Ploutus-D ATM Malware Reported in U.S.
Ploutus-D is malware used for ATM jackpotting. It was discovered in Mexico in 2013, and is now getting reported as reaching the U.S. by Krebs on Security. This attack has been analysed by FireEye in 2017, showing some of the technical details behind the ATM attack and how the offenders might take advantage of physical access to dump money from an ATM.
Based on the reports, the attackers must first gain physical access to the ATM to install the malware. The first line of defense against this attack is a good physical security program to prevent unauthorized users from gaining physical access to the machine. Krebs on Security has published the Diebold Nixdorf security alert with mitigations recommended by Diebold Nixdorf.
Tenable can help with detecting the malware on infected ATMs, including both currently infected ATMs and ATMs that have malware infections which were not sufficiently cleaned.
Malicious Process Detection
Running Plugin 59275, Malicious Process Detection detects if the malware is currently running on the system.
Running Plugin 88961, Malicious File Detection against the file system detects the infection on disk.
Indicators of Compromise Detection
Using Indicators Of Compromise (IOCs), you can detect if you’re currently infected. Additionally, left-behind remnants of a previous infection may also be reported.
Detect the registry entry “\\HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit=”Diebold.exe,%system32%/userinit.exe”:
- Plugin 70629, Microsoft Windows AutoRuns Winlogon
Detect the service “DIEBOLDP”:
- Plugin 70626, Microsoft Windows AutoRuns Services and Drivers
Detecting process “Diebold.exe”:
- Plugin 70329, Microsoft Windows Process Information
- Plugin 77668, Windows Prefetch Folder
- Plugin 92423, Windows Explorer Recently Executed Programs
- Plugin 92424, MUICache Program Execution History
Look at processes showing up as unsigned:
- Plugin 104856, Malicious Process Detection: Authenticode Not Signed
الخاتمة
Jackpotting attacks such as Ploutus have been observed in the U.S. These attacks can be better mitigated with appropriate physical and software security controls. It’s yet another reminder to be aware of your Cyber Exposure. The time has long passed where servers in a data center and computers on employee’s desks are the only infrastructure an organization needs to include in its security program.
مقالات ذات صلة
Cybersecurity Snapshot: North Korea’s Cyber Spies Hunt for Nuclear Secrets, as Online Criminals Ramp Up AI Use in the EU
July 26, 2024Check out a CISA-FBI advisory about North Korean cyber espionage on critical infrastructure orgs. Plus, what Europol found about the use of AI for cybercrime. Meanwhile, the risk concerns that healthcare leaders have about generative AI. And a poll on water plant cybersecurity. And much more!
Kinsing Malware Hides Itself as a Manual Page and Targets Cloud Servers
May 16, 2024Tenable Cloud Security Research Team has recently discovered that Kinsing malware, known for targeting Linux-based cloud infrastructures, exploits Apache Tomcat servers with new advanced stealth techniques. Explore our analysis and the indicators of compromise in this report.
Shifting the Paradigm: Why the Cyber Insurance Industry Should Focus on Preventive Security
May 13, 2024As claims and losses climb, it’s clear that preventive security should be prioritized more when designing a cyber insurance policy. Here’s why preventive security investments are cost effective and can lead to lower premiums.
Cybersecurity Snapshot: RansomHub Group Triggers CISA Warning, While FBI Says North Korean Hackers Are Targeting Crypto Orgs
September 6, 2024Cybersecurity teams must beware of RansomHub, a surging RaaS gang. Plus, North Korea has unleashed sophisticated social-engineering schemes against crypto employees. Meanwhile, a new SANS report stresses the importance of protecting ICS and OT systems. And a Tenable poll sheds light on cloud-native VM. And much more!
Cybersecurity Snapshot: Schools Suffer Heavy Downtime Losses Due To Ransomware, as Banks Grapple with AI Challenges
August 30, 2024The cost of ransomware downtime in schools gets pegged at $500K-plus per day. Meanwhile, check out the AI-usage risks threatening banks’ cyber resilience. Plus, Uncle Sam is warning about a dangerous Iran-backed hacking group. And get the latest on AI-system inventories, the APT29 nation-state attacker and digital identity security!
AA24-241A : Joint Cybersecurity Advisory on Iran-based Cyber Actors Targeting US Organizations
August 28, 2024A joint Cybersecurity Advisory highlights Iran-based cyber actor ransomware activity targeting U.S. organizations. The advisory includes CVEs exploited, alongside techniques, tactics and procedures used by the threat actors.
- Malware
- Plugins