SlideShare a Scribd company logo

Jackpot! sbancare un atm con ploutus.d

Antonio Parata
Antonio Parata

This presentation describes how the Ploutus.D ATM malware works.

Software
1 of 38
Download to read offline
JACKPOT! Sbancare un ATM con Ploutus.D Antonio Parata - @s4tan
$whoami ● Twitter: https://twitter.com/s4tan ● Threat Analyst at ○ Malware Analysis, Malware Lab Developer ● Phrack Author ○ http://www.phrack.org/papers/dotnet_instrumentation.html ● Owasp Italy Board since 2006 ● Passionate F# developer ○ https://github.com/enkomio ○ https://github.com/taipan-scanner/Taipan
About Fox-IT & Threat InTELL…
Taipan Web Application Security Scanner https://github.com/taipan-scanner/Taipan
Why target ATMs? * FAKE: http://scobbs.blogspot.it/2015/01/why-willie-sutton-robbed-banks-real.html
Are ATMs a real target for criminals?
What is an ATM? “An automated teller machine (ATM) is an electronic telecommunications device that enables customers of financial institutions to perform financial transactions, such as cash withdrawals, deposits, transfer funds, or obtaining account information, at any time and without the need for direct interaction with bank staff.” - Wikipedia
How to test an ATM? ● ATMs are like regular computers with custom hardware and software ○ ATM file list https://dokumen.tips/documents/ejemplodeimagennorton-ghosttxt.html ● One of the most difficult parts is to obtain an ATM for testing purpose ● If you have the money you can buy one on e-bay :)
ATM Internals
Ploutus.D ATM Malware ● During the past years various malwares were created in order to attack ATM in order to force the ejection of all the bills stored inside the various dispensers ○ This kind of attack is known as Jackpotting, after the seminal talk done at BH USA 2010 by Barnaby Jack ● In 2013 FireEye discovered a new ATM malware, dubbed Ploutus ([1]) ○ At the time it was known as Ploutus (without D) and targeting Mexican banks ● In 2017 FireEye released a new article about a new Ploutus variant, dubbed Ploutus.D ([2]) ○ The D suffix was added due to the fact that it targets Diebold ATM vendor [1] https://www.symantec.com/connect/blogs/criminals-hit-atm-jackpot [2] https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html
Ploutus.D ATM Malware ● March 2017: ZingBox published an article about a new version of Ploutus.D which added the capability to be controlled remotely ([3]) ● January 2018: the reporter Brian Krebs published an article about Ploutus.D infecting also US ATMs ([4]). This new variant was described by ZingBox in [5] and named as Piolin. [3] https://www.zingbox.com/blog/ploutus-d-malware-turns-atms-into-iot-devices/ [4] https://krebsonsecurity.com/tag/ploutus-d/ [5] https://www.zingbox.com/blog/piolin-the-first-atm-malware-jackpotting-atms-in-usa/
Is the DIEBOLD brand used in Italy?
Interaction with the ATM Src: http://www.kal.com/en/kal-products [1] https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html [2] https://www.finextra.com/newsarticle/6822/diebold-releases-agilis-power-platform-for-multi-vendor-atm-upgrades ● According to FE ([1]) interactions with the ATM are done through the Kalignite Platform ● This framework is an abstraction level above the XFS middleware ● The usage of this framework implies that the author(s) has a good understanding of how an ATM works UPDATE: Recent Ploutus.D samples seem to have moved from Kalignite framework to Diebold Agilis Power middleware (based on INvolve middleware platform from Nexus Software [2]), this according to the name of the referenced files.
Hello Ploutus.D
Reading user input Set Keyboard Hook in order to intercept all keyboard keys Dispatch the pressed key to the handler
User Interface Write directly to DISPLAY1 device Loop forever until the UI is active
Ploutus.D Framework ● Ploutus.D is a full framework ○ Some of these file are used to encrypt content or to interact with dispenser. Relevant file to interact with the ATM are: ■ AxInterop.CASHDISPENSER3Lib.dll ■ AxInterop.PINPAD3Lib.dll ■ Interop.CASHDISPENSER3Lib.dll ■ Interop.PINPAD3Lib.dll
Ploutus.D Framework ● Some of the identified files are: ○ Launcher: it is the initial launcher, the one which use the attacker to install the malware ○ XFSConsole.exe: it allows to interact with XFS Middleware ○ NewAge.exe: it allows to connect remotely to the ATM (more on this later) ○ AgilisConfigurationUtility.exe: it allows to interact with the ATM in order to dispense money
How to access the ATM computer ● Accessing the ATM via software vulnerability ○ Exploit some vulnerability in the user interaction software (sticky keys…) ○ AFAIK never use in real attack ● Accessing the ATM through internal network compromise ○ Accessing the ATM through an internal network which was previously compromised ● Physically access the ATM ○ Physically accessing the ATM by compromising the case or by opening it
How to access the ATM computer
How Ploutus.D works? Image not strictly related to Ploutus.D, but same process. Source: https://phys.org/news/2014-10-atm-windows-safe-money.html
Ploutus.D initialization Generate HWID Generate ATMID (this info is needed for activation) ● Once the malware is installed and initialized, it creates a new configuration file (P.bin) where it stores, among other info, the ATMID pseudo-random value
Ploutus.D activation ● The activation step needs two data ○ ATMID a pseudo-random number generated during the first execution of the malware ○ The current day number (1-31) ○ The current month number (1-12) ● The encryption is done by three external libraries: ○ EncryptD.dll: It is in charge for “encrypt” the day number ○ EncryptM.dll: It is in charge for “encrypt” the month number ○ EncryptID.dll: It is in charge for “encrypt” the ATM ID number ● The activation holds for one day only, then it needs to be activated again
Ploutus.D activation ATMID Is the computed value (b variable) equals to the inserted activation code? 1 2 3
Ploutus.D activation
Ploutus.D activation
Remote ATM connection ● Ploutus.D in its initial releases, only supported a physical connection to the ATM in order to plug a keyboard and interacts with it ● Latest version added a new feature that allows to connect via WiFi to the ATM ○ It uses a legit SimpleWifi.dll library ○ It is necessary to connect a WiFi dongle to the ATM ● This version is protected in a different way than the previous one, which makes the usage of de4dot not valid. ○ For more info on how to bypass this protection take a look at my article: http://antonioparata.blogspot.it/2018/02/analyzing-nasty-net-protection-of .html
Remote ATM connection
Remote ATM connection
Software Obfuscation ● Ploutus.D uses .NET Reactor a commercial .NET code protector to obfuscate its code ○ NecroBit is a powerful protection technology which provides complete protection for your sensitive intellectual property by replacing the CIL code within methods with encrypted code. This way it is not possible to decompile/reverse engineer your method source code. ● Luckily for us the ATM component can be deobfuscated with the open source software de4dot ● The main.exe (the one in charge for remote connection) seems to crash de4dot so a manual unpacking process is necessary ○ The most difficult aspect to reverse is to obtains the real MSIL code
Software Obfuscation
Software Obfuscation ● The compile method is in charge for compiling MSIL code to machine specific code. This can be (ab)used by obfuscators.
Software Obfuscation ● Let’s use WinDBG with SOS extension to see if the compileMethod is hooked Set breakpoint on clrjit.dll load Set breakpoint on clrJit!getJit to get the address of the compileMethod method
Software Obfuscation By executing the getJit method we obtain the address of compileMethod which is 0x70f049b0 Let’s execute the program a bit and then check again the address in the VTable of the compileMethod
Software Obfuscation ● Let’s identify which one is the replacement function. By inspecting the call stack we can identify who called the real compileMethod. ● With this information we can now rebuild the the assembly with the real method body
Software Protection
Q&A Thanks!
References ● Analyzing the nasty .NET protection of the Ploutus.D malware. ○ http://antonioparata.blogspot.it/2018/02/analyzing-nasty-net-protection-of.html ● .NET Instrumentation via MSIL bytecode injection ○ http://www.phrack.org/papers/dotnet_instrumentation.html ● MASTERMIND BEHIND EUR 1 BILLION CYBER BANK ROBBERY ARRESTED IN SPAIN ○ https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-r obbery-arrested-in-spain ● New Variant of Ploutus ATM Malware Observed in the Wild in Latin America ○ https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html ● Ploutus-D Malware turns ATMs into IoT Devices ○ https://www.zingbox.com/blog/ploutus-d-malware-turns-atms-into-iot-devices/

Recommended

Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
Firmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalFirmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalNSConclave
 
Cryptojacking - by Vishwaraj101
Cryptojacking - by Vishwaraj101Cryptojacking - by Vishwaraj101
Cryptojacking - by Vishwaraj101v_raj
 
Ssrf
SsrfSsrf
SsrfIlan Mindel
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop Ivan Novikov
 
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)Olga Kochetova
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Sagar M Parmar
 

Recommended

Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
Firmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalFirmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalNSConclave
 
Cryptojacking - by Vishwaraj101
Cryptojacking - by Vishwaraj101Cryptojacking - by Vishwaraj101
Cryptojacking - by Vishwaraj101v_raj
 
Ssrf
SsrfSsrf
SsrfIlan Mindel
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop Ivan Novikov
 
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)Olga Kochetova
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Sagar M Parmar
 
Dark web presentation
Dark web presentationDark web presentation
Dark web presentationTo Mal
 
ELECTRONIC FRAUD TACTICS
ELECTRONIC FRAUD TACTICS ELECTRONIC FRAUD TACTICS
ELECTRONIC FRAUD TACTICS ICFAI Business School
 
Trojan Horse Virus
Trojan Horse VirusTrojan Horse Virus
Trojan Horse Virussitinursyafiqah
 
Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)JAINAM KAPADIYA
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security AttacksSajid Hasan
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 
COSCUP 2016: Project 52 每週一個小專案來學習 Golang
COSCUP 2016: Project 52 每週一個小專案來學習 GolangCOSCUP 2016: Project 52 每週一個小專案來學習 Golang
COSCUP 2016: Project 52 每週一個小專案來學習 GolangEvan Lin
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hackingA Raheem Ansari
 
Phishing--The Entire Story of a Dark World
Phishing--The Entire Story of a Dark WorldPhishing--The Entire Story of a Dark World
Phishing--The Entire Story of a Dark WorldAvishek Datta
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
Web Application Vulnerability Management
Web Application Vulnerability ManagementWeb Application Vulnerability Management
Web Application Vulnerability Managementjpubal
 
Introduction to Lightning Network
Introduction to Lightning NetworkIntroduction to Lightning Network
Introduction to Lightning NetworkAlan Carbery
 
CSRF Basics
CSRF BasicsCSRF Basics
CSRF Basicsn|u - The Open Security Community
 
Illuminating the dark web
Illuminating the dark webIlluminating the dark web
Illuminating the dark webJisc
 
Burp suite
Burp suiteBurp suite
Burp suiteSOURABH DESHMUKH
 
Bug Bounty 101
Bug Bounty 101Bug Bounty 101
Bug Bounty 101Shahee Mirza
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyAditya Gupta
 
ETHICAL HACKING
ETHICAL HACKINGETHICAL HACKING
ETHICAL HACKINGNAWAZ KHAN
 
IP Spoofing
IP SpoofingIP Spoofing
IP SpoofingAkmal Hussain
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisAntonio Parata
 
INSECURE Magazine - 35
INSECURE Magazine - 35INSECURE Magazine - 35
INSECURE Magazine - 35Felipe Prado
 

More Related Content

What's hot

Dark web presentation
Dark web presentationDark web presentation
Dark web presentationTo Mal
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security AttacksSajid Hasan
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 
COSCUP 2016: Project 52 每週一個小專案來學習 Golang
COSCUP 2016: Project 52 每週一個小專案來學習 GolangCOSCUP 2016: Project 52 每週一個小專案來學習 Golang
COSCUP 2016: Project 52 每週一個小專案來學習 GolangEvan Lin
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
Phishing--The Entire Story of a Dark World
Phishing--The Entire Story of a Dark WorldPhishing--The Entire Story of a Dark World
Phishing--The Entire Story of a Dark WorldAvishek Datta
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
Web Application Vulnerability Management
Web Application Vulnerability ManagementWeb Application Vulnerability Management
Web Application Vulnerability Managementjpubal
 
Introduction to Lightning Network
Introduction to Lightning NetworkIntroduction to Lightning Network
Introduction to Lightning NetworkAlan Carbery
 
Illuminating the dark web
Illuminating the dark webIlluminating the dark web
Illuminating the dark webJisc
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyAditya Gupta
 
ETHICAL HACKING
ETHICAL HACKINGETHICAL HACKING
ETHICAL HACKINGNAWAZ KHAN
 

What's hot (20)

Dark web presentation
Dark web presentationDark web presentation
Dark web presentation
 
ELECTRONIC FRAUD TACTICS
ELECTRONIC FRAUD TACTICS ELECTRONIC FRAUD TACTICS
ELECTRONIC FRAUD TACTICS
 
Trojan Horse Virus
Trojan Horse VirusTrojan Horse Virus
Trojan Horse Virus
 
Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security Attacks
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
 
COSCUP 2016: Project 52 每週一個小專案來學習 Golang
COSCUP 2016: Project 52 每週一個小專案來學習 GolangCOSCUP 2016: Project 52 每週一個小專案來學習 Golang
COSCUP 2016: Project 52 每週一個小專案來學習 Golang
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Phishing--The Entire Story of a Dark World
Phishing--The Entire Story of a Dark WorldPhishing--The Entire Story of a Dark World
Phishing--The Entire Story of a Dark World
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
 
Web Application Vulnerability Management
Web Application Vulnerability ManagementWeb Application Vulnerability Management
Web Application Vulnerability Management
 
Introduction to Lightning Network
Introduction to Lightning NetworkIntroduction to Lightning Network
Introduction to Lightning Network
 
CSRF Basics
CSRF BasicsCSRF Basics
CSRF Basics
 
Illuminating the dark web
Illuminating the dark webIlluminating the dark web
Illuminating the dark web
 
Burp suite
Burp suiteBurp suite
Burp suite
 
Bug Bounty 101
Bug Bounty 101Bug Bounty 101
Bug Bounty 101
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
 
ETHICAL HACKING
ETHICAL HACKINGETHICAL HACKING
ETHICAL HACKING
 
IP Spoofing
IP SpoofingIP Spoofing
IP Spoofing
 

Similar to Jackpot! sbancare un atm con ploutus.d

HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisAntonio Parata
 
INSECURE Magazine - 35
INSECURE Magazine - 35INSECURE Magazine - 35
INSECURE Magazine - 35Felipe Prado
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2ShapeBlue
 
Understanding Malware Lateral Spread Used in High Value Attacks
Understanding Malware Lateral Spread Used in High Value AttacksUnderstanding Malware Lateral Spread Used in High Value Attacks
Understanding Malware Lateral Spread Used in High Value AttacksCyphort
 
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018Codemotion
 
Smart Contract: QA Role for Decentralized Platform
Smart Contract: QA Role for Decentralized PlatformSmart Contract: QA Role for Decentralized Platform
Smart Contract: QA Role for Decentralized PlatformMarco Andrade
 
The Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatDuo Security
 
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor FiorimTI Safe
 
13.02 Network Security
13.02 Network Security13.02 Network Security
13.02 Network SecurityAnjan Mahanta
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDebra Baker, CISSP CSSP
 
Issa jason dablow
Issa jason dablowIssa jason dablow
Issa jason dablowISSA LA
 
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018Mender.io
 
19BCP072_Presentation_Final.pdf
19BCP072_Presentation_Final.pdf19BCP072_Presentation_Final.pdf
19BCP072_Presentation_Final.pdfKunjJoshi14
 
A Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention MechanismsA Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention MechanismsIRJET Journal
 
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDATop OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDANowSecure
 
Smart Cards & Devices Forum 2012 - Smart Phones Security
Smart Cards & Devices Forum 2012 - Smart Phones SecuritySmart Cards & Devices Forum 2012 - Smart Phones Security
Smart Cards & Devices Forum 2012 - Smart Phones SecurityOKsystem
 
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdfdino715195
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCloudIDSummit
 
Io t slides_iotvillage
Io t slides_iotvillageIo t slides_iotvillage
Io t slides_iotvillageagmoneyy
 

Similar to Jackpot! sbancare un atm con ploutus.d (20)

HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
 
INSECURE Magazine - 35
INSECURE Magazine - 35INSECURE Magazine - 35
INSECURE Magazine - 35
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
Understanding Malware Lateral Spread Used in High Value Attacks
Understanding Malware Lateral Spread Used in High Value AttacksUnderstanding Malware Lateral Spread Used in High Value Attacks
Understanding Malware Lateral Spread Used in High Value Attacks
 
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
 
Smart Contract: QA Role for Decentralized Platform
Smart Contract: QA Role for Decentralized PlatformSmart Contract: QA Role for Decentralized Platform
Smart Contract: QA Role for Decentralized Platform
 
The Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to Chat
 
Honeypot Project
Honeypot ProjectHoneypot Project
Honeypot Project
 
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
 
13.02 Network Security
13.02 Network Security13.02 Network Security
13.02 Network Security
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptx
 
Issa jason dablow
Issa jason dablowIssa jason dablow
Issa jason dablow
 
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
 
19BCP072_Presentation_Final.pdf
19BCP072_Presentation_Final.pdf19BCP072_Presentation_Final.pdf
19BCP072_Presentation_Final.pdf
 
A Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention MechanismsA Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
 
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDATop OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
 
Smart Cards & Devices Forum 2012 - Smart Phones Security
Smart Cards & Devices Forum 2012 - Smart Phones SecuritySmart Cards & Devices Forum 2012 - Smart Phones Security
Smart Cards & Devices Forum 2012 - Smart Phones Security
 
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
 
Io t slides_iotvillage
Io t slides_iotvillageIo t slides_iotvillage
Io t slides_iotvillage
 

More from Antonio Parata

Demystify web application vulnerability assessment
Demystify web application vulnerability assessmentDemystify web application vulnerability assessment
Demystify web application vulnerability assessmentAntonio Parata
 
Program Analysis: a security perspective
Program Analysis: a security perspectiveProgram Analysis: a security perspective
Program Analysis: a security perspectiveAntonio Parata
 
EyePyramid and other .NET malware. How to analyze them?
EyePyramid and other .NET malware. How to analyze them?EyePyramid and other .NET malware. How to analyze them?
EyePyramid and other .NET malware. How to analyze them?Antonio Parata
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approachAntonio Parata
 
Come mettere in sicurezza le applicazioni legacy, un approccio pragmatico
Come mettere in sicurezza le applicazioni legacy, un approccio pragmaticoCome mettere in sicurezza le applicazioni legacy, un approccio pragmatico
Come mettere in sicurezza le applicazioni legacy, un approccio pragmaticoAntonio Parata
 
Web Application Security: Bug Hunting e Code Review
Web Application Security: Bug Hunting e Code ReviewWeb Application Security: Bug Hunting e Code Review
Web Application Security: Bug Hunting e Code ReviewAntonio Parata
 

More from Antonio Parata (15)

Demystify web application vulnerability assessment
Demystify web application vulnerability assessmentDemystify web application vulnerability assessment
Demystify web application vulnerability assessment
 
Program Analysis: a security perspective
Program Analysis: a security perspectiveProgram Analysis: a security perspective
Program Analysis: a security perspective
 
EyePyramid and other .NET malware. How to analyze them?
EyePyramid and other .NET malware. How to analyze them?EyePyramid and other .NET malware. How to analyze them?
EyePyramid and other .NET malware. How to analyze them?
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
 
Come mettere in sicurezza le applicazioni legacy, un approccio pragmatico
Come mettere in sicurezza le applicazioni legacy, un approccio pragmaticoCome mettere in sicurezza le applicazioni legacy, un approccio pragmatico
Come mettere in sicurezza le applicazioni legacy, un approccio pragmatico
 
.NET for hackers
.NET for hackers.NET for hackers
.NET for hackers
 
Owasp Day 3
Owasp Day 3Owasp Day 3
Owasp Day 3
 
Web Application Security: Bug Hunting e Code Review
Web Application Security: Bug Hunting e Code ReviewWeb Application Security: Bug Hunting e Code Review
Web Application Security: Bug Hunting e Code Review
 
Smau 2006
Smau 2006Smau 2006
Smau 2006
 
Smau 2007
Smau 2007Smau 2007
Smau 2007
 
Hat 2008
Hat 2008Hat 2008
Hat 2008
 
Openexp 2006
Openexp 2006Openexp 2006
Openexp 2006
 
Nss 2007
Nss 2007Nss 2007
Nss 2007
 
Infosecurity 2007
Infosecurity 2007Infosecurity 2007
Infosecurity 2007
 
Infosecurity 2008
Infosecurity 2008Infosecurity 2008
Infosecurity 2008
 

Recently uploaded

5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendArshad QA
 

Recently uploaded (20)

5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and Backend
 

Jackpot! sbancare un atm con ploutus.d

  • 1. JACKPOT! Sbancare un ATM con Ploutus.D Antonio Parata - @s4tan
  • 2. $whoami ● Twitter: https://twitter.com/s4tan ● Threat Analyst at ○ Malware Analysis, Malware Lab Developer ● Phrack Author ○ http://www.phrack.org/papers/dotnet_instrumentation.html ● Owasp Italy Board since 2006 ● Passionate F# developer ○ https://github.com/enkomio ○ https://github.com/taipan-scanner/Taipan
  • 3. About Fox-IT & Threat InTELL…
  • 4. Taipan Web Application Security Scanner https://github.com/taipan-scanner/Taipan
  • 5. Why target ATMs? * FAKE: http://scobbs.blogspot.it/2015/01/why-willie-sutton-robbed-banks-real.html
  • 6. Are ATMs a real target for criminals?
  • 7. What is an ATM? “An automated teller machine (ATM) is an electronic telecommunications device that enables customers of financial institutions to perform financial transactions, such as cash withdrawals, deposits, transfer funds, or obtaining account information, at any time and without the need for direct interaction with bank staff.” - Wikipedia
  • 8. How to test an ATM? ● ATMs are like regular computers with custom hardware and software ○ ATM file list https://dokumen.tips/documents/ejemplodeimagennorton-ghosttxt.html ● One of the most difficult parts is to obtain an ATM for testing purpose ● If you have the money you can buy one on e-bay :)
  • 10. Ploutus.D ATM Malware ● During the past years various malwares were created in order to attack ATM in order to force the ejection of all the bills stored inside the various dispensers ○ This kind of attack is known as Jackpotting, after the seminal talk done at BH USA 2010 by Barnaby Jack ● In 2013 FireEye discovered a new ATM malware, dubbed Ploutus ([1]) ○ At the time it was known as Ploutus (without D) and targeting Mexican banks ● In 2017 FireEye released a new article about a new Ploutus variant, dubbed Ploutus.D ([2]) ○ The D suffix was added due to the fact that it targets Diebold ATM vendor [1] https://www.symantec.com/connect/blogs/criminals-hit-atm-jackpot [2] https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html
  • 11. Ploutus.D ATM Malware ● March 2017: ZingBox published an article about a new version of Ploutus.D which added the capability to be controlled remotely ([3]) ● January 2018: the reporter Brian Krebs published an article about Ploutus.D infecting also US ATMs ([4]). This new variant was described by ZingBox in [5] and named as Piolin. [3] https://www.zingbox.com/blog/ploutus-d-malware-turns-atms-into-iot-devices/ [4] https://krebsonsecurity.com/tag/ploutus-d/ [5] https://www.zingbox.com/blog/piolin-the-first-atm-malware-jackpotting-atms-in-usa/
  • 12. Is the DIEBOLD brand used in Italy?
  • 13. Interaction with the ATM Src: http://www.kal.com/en/kal-products [1] https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html [2] https://www.finextra.com/newsarticle/6822/diebold-releases-agilis-power-platform-for-multi-vendor-atm-upgrades ● According to FE ([1]) interactions with the ATM are done through the Kalignite Platform ● This framework is an abstraction level above the XFS middleware ● The usage of this framework implies that the author(s) has a good understanding of how an ATM works UPDATE: Recent Ploutus.D samples seem to have moved from Kalignite framework to Diebold Agilis Power middleware (based on INvolve middleware platform from Nexus Software [2]), this according to the name of the referenced files.
  • 15. Reading user input Set Keyboard Hook in order to intercept all keyboard keys Dispatch the pressed key to the handler
  • 16. User Interface Write directly to DISPLAY1 device Loop forever until the UI is active
  • 17. Ploutus.D Framework ● Ploutus.D is a full framework ○ Some of these file are used to encrypt content or to interact with dispenser. Relevant file to interact with the ATM are: ■ AxInterop.CASHDISPENSER3Lib.dll ■ AxInterop.PINPAD3Lib.dll ■ Interop.CASHDISPENSER3Lib.dll ■ Interop.PINPAD3Lib.dll
  • 18. Ploutus.D Framework ● Some of the identified files are: ○ Launcher: it is the initial launcher, the one which use the attacker to install the malware ○ XFSConsole.exe: it allows to interact with XFS Middleware ○ NewAge.exe: it allows to connect remotely to the ATM (more on this later) ○ AgilisConfigurationUtility.exe: it allows to interact with the ATM in order to dispense money
  • 19. How to access the ATM computer ● Accessing the ATM via software vulnerability ○ Exploit some vulnerability in the user interaction software (sticky keys…) ○ AFAIK never use in real attack ● Accessing the ATM through internal network compromise ○ Accessing the ATM through an internal network which was previously compromised ● Physically access the ATM ○ Physically accessing the ATM by compromising the case or by opening it
  • 20. How to access the ATM computer
  • 21. How Ploutus.D works? Image not strictly related to Ploutus.D, but same process. Source: https://phys.org/news/2014-10-atm-windows-safe-money.html
  • 22. Ploutus.D initialization Generate HWID Generate ATMID (this info is needed for activation) ● Once the malware is installed and initialized, it creates a new configuration file (P.bin) where it stores, among other info, the ATMID pseudo-random value
  • 23. Ploutus.D activation ● The activation step needs two data ○ ATMID a pseudo-random number generated during the first execution of the malware ○ The current day number (1-31) ○ The current month number (1-12) ● The encryption is done by three external libraries: ○ EncryptD.dll: It is in charge for “encrypt” the day number ○ EncryptM.dll: It is in charge for “encrypt” the month number ○ EncryptID.dll: It is in charge for “encrypt” the ATM ID number ● The activation holds for one day only, then it needs to be activated again
  • 24. Ploutus.D activation ATMID Is the computed value (b variable) equals to the inserted activation code? 1 2 3
  • 27. Remote ATM connection ● Ploutus.D in its initial releases, only supported a physical connection to the ATM in order to plug a keyboard and interacts with it ● Latest version added a new feature that allows to connect via WiFi to the ATM ○ It uses a legit SimpleWifi.dll library ○ It is necessary to connect a WiFi dongle to the ATM ● This version is protected in a different way than the previous one, which makes the usage of de4dot not valid. ○ For more info on how to bypass this protection take a look at my article: http://antonioparata.blogspot.it/2018/02/analyzing-nasty-net-protection-of .html
  • 30. Software Obfuscation ● Ploutus.D uses .NET Reactor a commercial .NET code protector to obfuscate its code ○ NecroBit is a powerful protection technology which provides complete protection for your sensitive intellectual property by replacing the CIL code within methods with encrypted code. This way it is not possible to decompile/reverse engineer your method source code. ● Luckily for us the ATM component can be deobfuscated with the open source software de4dot ● The main.exe (the one in charge for remote connection) seems to crash de4dot so a manual unpacking process is necessary ○ The most difficult aspect to reverse is to obtains the real MSIL code
  • 32. Software Obfuscation ● The compile method is in charge for compiling MSIL code to machine specific code. This can be (ab)used by obfuscators.
  • 33. Software Obfuscation ● Let’s use WinDBG with SOS extension to see if the compileMethod is hooked Set breakpoint on clrjit.dll load Set breakpoint on clrJit!getJit to get the address of the compileMethod method
  • 34. Software Obfuscation By executing the getJit method we obtain the address of compileMethod which is 0x70f049b0 Let’s execute the program a bit and then check again the address in the VTable of the compileMethod
  • 35. Software Obfuscation ● Let’s identify which one is the replacement function. By inspecting the call stack we can identify who called the real compileMethod. ● With this information we can now rebuild the the assembly with the real method body
  • 38. References ● Analyzing the nasty .NET protection of the Ploutus.D malware. ○ http://antonioparata.blogspot.it/2018/02/analyzing-nasty-net-protection-of.html ● .NET Instrumentation via MSIL bytecode injection ○ http://www.phrack.org/papers/dotnet_instrumentation.html ● MASTERMIND BEHIND EUR 1 BILLION CYBER BANK ROBBERY ARRESTED IN SPAIN ○ https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-r obbery-arrested-in-spain ● New Variant of Ploutus ATM Malware Observed in the Wild in Latin America ○ https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html ● Ploutus-D Malware turns ATMs into IoT Devices ○ https://www.zingbox.com/blog/ploutus-d-malware-turns-atms-into-iot-devices/