{
"Event" : {
"analysis" : "0" ,
"date" : "2017-01-12" ,
"extends_uuid" : "" ,
"info" : "OSINT - New Variant of Ploutus ATM Malware Observed in the Wild in Latin America" ,
"publish_timestamp" : "1484208979" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1484208963" ,
"uuid" : "58773a18-6384-4c59-8264-4400950d210f" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#6edb00" ,
"local" : "0" ,
"name" : "circl:topic=\"finance\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484208736" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "58773a60-685c-4c45-a2b7-4c6e950d210f" ,
"value" : "https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484208756" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "58773a74-af68-47c1-ab18-40d1950d210f" ,
"value" : "Ploutus is one of the most advanced ATM malware families we\u2019ve seen in the last few years. Discovered for the first time in Mexico back in 2013, Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message, a technique that had never been seen before.\r\n\r\nFireEye Labs recently identified a previously unobserved version of Ploutus, dubbed Ploutus-D, that interacts with KAL\u2019s Kalignite multivendor ATM platform. The samples we identified target the ATM vendor Diebold. However, minimal code change to Ploutus-D would greatly expand its ATM vendor targets since Kalignite Platform runs on 40 different ATM vendors in 80 countries.\r\n\r\nOnce deployed to an ATM, Ploutus-D makes it possible for a money mule to obtain thousands of dollars in minutes. A money mule must have a master key to open the top portion of the ATM (or be able to pick it), a physical keyboard to connect to the machine, and an activation code (provided by the boss in charge of the operation) in order to dispense money from the ATM. While there are some risks of the money mule being caught by cameras, the speed in which the operation is carried out minimizes the mule\u2019s risk.\r\n\r\nThis blog covers the changes, improvements, and Indicators of Compromise (IOC) of Ploutus-D in order to help financial organizations identify and defend against this threat."
} ,
{
"category" : "Payload installation" ,
"comment" : "Launcher \u2013 Diebold.exe (.NET)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484208798" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "58773a9e-39ac-4e21-bd8b-4e99950d210f" ,
"value" : "c04a7cb926ccbf829d0a36a91ebf91bd"
} ,
{
"category" : "Payload installation" ,
"comment" : "Ploutus-D \u2013 AgilisConfigurationUtility.exe (.NET)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484208827" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "58773abb-4690-4628-ab9e-48c9950d210f" ,
"value" : "5af1f92832378772a7e3b07a0cad4fc5"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484208866" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "58773ae2-36c0-4094-a951-4b3c950d210f" ,
"value" : "C:\\Diebold\\EDC\\edclocal.dat"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484208894" ,
"to_ids" : true ,
"type" : "mutex" ,
"uuid" : "58773afe-aa30-4e7b-8c5f-41e0950d210f" ,
"value" : "Ploutos"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484208895" ,
"to_ids" : true ,
"type" : "mutex" ,
"uuid" : "58773aff-a2b4-42e5-b350-438d950d210f" ,
"value" : "DIEBOLDPL"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484208896" ,
"to_ids" : true ,
"type" : "mutex" ,
"uuid" : "58773b00-6fdc-4b90-a939-4d9b950d210f" ,
"value" : "KaligniteAPP"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484208926" ,
"to_ids" : true ,
"type" : "windows-service-name" ,
"uuid" : "58773b1e-7638-4642-abfa-48a2950d210f" ,
"value" : "DIEBOLDP"
} ,
{
"category" : "Payload installation" ,
"comment" : "Ploutus-D \u2013 AgilisConfigurationUtility.exe (.NET) - Xchecked via VT: 5af1f92832378772a7e3b07a0cad4fc5" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484208952" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "58773b38-9a28-4da9-b172-4b7a02de0b81" ,
"value" : "aee97881d3e45ba0cae91f471db78aded16bcff1468d9e66edf9d3c0223d238f"
} ,
{
"category" : "Payload installation" ,
"comment" : "Ploutus-D \u2013 AgilisConfigurationUtility.exe (.NET) - Xchecked via VT: 5af1f92832378772a7e3b07a0cad4fc5" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484208952" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "58773b38-7b68-4c29-ae02-485602de0b81" ,
"value" : "dadf8493072a479950af004a58fa774f83fc984c"
} ,
{
"category" : "External analysis" ,
"comment" : "Ploutus-D \u2013 AgilisConfigurationUtility.exe (.NET) - Xchecked via VT: 5af1f92832378772a7e3b07a0cad4fc5" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484208953" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "58773b39-4fec-4d59-8e46-432602de0b81" ,
"value" : "https://www.virustotal.com/file/aee97881d3e45ba0cae91f471db78aded16bcff1468d9e66edf9d3c0223d238f/analysis/1482659688/"
} ,
{
"category" : "Payload installation" ,
"comment" : "Launcher \u2013 Diebold.exe (.NET) - Xchecked via VT: c04a7cb926ccbf829d0a36a91ebf91bd" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484208954" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "58773b3a-e6b4-42e4-bf7b-4f0202de0b81" ,
"value" : "04db39463012add2eece6dfe6f311ad46b76dae55460eea30dec02d3d3f1c00a"
} ,
{
"category" : "Payload installation" ,
"comment" : "Launcher \u2013 Diebold.exe (.NET) - Xchecked via VT: c04a7cb926ccbf829d0a36a91ebf91bd" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484208955" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "58773b3b-8938-4752-aa62-45a802de0b81" ,
"value" : "66adf3ab1913e92be7f34adcd9be1b6eda677d59"
} ,
{
"category" : "External analysis" ,
"comment" : "Launcher \u2013 Diebold.exe (.NET) - Xchecked via VT: c04a7cb926ccbf829d0a36a91ebf91bd" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484208955" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "58773b3b-8dd0-4e55-b72d-4e4f02de0b81" ,
"value" : "https://www.virustotal.com/file/04db39463012add2eece6dfe6f311ad46b76dae55460eea30dec02d3d3f1c00a/analysis/1481662423/"
}
]
}
}