ATMs on Windows are attacked by the FiXS ripper Trojan

Tomcat

Metabase Q experts have discovered a new malware designed to steal cash from ATMs running Windows. How infection occurs has not been established, but most likely it requires physical access to the device.

An analysis of the sample carried out by the cybersecurity company showed that the Trojan codenamed FiXS is aimed at ATMs that support the CEN/XFS standard. Interaction with the malware is carried out through an external keyboard.

Ploutus and Tyupkin, for example, receive commands in the same way, but the newcomer's interface is more primitive: it does not require entering an activation key and displays only the number of bills in the cassettes. Also noteworthy is the ability of FiXS to launch cash withdrawal with a delay of 30 minutes after a Windows restart (the GetTickCount API is used for this purpose).

The malware is delivered using the conhost.exe dropper, a well-known file virus written in Delphi. XOR is used to decrypt the embedded 105 KB binary, and the ShellExecute API function is used to launch it for execution.

According to experts, only Mexican banks have so far encountered FiXS attacks. The malicious dropper was identified by 65 out of 70 VirusTotal antiviruses (mostly as Neshta); the target malware was recognized by only 2 scanners on the service (result as of the morning of March 6).

(c) https://www.anti-malware.ru/news/2023-03-06-114534/40659