This malware turns ATM hijacking into a slot machine game

WinPot can force infected ATMs to automatically dispense cash. Just spin.

ATM wiretapping and jackpotting on the rise in the US Drills are the weapon of choice for criminals who spy on your activities at the cash point.

Researchers have found an oddly amusing sample of ATM malware which turns financial theft into a slot machine-style game.

On Tuesday, the Kaspersky Labs cybersecurity team explored the emergence of WinPot, an ATM hijacking malware family which first appeared in underground forums in March 2018.

While simple in its core functionality, WinPot -- named internally by Kaspersky as ATMPot -- is designed to compromise the ATMs of an unnamed but popular vendor and force these machines to empty their cassettes of all funds.

The interface of the malware is what makes the package unusual. Time has been spent on making the interface look like a slot machine, which is most likely a reference to "ATM jackpotting" -- a term used to describe the compromise of ATMs themselves.

The interface includes a visual indicator of an ATM's cassettes. Each one has a reel numbered 1 - 4, of which 4 is the maximum number of cash-out cassettes in a typical ATM.

A button labeled "spin," when pressed, starts the dispensation of cash. The "stop" button cuts off cash from being spewed out, while "scan" resets the 'game' and re-scans a machine for cassette and fund availability.

screenshot-2019-02-19-at-13-08-36.png

See also: Software executive exploits ATM loophole to steal $1 million

A trader of the malware in the Dark Web has recently advertised WinPot v.3, which also includes a revamped interface and a currently unidentified program called "ShowMeMoney," which may just be the new name of WinPot given its similar interface style.

screenshot-2019-02-19-at-11-50-32.png

screenshot-2019-02-19-at-11-50-28.png

WinPot displays similarities to Cutlet Maker, malware which needs to be loaded onto a flash drive and plugged into a USB port on in an ATM, made accessible through drilling. Once loaded, the malicious code cracks the system while a simulator finds ATM cassettes and mimics transactions to force the machine to dispense its available funds.

screenshot-2019-02-19-at-12-31-28.png

In 2017, Cutlet Maker was available for roughly $5,000 in the Dark Web. However, the price has now dropped to between $500 -- $1,000, which is the same bracket for today's WinPot buyers.

CNET: Airplane seat cameras could be your new spy in the sky

While many forms of ATM malware have the same core functionality -- given the rather basic, unsophisticated systems in which cash dispensers generally operate -- threat actors are continually innovating to overcome barriers designed to slowly improve the security posture of ATMs.

In particular, hackers are working on ways to overcome hard-coded limitations in how many notes per dispense are permitted; error handling, and means to trick ATM security systems and prevent malware strains from being detected.

TechRepublic: The year 2018 was the second most active year on record for data breaches, report says

'We expect to see more modifications of the existing ATM malware," Kaspersky says. "The preferred way of protecting the ATM from this sort of threat is to have device control and process whitelisting software running on it. The former will block the USB path of implanting the malware directly into the ATM PC, while the latter will prevent execution of unauthorized software on it."

The determined will, however, always find a way to exploit ATMs to reap the proceeds. This was recently highlighted in the case of a software engineering chief who spotted a weakness in Huaxia Bank's core operating system which created a window at midnight in which unrecorded withdrawals could be made from ATMs.

Over the course of a year, the engineer withdrew and stashed roughly $1 million. When he was eventually caught, the software developer said the money was merely "resting" in his account and was going to be returned. 

Previous and related coverage