Kaspersky is back at it, uncovering significant cybercrime tooling. This malware, dubbed “WinPot”, has every news outlet going crazy. It’s an ATM payload that makes the machine spew cash, somewhat like a casino slot machine.
It is similar to Ploutus D, another piece of ATM malware we briefly covered a few years back. That’s right: your assets are safe and sound in a Windows XP box. You would think a bank, of all places, would have this covered.
Where did the malware come from? After an easy Google search, I traced it back to a forum called “club2crd” (which is not on the darknet, contrary to how most outlets are reporting it). The earliest mention of WinPot I found on this forum is from 8/18/2018, when a user called “Muhammad98” sold it for USD 1000. This (rather older) WinPot version targets Wincor Nixdorf ATMs, the same brand targeted by the Ploutus D malware.
Another listing, dated December 9, 2018, was for WinPot version 3 this time. The seller, “wav”, appears to be a Senior member (yes, he’s super 1337). He was selling the trojan for 1 BTC (USD 6440.5 at the time). I doubt half of the sellers on these forums believe in the value of their own tools; “1 BTC” seems to be the random number slapped on almost anything they sell. That old CC dump? One bitcoin. This piece of malware is not worth six thousand dollars, believe me.
After some more involved Google queries, I discovered another strain of malware built off WinPot. It’s called “Annuit Coeptis”, it is the same as WinPot, and it sells for 500 dollars.
This version is also sold by Muhammad98, the same user who sold the earlier WinPot version. What’s the difference? I have no clue; judging by the screenshot, the functionality is identical. Within five minutes I found a forum reply stating that the program didn’t work: it crashes, because its author lacks proper coding skills. Below is a video showing the WinPot malware in action on an unspecified ATM.
WinPot malware is now able to hack ATMs with a slot machine interface
- WinPot ATM malware is designed to compromise ATMs and force them to empty their cassettes.
- WinPot uses a slot machine interface to steal funds from ATMs.
Researchers analyzed a new ATM malware sample called WinPot, which first appeared on underground forums in March 2018. WinPot, also known as ATMPot, uses a slot machine interface to steal money from ATMs. It is designed to attack ATMs and force them to empty all their funds.
Slot machine interface
The WinPot authors spent considerable effort making the interface look like a slot machine, most likely a nod to the term preferred for this class of attack: ATM jackpotting.
The WinPot interface shows each of the ATM’s cassettes.
- Each cassette is represented by a reel numbered 1 through 4, four being the maximum number of cash-out cassettes found in an ATM.
- Each reel has buttons labeled SPIN, SCAN and STOP, and a SLOT field.
- When the attacker presses SPIN, the ATM begins dispensing cash from that cassette.
- SCAN re-reads the ATM’s cassette status and updates the numbers under SLOT.
- STOP halts the dispensing of cash from the machine.
Researchers from Kaspersky Lab examined the WinPot sample and later discovered further modified variants.
WinPot v.3 was recently offered for sale by the malware seller. It features a revamped interface, and a related program called “ShowMeMoney” has an interface almost identical to the slot machine one. Its mechanism looks a lot like the Cutlet Maker malware.
The WinPot authors modify the malware for the following purposes:
- New samples are built to get past ATM security systems.
- The malware is modified to stop cash mules from misusing it.
- Modifications are made to overcome ATM limitations, improve the interface, and fix errors.
“We expect to find more modifications of the ATM malware. The best way to protect the ATM against this threat is to have device control software and process whitelisting software. The first will prevent the USB path from introducing malware directly to the ATM computer,” the researchers wrote in a blog post.