Mexican banks on target: ATM virus FiXS on the rise


A new ATM malware has been detected infecting ATMs in Mexico. The exact methodology of the malware is unknown, but it is said to spread via the touchscreen.

According to Metabase Q: “The ATM malware is hidden inside another not-malicious-looking program.”

FiXS is similar to the previous banking virus, Ploutus, which was used by cybercriminals to steal money through external keyboards and SMS.

Anatomy of FiXS

The key characteristics of FiXS identified so far are:

  • It instructs the ATM to dispense money 30 minutes after the last ATM reboot
  • It is hidden inside another not-malicious-looking program
  • It is vendor-agnostic, targeting any ATM that supports CEN XFS
  • It interacts with the crooks via an external keyboard
  • It waits for the cassettes to be loaded to start dispensing
  • It contains Russian metadata

FiXS is implemented with the CEN XFS APIs, which lets it run on almost every Windows-based ATM with few adjustments. FiXS interacts with the criminal via an external keyboard.

“The malware runs in an infinite loop reading the keyboard and waiting to find the right combination to display,” said experts at Metabase Q.
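The behaviours listed above (dispensing tied to the last reboot, control through an external keyboard) can be turned into a log correlation check on the defender's side. The following is an added example, not code from Metabase Q or PureVPN; the event names, the log layout and the 60-second authorization window are assumptions, and the sample log is constructed.

```python
from datetime import datetime, timedelta

# Constructed telemetry for one ATM (not from a real incident). The event names
# and the "timestamp|event|detail" layout are assumptions made for this example.
SAMPLE_LOG = """\
2023-03-01T09:00:00|REBOOT|
2023-03-01T09:05:10|HOST_AUTH|txn=1001 amount=500
2023-03-01T09:05:20|DISPENSE|amount=500
2023-03-01T09:12:00|USB_HID_KEYBOARD_ATTACHED|vid=0000 pid=0000
2023-03-01T09:31:00|DISPENSE|amount=4000
2023-03-01T09:31:40|DISPENSE|amount=4000
2023-03-01T10:15:00|HOST_AUTH|txn=1002 amount=200
2023-03-01T10:15:08|DISPENSE|amount=200
"""

AUTH_WINDOW = timedelta(seconds=60)  # assumed max gap between host approval and dispense

def parse(log):
    """Yield (timestamp, event, detail) tuples from the pipe-separated log."""
    for line in log.splitlines():
        ts, event, detail = line.split("|", 2)
        yield datetime.fromisoformat(ts), event, detail

def find_unauthorized_dispenses(log):
    """Return one finding per dispense that no host authorization accounts for."""
    findings, last_reboot, keyboard_since_reboot, pending_auth = [], None, False, None
    for ts, event, detail in parse(log):
        if event == "REBOOT":
            last_reboot, keyboard_since_reboot, pending_auth = ts, False, None
        elif event == "USB_HID_KEYBOARD_ATTACHED":
            keyboard_since_reboot = True  # ATMs normally have no external keyboard
        elif event == "HOST_AUTH":
            pending_auth = ts
        elif event == "DISPENSE":
            if pending_auth is not None and ts - pending_auth <= AUTH_WINDOW:
                pending_auth = None  # each authorization covers one dispense
                continue
            findings.append({
                "time": ts.isoformat(),
                "minutes_since_reboot": None if last_reboot is None
                else int((ts - last_reboot).total_seconds() // 60),
                "external_keyboard_seen": keyboard_since_reboot,
                "detail": detail,
            })
    return findings

if __name__ == "__main__":
    for finding in find_unauthorized_dispenses(SAMPLE_LOG):
        print(finding)
```

Each finding records how long after the last reboot the dispense happened and whether an external keyboard was attached in that boot session, the two FiXS traits an analyst would triage on first.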

Malware similar to FiXS

Some of the other malware used to target ATMs for stealing money are:

  • Prilex
  • Ploutus
  • SUCEFUL
  • GreenDispenser
  • Ripper
  • ATMii

All the malware above has evolved from ATM stealthier to phishing attacks. The good news is that these attacks are limited to certain regions.

Some commonly used ATM virus techniques

The functioning varies according to the malware and the region it targets. Some of the common techniques used are:

  • Skimming: Such viruses read the magnetic stripe on credit cards to make fraudulent transactions.
  • Cash-out attacks: This malware exploits vulnerabilities in ATM software.
  • Network-based attacks: These viruses attack ATM network connections to steal information.
  • RAM scraping: They are designed to monitor the ATM’s memory in real time to capture payment card data and PINs.

Once an ATM is infected with malware, the attacker can control its functioning remotely. 

Concluding thoughts

We have entered the era of ATM attacks, and prompt action will be needed if we see any deviation from normal procedures. To thwart these threats, testing and continuously upgrading hardware and its supporting software is necessary. Existing security procedures also need to be reexamined.

Author: PureVPN
Date: June 20, 2023
