{
	"id": "75d9597e-102a-48fc-a56b-e9c34ada071d",
	"created_at": "2026-04-06T00:06:40.662669Z",
	"updated_at": "2026-04-10T03:21:55.242619Z",
	"deleted_at": null,
	"sha1_hash": "2bd58cd9939681c4cc8f715d27b99bf276bc1ec2",
	"title": "Endpoint Protection - Symantec Enterprise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 373763,
	"plain_text": "Endpoint Protection - Symantec Enterprise\r\nArchived: 2026-04-05 17:53:45 UTC\r\nOn September 4, 2013, we were the first to discover and add detections for a new malware targeting ATMs named\r\nBackdoor.Ploutus, as reported by our Rapid Release Definitions. Recently, we identified a new variant of this\r\nthreat and realized that it has been improved and translated into English, suggesting that the ATM software is now\r\nbeing used in other countries.\r\nSymantec added a generic detection for this new variant as Backdoor.Ploutus.B on October 25, 2013, so Ploutus\r\ncan be detected both when it is inactive and when it is running.\r\nInfection methodology\r\nAccording to external sources, the malware is transferred to the ATM by physically inserting a new boot disk into\r\nthe CD-ROM drive. The boot disk then transfers the malware.\r\nImpact\r\nThe criminals have ported the malware to a more robust architecture and translated it into English, which suggests that\r\nthey know the same ATM software can be exploited in other countries outside of Latin America.\r\nThe number of banks affected by Backdoor.Ploutus.B is out of the scope of this research and should be handled\r\nby the affected parties.\r\nNew characteristics for Backdoor.Ploutus.B\r\nhttps://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=54602160-07ea-4dbb-8794-\r\n14725ea4c8ba\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments\r\nPage 1 of 5\n\nThe binary name of the English version is “Ploutos.exe” instead of “PloutusService.exe”, and it has been changed\r\nfrom a standalone program to a modular architecture.\r\n \r\nFigure 1. Ploutus modular architecture\r\n \r\nThe new NCRDRVP service is highly obfuscated, hides its malicious actions to avoid detection, and may perform\r\nthe following actions:\r\nInstall or uninstall the service\r\nPerform keyboard hooking\r\nLoad the Dispatcher DLL\r\nReceive commands from the criminals through the ATM keypad\r\nForward the commands to the Dispatcher through a raw socket\r\nThe Dispatcher listens for instructions by creating a raw socket. The raw socket is not easy to discover because\r\nit is not listed among the TCP or UDP sockets that the system uses. The Dispatcher may perform the following\r\nactions:\r\nParse the received commands to make sure they are valid\r\nExecute Ploutus through command line arguments\r\nBackdoor.Ploutus.B has the same interface (the NCR.APTRA.AXFS class) and still concentrates on dispensing\r\nmoney, but there are several differences. This version has the following characteristics:\r\nIt can print the entire ATM configuration if a USB printer is connected to the machine (the Spanish version\r\nsends this information to a log file instead)\r\nIt does not feature a graphical user interface (GUI) and instead accepts commands from the ATM keypad\r\nIt displays a window to the attacker describing the money available in the ATM and a transaction log\r\nwhile dispensing the money\r\nIt does not offer support for a keyboard to be connected to the ATM\r\nIt withdraws money from the cassette with the most available bills, but lacks the option to enter a specific\r\nbill amount\r\nFigure 2. Window showing money available in compromised ATM\r\n \r\nActions performed by Backdoor.Ploutus.B\r\nThe new version has the same functionalities as the old version:\r\nGenerates a random number and assigns it to the compromised ATM based on the current date at the time\r\nof infection\r\nSets a timer to dispense money (the malware will only dispense money in the first 24 hours after it is\r\nactivated)\r\nDispenses money from the cassette with the most available bills\r\nInteracting with Backdoor.Ploutus.B through the ATM keypad\r\nThe attackers send a 16-digit command code using the ATM keypad, which is received by the NCRDRVP\r\nservice:\r\n123456789ABCDEFG\r\nThe code is then forwarded to the Dispatcher through a raw socket. The Dispatcher then sends a 33-digit\r\ninstruction to Ploutus through the command line:\r\ncmd.exe /c Ploutos.exe 5449610000583686=123456789ABCDEFG\r\nIf the last 16 digits are equal to 2836957412536985, then Ploutus will generate an ATM ID. Once Ploutus has generated\r\nan ATM ID, the attackers can enter the same 16 digits but replace the final two digits in order to perform\r\nvarious actions.\r\nIf the final two digits are 99:\r\nPloutus will be terminated\r\nIf the final two digits are 54:\r\nThe ATM ID will be activated through a code generated based on an encoded ATM ID and the current date.\r\nThis value is stored in the DATAC entry in the config.ini file. A valid ATM activation code must be\r\nobtained in order for the ATM to dispense cash.\r\nA timer will be set to dispense the money and the value will be stored in the DATAB entry in the config.ini\r\nfile.\r\nIf the final two digits are 31:\r\nThe ATM will dispense money and print the entire ATM configuration if a USB printer is connected\r\nDispense process compromised\r\n1. Ploutus will identify the number of dispenser devices in the ATM.\r\n2. It then obtains the number of available cassettes per dispenser and loads them. In this case, the malware\r\nassumes there is a maximum of four cassettes per dispenser since it knows the design of the ATM model.\r\n3. Next, it calculates the amount to dispense based on the bill count set as 40, which is multiplied by the cash\r\nunit value.\r\n4. It then starts the cash dispensing operation. If any of the cassettes have fewer than 40 units (bills) available,\r\nthen it will find the cassette with the most available units and dispense all the money from that cassette only.\r\n5. It will open a panel (see Figure 2) that displays the details of the transaction as well as the remaining\r\nmoney in the ATM. It will then hide the panel.\r\n6. Finally, it will repeat step four every time Ploutus is requested to dispense money.\r\nATMs spewing cash at a location near you\r\nThis discovery underlines the increasing level of cooperation between traditional physical-world criminals and\r\nhackers and cybercriminals. With the ever-increasing use of technology in all aspects of security, traditional\r\ncriminals are realizing that to carry out successful heists, they now require another set of skills that wasn’t\r\nrequired in the past. The modern-day bank robbers now need skilled IT practitioners on their team to help them\r\ncarry out their heists. This type of thing isn’t just happening in films; it’s happening in real life, but this issue does\r\nnot directly affect ATM users. In this case, financial institutions are the targets. Symantec recommends the\r\nfollowing best practices:\r\nConfigure the BIOS boot order to only boot from the hard disk (no CD/DVD, USB)\r\nSecure the BIOS with a password so that the attackers cannot reconfigure the boot options\r\nConsider removing hardware that allows the BIOS to read from and start from removable boot media\r\nEnsure that AV signatures and security solutions are up to date\r\nSource: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey\r\n=54602160-07ea-4dbb-8794-14725ea4c8ba\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=54602160-07ea-4dbb-8794-14725ea4c8ba\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"report_names": [
		"viewdocument?DocumentKey=54602160-07ea-4dbb-8794-14725ea4c8ba\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"threat_actors": [],
	"ts_created_at": 1775434000,
	"ts_updated_at": 1775791315,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2bd58cd9939681c4cc8f715d27b99bf276bc1ec2.pdf",
		"text": "https://archive.orkl.eu/2bd58cd9939681c4cc8f715d27b99bf276bc1ec2.txt",
		"img": "https://archive.orkl.eu/2bd58cd9939681c4cc8f715d27b99bf276bc1ec2.jpg"
	}
}