{
	"id": "9fb85c14-7167-4483-a425-57e3a03d59dc",
	"created_at": "2026-04-06T00:06:37.159004Z",
	"updated_at": "2026-04-10T03:20:42.497625Z",
	"deleted_at": null,
	"sha1_hash": "9a1899359afe37816c625784c7953399c70bb12c",
	"title": "New Variant of Ploutus ATM Malware Observed in the Wild in Latin America | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2057375,
	"plain_text": "New Variant of Ploutus ATM Malware Observed in the Wild in\r\nLatin America | Mandiant\r\nBy Mandiant\r\nPublished: 2017-01-11 · Archived: 2026-04-05 13:23:20 UTC\r\nWritten by: Daniel Regalado\r\nIntroduction\r\nPloutus is one of the most advanced ATM malware families we’ve seen in the last few years. Discovered for the\r\nfirst time in Mexico back in 2013, Ploutus enabled criminals to empty ATMs using either an external keyboard\r\nattached to the machine or via SMS message, a technique that had never been seen before.\r\nFireEye Labs recently identified a previously unobserved version of Ploutus, dubbed Ploutus-D, that interacts with\r\nKAL’s Kalignite multivendor ATM platform. The samples we identified target the ATM vendor Diebold. However,\r\nminimal code change to Ploutus-D would greatly expand its ATM vendor targets since Kalignite Platform runs on\r\n40 different ATM vendors in 80 countries.\r\nOnce deployed to an ATM, Ploutus-D makes it possible for a money mule to obtain thousands of dollars in\r\nminutes. A money mule must have a master key to open the top portion of the ATM (or be able to pick it), a\r\nphysical keyboard to connect to the machine, and an activation code (provided by the boss in charge of the\r\noperation) in order to dispense money from the ATM. 
While there are some risks of the money mule being caught\r\nby cameras, the speed at which the operation is carried out minimizes the mule’s risk.\r\nThis blog covers the changes, improvements, and Indicators of Compromise (IOC) of Ploutus-D in order to help\r\nfinancial organizations identify and defend against this threat.\r\nPreviously unobserved features of Ploutus-D\r\nIt uses the Kalignite multivendor ATM Platform.\r\nIt could run on ATMs running the Windows 10, Windows 8, Windows 7 and XP operating systems.\r\nIt is configured to control Diebold ATMs.\r\nIt has a different GUI.\r\nIt comes with a Launcher that attempts to identify and kill security monitoring processes to avoid detection.\r\nIt uses a stronger .NET obfuscator called Reactor.\r\nCommonality between Ploutus and Ploutus-D\r\nThe main purpose is to empty the ATM without requiring an ATM card.\r\nThe attacker must interact with the malware using an external keyboard attached to the ATM.\r\nhttps://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html\r\nPage 1 of 13\n\nAn activation code is generated by the attacker, which expires after 24 hours.\r\nBoth were created in .NET.\r\nBoth can run as a Windows service or as a standalone application.\r\nDissecting Ploutus-D\r\nPloutus-D (observed in the wild with the filename of “AgilisConfigurationUtility.exe”) can run as a standalone\r\napplication or as a Windows service started by a Launcher (observed in the wild as “Diebold.exe”). 
Although\r\nmuch of the functionality is shared between the two components, the main difference is that Ploutus-D is the\r\ncomponent with the capability to dispense money.\r\nLauncher – Diebold.exe (.NET)\r\nMD5 C04A7CB926CCBF829D0A36A91EBF91BD\r\n.NET Obfuscator Reactor\r\nFile Size 198 kB\r\nFile Type Win32 EXE\r\nTime Stamp 2016:11:16 04:55:56-08:00\r\nCode Size 199168\r\nFile Version 0.0.0.1\r\nInternal Name Diebold.exe\r\nLegal Copyright Copyright © 2015\r\nOriginal Filename Diebold.exe\r\nProduct Name Diebold\r\nProduct Version 0.0.0.1\r\nTable 1: Launcher Properties\r\nThis time, the attackers put more effort into trying to obfuscate and protect their code from reverse engineering by\r\nswitching from .NET Confuser to Reactor. A quick look at how the protected code appears is shown in Figure 1.\r\nFigure 1: Code protected by Reactor\r\nInspecting the Launcher\r\nOnce the code is deobfuscated, it is easy to understand the internal workings. Before the Launcher execution\r\nstarts, it will perform an integrity check on itself to make sure it has not been altered.\r\nThe Launcher can receive different arguments in the command line to either install as a service, run Ploutus-D, or\r\nuninstall from the machine. The service properties can be seen in Figure 2.\r\nFigure 2: Service Description of the Launcher\r\nPersistence\r\nUsing a very common persistence technique, the malware will add itself to the “Userinit” registry key to allow\r\nexecution after every reboot. The key is located at:\r\n\\HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\r\nInteracting with the Launcher\r\nThe attacker must interact with the Launcher by attaching a keyboard to the ATM USB or PS/2 port. 
Figure 3\r\nbelow shows an example of this setup.\r\nFigure 3: Keyboard attached to the ATM port\r\nOnce the Launcher has been installed in the ATM, it will perform keyboard hooking in order to read the\r\ninstructions from the attackers via the external keyboard. A combination of “F” keys will be used to request the\r\naction to execute (see Figure 4).\r\nFigure 4: Interacting with the Launcher via keyboard\r\nThe main tasks supported are:\r\nStart programs on demand, some of which are decrypted from the resource section of the Launcher:\r\nC:\\Program Files\\Diebold\\Agilis Startup\\AgilisShellStart.exe\r\nMain.exe\r\nXFSConsole.exe\r\nKill Processes:\r\nNHOSTSVC.exe\r\nAgilisConfigurationUtility.exe\r\nXFSConsole.exe\r\nDelete Files:\r\nNetOp.LOG – Secure Remote Management solution\r\nReboot Machine:\r\n“wmic os where Primary='TRUE' reboot”\r\nAs seen in Figure 5, a request has been sent to run Ploutus-D (AgilisConfigurationUtility.exe) from the command line.\r\nFigure 5: Starting Ploutus-D by the Launcher\r\nLegitimate KAL ATM software is dropped into the system along with Ploutus-D, as shown in Figure 6. The\r\nreason for this is to make sure that all the software and versions needed to properly run the malware are present in\r\nthe same folder to avoid any dependency issues. The same technique was also used by the first version of Ploutus.\r\nFigure 6: Dropped files by the Launcher\r\nThe K3A.Platform.dll DLL will load the Kalignite Platform to allow Ploutus-D to control the ATM.\r\nThis shows that the attackers likely have access to the targeted ATM software. 
They can either buy physical ATMs\r\nfrom authorized resellers, which come preloaded with vendor software, or they could just steal the ATMs directly\r\nfrom the bank’s facility. An example of a real incident reported in Mexico is shown in Figure 7.\r\nFigure 7: Attackers physically stealing ATMs\r\nPloutus-D – AgilisConfigurationUtility.exe (.NET)\r\nMD5 5AF1F92832378772A7E3B07A0CAD4FC5\r\n.NET Obfuscator Reactor\r\nFile Size 274 kB\r\nFile Type Win32 EXE\r\nTime Stamp 1992:06:19 15:22:17-07:00\r\nCode Size 29696\r\nOS Version 4.0\r\nImage Version 0.0\r\nSubsystem Version 4.0\r\nTable 2: Ploutus-D Properties\r\nSimilar to the Launcher, this binary also came protected with the Reactor obfuscator (see Figure 8).\r\nFigure 8: Protected with Reactor\r\nLooking at the unprotected code (see Figure 9), the connection with Ploutus became evident since the names of\r\nmost of the functions are the same as in the first version.\r\nFigure 9: Unprotected code\r\nPloutus-D will make sure a mutex with the name “KaligniteAPP” does not exist in the system in order to start\r\nrunning. Similar to the Launcher, Ploutus-D will hook the keyboard in order for the attackers to interact with it;\r\nhowever, apart from receiving commands from “F” keys, it will also read from the numeric pad (numbers).\r\nSimilar to the previous version, the GUI will be enabled by entering a combination of “F” keys. Then, a valid\r\n8-digit code must be entered in the GUI in order to be able to dispense money. Ploutus-D also allows the attackers to\r\nenter the amount to withdraw (billUnits – 4 digits) and the number of cycles (billCount – 2 digits) to repeat the\r\ndispensing operation (see Figure 10).\r\nFigure 10: Parsing amount and cycles\r\nThe Ploutus-D GUI is displayed in Figure 11. 
It is configured to list properties of 18 cassettes (C1-C18). The letter\r\n“D” shows the status of the cassette and “CV” is a value taken from the registry. The message “Estado:Activado”,\r\nwhich means “State: Activated”, is displayed if a valid code has been entered. The ATM ID and HW_ID are\r\nunique to the ATM. The amount to be retrieved is displayed as: “Cantidad: 500” (default value if no amount\r\nentered in the GUI). The total amount depends on the currency, which is also calculated by the malware.\r\nFigure 11: Ploutus-D GUI enabled\r\nAll the actions are logged into a file with the name “Log.txt”. An extract can be seen in Figure 12.\r\nFigure 12: Log File recording actions\r\nDispensing the Money\r\nIn order for the mule to be able to start dispensing money, a valid 8-digit code must be entered. This code is\r\nprovided by the boss in charge of the operation and is calculated based on a unique ID generated per ATM, and the\r\ncurrent month and day of the attack.\r\nOnce a valid activation code has been entered (which expires in 24 hours), the dispensing process will start by\r\npressing “F3” from the external keyboard.\r\nThe malware will first identify the cassette’s denomination by querying the registry denomination table from\r\nDiebold Dispenser Logical Name “DBD_AdvFuncDisp” at:\r\n\\HKLM\\SOFTWARE\\XFS\\PHYSICAL_SERVICES\\DBD_AdvFuncDisp\\Denomination Table\r\nA similar strategy will be used to get the cassette’s status and type, to make sure they are working properly, and,\r\nmore importantly, to identify that it has at least one bill to withdraw.\r\nPloutus-D will load the “KXCashDispenserLib” library implemented by Kalignite Platform (K3A.Platform.dll) to\r\ninteract with the XFS Manager and control the Dispenser (see Figure 13).\r\nFigure 13: Loading Dispenser Class\r\nFigure 14 shows a graphical representation of the XFS Manager and its interaction with 
Kalignite Platform via\r\nKXCashDispenserLib.\r\nThe knowledge shown in the code to properly implement all the different classes and methods to control the\r\nDispenser suggests that the developers of the malware either had access to real ATMs during development or\r\nhired individuals with experience coding on these machines.\r\nExpanding Ploutus to other ATM vendors\r\nKalignite Platform is said to support 40 ATM vendors. Looking at the code to dispense money, the only pieces\r\nadjusted to target Diebold are the different registry keys to read the cassette (DBD_AdvFuncDisp) parameters (see\r\nFigure 15).\r\nFigure 15: Getting Diebold Cassette parameters\r\nSince Ploutus-D interacts with the Kalignite Platform, only minor modifications to the Ploutus-D code may be\r\nrequired to target different ATM vendors worldwide.\r\nConclusion\r\nAs anticipated in our 2017 predictions report, the use of ATM malware will continue to increase, especially in\r\nunderdeveloped countries with weaker physical security controls. By leveraging the Kalignite Platform, Ploutus\r\ncan be easily modified to attack various ATM vendors and operating systems.\r\nFrequently Asked Questions\r\n1. When was Ploutus-D first discovered?\r\nPloutus-D was uploaded to VirusTotal in November 2016.\r\n2. Does Ploutus-D target cardholder information?\r\nNo. It is designed to dispense cash from within the ATM.\r\n3. Is Ploutus-D already affecting ATMs in the wild?\r\nYes. It has been observed in Latin America.\r\n4. What type of ATMs are affected?\r\nPloutus-D affects Diebold ATMs.\r\nMinor modifications could be made to Ploutus-D to affect other vendors using the Kalignite\r\nPlatform.\r\n5. How is Ploutus-D installed on the ATM?\r\nThrough physical access to the ATM.\r\n6. 
How do attackers interact with Ploutus-D?\r\nVia an external keyboard that needs to be connected to the ATM.\r\nIOCs\r\nFileSystem:\r\n[D-Z]:\\Data\\P.bin\r\nC:\\Diebold\\EDC\\edclocal.dat\r\nThe following files should be found at the same place where the service Diebold.exe is located:\r\nLog.txt\r\nLog2.txt\r\nP.bin – MAC address of the system, plus string: “PLOUTUS-MADE-IN-LATIN-AMERICA-XD”\r\nPDLL.bin – Encoded version of P.bin\r\nMutex names:\r\nPloutos\r\nDIEBOLDPL\r\nKaligniteAPP\r\nServices:\r\nService Name: DIEBOLDP\r\nRegistry:\r\n\\\\HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit=”Diebold.exe,%system32%/userinit.exe”\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html"
	],
	"report_names": [
		"new_ploutus_variant.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775433997,
	"ts_updated_at": 1775791242,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a1899359afe37816c625784c7953399c70bb12c.pdf",
		"text": "https://archive.orkl.eu/9a1899359afe37816c625784c7953399c70bb12c.txt",
		"img": "https://archive.orkl.eu/9a1899359afe37816c625784c7953399c70bb12c.jpg"
	}
}