{
	"id": "9adfdb28-a062-4dd6-b410-13c3d2d59dc3",
	"created_at": "2026-04-06T00:15:06.73515Z",
	"updated_at": "2026-04-10T03:21:20.393234Z",
	"deleted_at": null,
	"sha1_hash": "c5c0f87dfc81d07c055ca4d2e7576d23f78955d2",
	"title": "Endpoint Protection - Symantec Enterprise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 367714,
	"plain_text": "Endpoint Protection - Symantec Enterprise\r\nArchived: 2026-04-05 15:44:22 UTC\r\nContributor: Val S\r\nIt’s well-known that organized crime in Mexico is always finding new ways to steal money from people.\r\n Automatic teller machines (ATMs) are one of the common targets in this effort, but the challenge there is actually\r\ngetting the money out of the machine. The three most common ways to accomplish this are:\r\n1. Kidnapping: Criminals kidnap a person for as long as it takes to withdraw all the money from their\r\naccount. The time depends on the money available in the account since normally there is a limit on the\r\namount allowed to be dispensed per day.\r\n2. Physically stealing the ATM: Criminals remove the ATM and take it to a location where they can go to\r\nwork accessing the cash inside. In this scenario, the loss of cash is only one consequence as the criminals\r\nwould also gain access to the software running on the ATM, which could be reverse-engineered in order to\r\nprepare an attack against all ATMs running the same software.\r\n3. ATM Skimming: Devices are placed over the card reader in order to steal personally identifiable\r\ninformation (PII) data like PIN numbers. Fake number pad overlays can also be used to record which\r\nbuttons are pressed.\r\nWhile the above scenarios all rely on external factors to succeed, criminals would like nothing more than a way\r\nfor them to make an ATM spew out all its cash just by pressing some buttons (similar to the demo presented by the\r\nlate Barnaby Jack at 2010’s BlackHat conference). Unfortunately for banks, it seems as though the bad guys’\r\ndreams may have come true. 
In parallel investigations with other AV firms, Symantec identified this sample on\r\nhttps://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=4274cb7f-d65d-4928-bdf4-\r\n0275eedc80d2\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments\r\nPage 1 of 5\n\nAugust 31, 2013 and a detection has been in place since September 4, 2013. We detect this sample as\r\nBackdoor.Ploutus.  \r\nInfection methodology\r\nAccording to external sources, the malware is transferred to the ATM by physically inserting a new boot disk into\r\nthe CD-ROM drive. The boot disk then transfers malware.\r\nImpact\r\nThe criminals created an interface to interact with the ATM software on a compromised ATM, and are therefore\r\nable to withdraw all the available money from the containers holding the cash, also known as cassettes.\r\nOne interesting part to note is that the criminals are also able to read all the information typed by cardholders\r\nthrough the ATM keypad, enabling them to steal the sensitive information without using any external device.\r\nAlthough no confirmation has been received from other countries being affected by this threat, banks in other\r\ncountries using the same ATM software could be at risk.\r\nTechnical characteristics of Backdoor.Ploutus\r\n1. It runs as a Windows service named NCRDRVPS\r\n2. The criminals created an interface to interact with ATM software on a compromised ATM through the\r\nNCR.APTRA.AXFS class \r\n3. Its binary name is PloutusService.exe\r\n4. It was developed with .NET technology and obfuscated with the software Confuser 1.9\r\n5. It creates a hidden window that can be enabled by the criminals to interact with the ATM\r\n6. 
It interprets specific key combinations, entered by criminals, as commands that can be received either by\r\nan external keyboard (that must be connected to the ATM) or directly from the keypad.\r\nActions performed by Backdoor.Ploutus\r\n1. Generate ATM ID: Randomly generated number assigned to the compromised ATM, based on the current day\r\nand month at the time of infection.\r\n2. Activate ATM ID: Sets a timer to dispense money. The malware will dispense money only within the first\r\n24 hours after it was activated.\r\n3. Dispense cash: Dispense money based on the amount requested by the criminals.\r\n4. Restart (Service): Reset the dispense time period.\r\nThe commands listed above must be executed in order, since the malware must use a non-expired, activated ATM\r\nID to dispense the cash.\r\nThe source code contains Spanish function names and poor English grammar, which suggests the malware may have\r\nbeen coded by Spanish-speaking developers.\r\nInteracting with Backdoor.Ploutus through the keypad\r\nAs noted previously, this type of interaction does not require an additional keyboard to be connected.\r\nThe following command codes are entered using the ATM keypad; their purposes are as follows:\r\n12340000: To test if the keyboard is receiving commands.\r\n12343570: Generate ATM ID, which is stored in the DATAA entry in the config.ini file.\r\n12343571XXXXXXXX: Has two actions:\r\n1. Activate ATM ID by generating an activation code based on an encoded ATM ID and the current date. This\r\nvalue is stored in the DATAC entry in the config.ini file. The eight bytes read in must be a valid encoded\r\nATM ID generated by a function called CrypTrack(). 
A valid ATM activation code must be obtained in\r\norder for the ATM to dispense cash.\r\n2. Generate timespan: Sets a timer to dispense money; the value is stored in the DATAB entry in the\r\nconfig.ini file.\r\n12343572XX: Commands the ATM to dispense money. The removed digits represent the number of bills to\r\ndispense.\r\nInteracting with Backdoor.Ploutus through a GUI\r\nThis method requires the use of an external keyboard.\r\nF8 = If the Trojan window is hidden, this will display it on the main screen of the ATM, enabling criminals to\r\nsend commands.\r\nAfter the Trojan window is displayed, the following key commands can be issued by pressing the appropriate key\r\non the keyboard:\r\nF1 = Generate ATM ID\r\nF2 = Activate ATM ID\r\nF3 = Dispense\r\nF4 = Disable Trojan Window\r\nF5 = KeyControlUp\r\nF6 = KeyControlDown\r\nF7 = KeyControlNext\r\nF8 = KeyControlBack\r\nFigure. Trojan key commands\r\nDispense process compromised\r\nIt is clear that the criminals have reverse-engineered the ATM software and came up with an interface to interact\r\nwith it, and, although we are not ATM architects, based on the code we have reviewed we can infer that\r\nBackdoor.Ploutus has the following functionalities:\r\n1. It will identify the dispenser device in the ATM.\r\n2. It then gets the number of cassettes per dispenser and loads them. In this case the malware assumes there is\r\na maximum of four cassettes per dispenser, since it knows the design of the ATM model.\r\n3. Next, it calculates the amount to dispense based on the bill count provided, which is multiplied by the cash\r\nunit value.\r\n4. It then starts the cash dispensing operation. 
If any of the cassettes have less than 40 units (bills) available,\r\nthen, instead of dispensing the amount requested, it will dispense all the remaining money available in that\r\ncassette.\r\n5. Finally, it will repeat step four for all remaining cassettes until all the money is withdrawn from the ATM.\r\nATMs could be spewing cash at a location near you…\r\nWhat this discovery underlines is the increasing level of cooperation between traditional physical world criminals\r\nwith hackers and cybercriminals. With the ever increasing use of technology in all aspects of security, traditional\r\ncriminals are realizing that to carry out successful heists, they now require another set of skills that wasn’t\r\nrequired in the past. The modern day bank robbers now need skilled IT practitioners on their team to help them\r\ncarry out their heists. This type of thing isn’t just happening in films, it’s happening in real life, possibly at a bank\r\nmachine near you.\r\nSource: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey\r\n=4274cb7f-d65d-4928-bdf4-0275eedc80d2\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=4274cb7f-d65d-4928-bdf4-0275eedc80d2\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"report_names": [
		"viewdocument?DocumentKey=4274cb7f-d65d-4928-bdf4-0275eedc80d2\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"threat_actors": [],
	"ts_created_at": 1775434506,
	"ts_updated_at": 1775791280,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c5c0f87dfc81d07c055ca4d2e7576d23f78955d2.pdf",
		"text": "https://archive.orkl.eu/c5c0f87dfc81d07c055ca4d2e7576d23f78955d2.txt",
		"img": "https://archive.orkl.eu/c5c0f87dfc81d07c055ca4d2e7576d23f78955d2.jpg"
	}
}