Ploutus-D ATM Malware Reported in U.S.

Ploutus-D is malware used for ATM jackpotting: it drives the cash dispenser directly so the machine pays out on command. It was first discovered in Mexico in 2013 and is now reported by Krebs on Security as having reached the U.S. FireEye analyzed this attack in 2017, documenting the technical details behind it and how the offenders use physical access to drain an ATM. Based on the reports, the attackers must first gain physical access to the ATM to install the malware. The first line of defense against this attack is therefore a sound physical security program that keeps unauthorized users away from the machine. Krebs on Security has published the Diebold Nixdorf security alert, including the mitigations Diebold Nixdorf recommends.

Tenable can help detect the malware on infected ATMs, both those currently infected and those where an earlier infection was not sufficiently cleaned up.

Malicious Process Detection: Running Plugin 59275, Malicious Process Detection, detects whether the malware is currently running on the system. Running Plugin 88961, Malicious File Detection, against the file system detects the infection on disk.

Indicators of Compromise Detection: Using Indicators of Compromise (IOCs), you can detect if...
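The on-disk side of the check described above, as an added example: a hash-based IOC sweep over a directory tree, which catches renamed leftovers of an incomplete clean-up because it matches content rather than file names. This is not Tenable's plugin code, and the "IOC" hashes are computed from constructed sample files that the example creates itself; they are not real Ploutus-D indicators.

```python
"""Added example (not Tenable's plugin code): hash-based IOC sweep of a
directory tree, the kind of on-disk check a malicious-file-detection plugin
performs. IOC hashes here come from constructed sample files, not real malware.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path, ioc_hashes: set[str]) -> list[tuple[Path, str]]:
    """Walk root and return (path, sha256) for every file whose hash is an IOC.

    Unreadable files (locked, permission denied) are skipped rather than
    aborting the whole sweep, so one bad file cannot hide the rest.
    """
    hits: list[tuple[Path, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digest = sha256_of_file(p)
            except OSError:
                continue
            if digest in ioc_hashes:
                hits.append((p, digest))
    return sorted(hits)


def demo() -> list[str]:
    """Build a constructed tree containing one 'malicious' sample, a renamed
    leftover copy of it, and a benign file, then sweep it and return the hits
    as POSIX-style relative paths."""
    # Constructed stand-in for a malware binary; this is not real malware.
    sample = b"CONSTRUCTED-SAMPLE-NOT-REAL-MALWARE\x00" * 64
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Program Files" / "Tool").mkdir(parents=True)
        (root / "Program Files" / "Tool" / "tool.exe").write_bytes(sample)
        # A renamed leftover from an incomplete clean-up still matches by hash.
        (root / "Windows" / "Temp").mkdir(parents=True)
        (root / "Windows" / "Temp" / "tmp1234.bak").write_bytes(sample)
        (root / "Windows" / "notepad.exe").write_bytes(b"benign content")
        # The IOC set is derived from the constructed sample, not a real feed.
        iocs = {hashlib.sha256(sample).hexdigest()}
        return [p.relative_to(root).as_posix() for p, _ in sweep(root, iocs)]


if __name__ == "__main__":
    for hit in demo():
        print("IOC match:", hit)
```

Hash matching only finds exact copies of known samples; a process-level check (the running-process plugin above) is still needed for variants that have been repacked or patched on the machine.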

Piriform CCleaner Remote Backdoor

CCleaner, a popular application used for routine system maintenance, was recently found to contain a malicious backdoor. It could allow a remote attacker to extract sensitive data from the host or execute malicious code on it.

Vulnerability details: A malicious modification of the 32-bit CCleaner.exe binary (CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191) contains a two-stage backdoor that allows a remote attacker to execute code on an affected system. The modification is hidden in CCleaner's initialization code, the CRT (C runtime) startup code that the compiler normally inserts at build time, so it runs before any of the application's own code. The modified startup code performs several tasks, including unpacking and decrypting shellcode, and then does the following. It creates the Windows registry key HKLM\SOFTWARE\Piriform\Agomo to store data about the host, including the computer name, a list of installed software including Windows updates, a list of running processes, the MAC addresses of the first three network adapters, and further details such as whether the process is running with administrator privileges and whether the system is 64-bit. It encrypts the collected information and encodes it with base64 using a custom alphabet. It then sends the encoded information via an HTTPS POST request to...
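The encoding step described above, as an added example that is not Piriform's, Tenable's or the backdoor's own code: base64 with a non-standard alphabet is just a character substitution on standard base64 output, so an analyst can recover the plaintext by translating the custom alphabet back to the standard one before decoding. The custom alphabet below is an assumed, constructed permutation chosen only for the demonstration (a rotation of the standard alphabet); the real sample's alphabet must be recovered from the binary, and this example covers only the encoding layer, not the encryption layer the text also mentions.

```python
"""Added example (not code from the CCleaner backdoor or from Tenable): encoding
and decoding base64 with a custom alphabet, the technique the backdoor used for
its host-profile beacon. The alphabet here is constructed, not the real one.
"""
import base64
import string

STD_ALPHABET = (
    string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
)

# Assumed custom alphabet (constructed for this example): the standard alphabet
# rotated by five positions. A real sample's alphabet comes from reversing it.
CUSTOM_ALPHABET = STD_ALPHABET[5:] + STD_ALPHABET[:5]


def custom_b64encode(data: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Encode with a non-standard alphabet by translating standard base64 output.
    '=' padding is untouched because it belongs to neither alphabet."""
    std = base64.b64encode(data).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def custom_b64decode(text: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Map the custom alphabet back to the standard one, then decode normally.
    validate=True rejects characters outside the (translated) alphabet instead
    of silently dropping them, which would mask a wrong alphabet guess."""
    std = text.translate(str.maketrans(alphabet, STD_ALPHABET))
    return base64.b64decode(std, validate=True)


def parse_beacon(text: str, alphabet: str = CUSTOM_ALPHABET) -> dict:
    """Decode a constructed host-profile beacon made of 'key=value' lines.
    The real beacon layout is not reproduced; this shape is an assumption."""
    raw = custom_b64decode(text, alphabet).decode("utf-8")
    fields = {}
    for line in raw.splitlines():
        key, _, value = line.partition("=")
        if key:
            fields[key] = value
    return fields


def constructed_beacon() -> str:
    """Build a sample beacon (constructed data) the way the encoder side would."""
    profile = b"host=WS01\nadmin=1\nx64=1\nmac0=00:11:22:33:44:55"
    return custom_b64encode(profile)


if __name__ == "__main__":
    beacon = constructed_beacon()
    print("on the wire:", beacon)
    print("decoded    :", parse_beacon(beacon))
```

Decoding the same string with a plain `base64.b64decode` yields garbage (or a padding error), which is exactly why such beacons look opaque in a proxy log until the alphabet is known. Note that the registry key and the affected version numbers named in the text are the quicker host-side indicators; this example is for the traffic side.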