Researchers at Metabase Q have discovered a new ATM malware, dubbed FiXS, that is targeting Mexican banks. The malware is vendor-agnostic and can target any ATM that supports CEN XFS. It interacts with crooks via an external keyboard and dispenses money 30 minutes after the last ATM reboot.
The researchers have not yet determined the initial attack vector, but they observed that FiXS is embedded inside an otherwise benign-looking program and that it resembles Ploutus in its use of an external keyboard.
The researchers have provided Indicators of Compromise (IoCs) to enable banks and financial institutions to detect the threat.
The FiXS binary carries Russian-language metadata, and its decode_XOR_key() function changes the XOR key on every iteration of the decoding loop. The malware waits for the cash cassettes to be loaded before it starts dispensing money, and it is launched via the ShellExecute Windows API.
The dropper writes the embedded malicious code into a folder with the hardcoded name "3582-490" and gives it the same file name as the dropper itself, conhost.exe. FiXS enforces its 30-minute delay after the last ATM reboot by reading system uptime through the Windows GetTickCount API.
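The two host artefacts above, the hardcoded "3582-490" folder and a conhost.exe living somewhere other than the system directory, are the kind of IoC a bank's SOC can sweep ATM images for. The following is an added hunting script, not part of the Metabase Q report or its IoC list; it walks a filesystem root and reports both artefacts. The assumption that the only legitimate conhost.exe sits under Windows\System32, and the sample directory layout built for the demo, are constructed for this example.

```python
import os
import tempfile

# IoCs taken from the write-up: the dropper's hardcoded folder name and the
# file name it reuses for the payload.
SUSPECT_DIR_NAME = "3582-490"
SUSPECT_FILE_NAME = "conhost.exe"
# Assumed location of the legitimate conhost.exe (assumption for this example).
LEGIT_PARENT_SUFFIX = "windows/system32"


def _norm(path: str) -> str:
    """Normalise separators and case so comparisons work on any host."""
    return path.replace("\\", "/").lower()


def hunt(root: str) -> list:
    """Walk `root` and return sorted (kind, relative_path) tuples for each IoC hit."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = _norm(os.path.relpath(dirpath, root))
        if rel_dir == ".":
            rel_dir = ""
        for d in dirnames:
            if d.lower() == SUSPECT_DIR_NAME:
                findings.append(("suspect_dir", _norm(os.path.join(rel_dir, d))))
        for f in filenames:
            # conhost.exe is expected only in System32; anywhere else is a masquerade.
            if f.lower() == SUSPECT_FILE_NAME and not rel_dir.endswith(LEGIT_PARENT_SUFFIX):
                findings.append(("masquerade_file", _norm(os.path.join(rel_dir, f))))
    return sorted(findings)


def build_sample_tree(base: str) -> None:
    """Constructed layout (not real data): one legitimate conhost.exe plus a
    dropper-style layout mirroring the folder and file names from the write-up."""
    layout = {
        "Windows/System32/conhost.exe": b"legit",
        "Users/atm/AppData/Local/Temp/conhost.exe": b"dropper",
        "Users/atm/AppData/Local/Temp/3582-490/conhost.exe": b"payload",
    }
    for rel, content in layout.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)


def demo() -> list:
    """Build the constructed tree in a temp dir and run the hunt over it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return hunt(tmp)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:16s} {path}")
```

On a real ATM image, point hunt() at the mounted volume root; a name match is only a lead, so pair any hit with the file hashes from the published IoCs before treating it as confirmed, since a non-System32 conhost.exe can also turn up in software staging directories.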