Metabase Q has reported the emergence of a new ATM malware called FiXS, and of a whole family of similar malware, targeting ATMs in Latin America.
The media also reported that Diebold Nixdorf discovered a new form of attack on ATMs in Europe.
The researchers named the malware FiXS and said that it has been attacking Mexican banks since early February 2023, but can also be used to compromise any other ATM that supports CEN/XFS.
The researchers write that the exact method of compromise is still unknown, but it is likely that “attackers have found a way to interact with the ATM through the touch screen.” It is also noted that the ATM malware hides “inside another program that does not look like malware.”
To be more precise, the sample studied by the experts is delivered via the Neshta dropper (conhost.exe), which is written in Delphi and was first discovered back in 2003.
According to experts, FiXS is similar to another ATM malware called Ploutus, which allows criminals to extract cash from ATMs using an external keyboard or by sending SMS messages. This also suggests that attackers inject malware through physical access to ATMs.
Apart from requiring interaction through an external keyboard, FiXS is not tied to a specific vendor and can be used against any Windows-based ATM. In fact, the malware is capable of infecting any machine that supports CEN/XFS (eXtensions for Financial Services).
One notable feature of FiXS is its ability to force an ATM to dispense money 30 minutes after the last reboot (using the Windows GetTickCount API). Metabase Q suggests that shortly after the malware is installed, the issued cash is retrieved by mules.
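For defenders, the reboot-linked timing described above can be checked against ATM journals. The following is an added example, not code from Metabase Q or from this article: the journal format, the event names (BOOT, AUTH, DISPENSE), the `txn` field and the 45-minute correlation window are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample journal in a hypothetical format: ISO timestamp, event, fields.
SAMPLE_JOURNAL = """\
2023-02-10T02:00:00 BOOT
2023-02-10T09:15:10 AUTH txn=1001
2023-02-10T09:15:20 DISPENSE txn=1001
2023-02-11T03:00:00 BOOT
2023-02-11T03:30:05 DISPENSE txn=-
2023-02-11T11:42:00 DISPENSE txn=-
"""

def parse(journal):
    """Yield (timestamp, event, fields) for each well-formed journal line."""
    for line in journal.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        yield datetime.fromisoformat(parts[0]), parts[1], fields

def suspicious_dispenses(journal, window=timedelta(minutes=45)):
    """Return (timestamp, uptime, soon_after_reboot) for every dispense that has
    no matching host authorization. The window is an assumed tuning value chosen
    to cover the 30-minute mark reported for FiXS."""
    last_boot, authorized, findings = None, set(), []
    for ts, event, fields in parse(journal):
        txn = fields.get("txn")
        if event == "BOOT":
            last_boot = ts
            authorized.clear()          # pending authorizations do not survive a reboot
        elif event == "AUTH" and txn:
            authorized.add(txn)
        elif event == "DISPENSE":
            if txn and txn in authorized:
                authorized.discard(txn)  # one authorization covers one dispense
                continue
            uptime = ts - last_boot if last_boot else None
            findings.append((ts, uptime, uptime is not None and uptime <= window))
    return findings

if __name__ == "__main__":
    for ts, uptime, soon in suspicious_dispenses(SAMPLE_JOURNAL):
        tag = "soon after reboot" if soon else "no recent reboot"
        print(f"{ts.isoformat()} unauthorized dispense, uptime {uptime} ({tag})")
```

Any dispense without a host authorization deserves investigation; the reboot correlation only helps prioritize the ones that match the timing reported for FiXS.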