New FiXS Malware Found Hacking ATMs in Mexico

Written by William Reddy

Metabase Q has announced the emergence of the new FiXS malware, along with a whole family of similar malware, targeting ATMs in Latin America.

Let me remind you that we also wrote that “New Variant of SpyNote Malware Gains Popularity among Hackers after Source Code Leak”, and that “Banking Trojan Ursnif Refocuses on Extortion”.

The media also reported that Diebold Nixdorf discovered a new form of attacks on ATMs in Europe.

The researchers named the malware FiXS and said that it has been attacking Mexican banks since early February 2023, but can also be used to compromise any other ATMs that support CEN XFS.

The researchers write that the exact method of compromise is still unknown, but it is likely that “attackers have found a way to interact with the ATM through the touch screen.” It is also noted that ATM malware hides “inside another program that does not look like malware.”

To be more precise, the sample studied by the experts is delivered via the Neshta dropper (conhost.exe), which is written in Delphi and was first discovered back in 2003.

According to experts, FiXS is similar to another ATM malware called Ploutus, which allows criminals to extract cash from ATMs using an external keyboard or by sending SMS messages. This also suggests that attackers inject malware through physical access to ATMs.


Besides requiring interaction through an external keyboard, FiXS can be used against any Windows-based ATM and is not tied to a specific vendor. In fact, the malware is capable of infecting any machine that supports CEN/XFS (eXtensions for Financial Services).

One notable feature of FiXS is its ability to force an ATM to dispense money 30 minutes after the last reboot (using the Windows GetTickCount API). Metabase Q suggests that shortly after the malware is installed, the issued cash is retrieved by mules.

“FiXS is implemented using the CEN XFS API, which is found in almost every Windows-based ATM (as well as other malware, such as RIPPER),” the researchers note.
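A defender's triage of the two host-level traits described above (a dropper named conhost.exe and malware acting as a CEN/XFS client), as an added example that is not taken from Metabase Q's report. The event format, the allowlisted application path, the C: system drive and the assumption that XFS clients load the XFS manager DLL msxfs.dll are this example's own.

```python
import ntpath

# Assumptions (not from the article): XFS clients load the CEN/XFS manager
# DLL msxfs.dll; Windows is installed on C:; the allowlisted path is hypothetical.
XFS_MANAGER_DLL = "msxfs.dll"
SYSTEM_CONHOST = r"c:\windows\system32\conhost.exe"
ALLOWED_XFS_CLIENTS = {r"c:\atm\bankapp.exe"}  # hypothetical ATM application

# Constructed image-load events (process image, loaded module), modelled on
# the fields a Sysmon Event ID 7 record carries.
SAMPLE_EVENTS = [
    {"host": "atm-01", "image": r"C:\ATM\BankApp.exe",
     "loaded": r"C:\Windows\System32\msxfs.dll"},
    {"host": "atm-01", "image": r"C:\Windows\System32\conhost.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"host": "atm-02", "image": r"C:\Users\Public\conhost.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"host": "atm-02", "image": r"C:\Users\Public\helper.exe",
     "loaded": r"C:\Windows\System32\MSXFS.DLL"},
]

def norm(path):
    """Normalise a Windows path for comparison (slashes, '..', case)."""
    return ntpath.normpath(path.replace("/", "\\")).lower()

def triage(events, allowed=ALLOWED_XFS_CLIENTS):
    """Return de-duplicated (host, image, reason) findings in event order."""
    findings = []
    for ev in events:
        image = norm(ev["image"])
        module = ntpath.basename(norm(ev["loaded"]))
        hits = []
        # A binary named conhost.exe anywhere but System32 is masquerading.
        if ntpath.basename(image) == "conhost.exe" and image != SYSTEM_CONHOST:
            hits.append("conhost.exe outside System32")
        # Only the approved ATM application should talk to the XFS manager.
        if module == XFS_MANAGER_DLL and image not in allowed:
            hits.append("unapproved XFS client")
        for reason in hits:
            finding = (ev["host"], image, reason)
            if finding not in findings:
                findings.append(finding)
    return findings

if __name__ == "__main__":
    for host, image, reason in triage(SAMPLE_EVENTS):
        print(f"{host}: {image}: {reason}")
```

On an ATM, where the set of legitimate XFS clients is small and fixed, an application allowlist enforces the same rule preventively rather than after the fact.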

About the author

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting a master's degree in cybersecurity, I started working as a virus analyst at a little anti-malware vendor.
