Since the beginning of February 2023, Mexican banks have been the target of a new ATM malware outbreak known as FiXS. The Windows-based malware requires input through an external keyboard, is vendor-agnostic, and is capable of infecting any teller machine that supports CEN/XFS (short for eXtensions for Financial Services).
“The ATM malware is hidden inside another not-malicious-looking program,” Latin American cybersecurity firm Metabase Q said in a report.
Although the precise method of penetration is not known yet, Dan Regalado of Metabase Q stated that it is possible the attackers were able to access the ATM's touchscreen. FiXS is said to be comparable to Ploutus, another ATM malware family that has allowed hackers to steal money from ATMs by using an external keyboard or by sending an SMS message.
One of FiXS's notable features is its use of the Windows GetTickCount API to dispense cash 30 minutes after the last ATM reboot. The sample analyzed by Metabase Q is delivered via a dropper known as Neshta (conhost.exe), a file-infecting virus first discovered in 2003.
“FiXS is implemented with the CEN XFS APIs which helps to run mostly on every Windows-based ATM with little adjustments, similar to other malware like RIPPER,” said the cybersecurity company. “The way FiXS interacts with the criminal is via an external keyboard.”
With this development, FiXS joins a lengthy list of malware that has targeted ATMs to steal money, including Ploutus, SUCEFUL, Prilex, GreenDispenser, ATMitch, RIPPER, Skimer, Alice, and ATMii. Prilex has since also evolved into modular point-of-sale (PoS) malware that can commit credit card theft in a number of ways, including by blocking contactless payment transactions.
In a thorough report on ATM malware released in September 2017, Trend Micro noted that cybercriminals who infiltrate bank networks have the same aim as those who carry out attacks via physical access: dispensing cash. Such attackers no longer need to visit the ATMs to manually install malware using a USB drive or CD; they have money mules on standby to collect the cash and flee.