A newly identified malware, code-named "FiXS," has begun affecting ATMs across Mexican banks. The malware's name comes from an identifier found within its binary code. FiXS appears to operate similarly to the infamous Ploutus malware, using an external keyboard connected to the ATM to control it. This suggests that attackers may need physical access to the ATM, where they connect the external keyboard to initiate the attack.
While the precise method of initial infection is unclear, FiXS shows distinct characteristics that enhance its effectiveness and adaptability:
- Delayed Cash Dispensing: FiXS is programmed to dispense cash roughly 30 minutes after the ATM’s last reboot, creating a timed, delayed-action attack.
- Disguised as Harmless Software: The malware is embedded within an unassuming program to avoid immediate detection.
- Cross-Vendor Compatibility: Designed to work on a wide range of ATMs that support the CEN/XFS standard, FiXS can affect multiple ATM brands.
- External Keyboard Interaction: Attackers interact with the malware through an external keyboard, a method that bypasses complex networking or remote access requirements.
- Conditional Activation: FiXS waits until the cash cassettes have been loaded before it starts dispensing, so that a cash-out is timed to follow a replenishment and yields the maximum payout.
- Presence of Russian Metadata: The malware contains metadata in Russian, possibly hinting at its origin or creator’s background.
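The timing behaviour above is something a monitoring team can look for. The following Python is an added example (not code from the original write-up or from the malware's authors) that correlates constructed ATM host-log lines to flag a dispense with no customer transaction that lands roughly 30 minutes after a reboot while an external keyboard has been attached since that reboot. The log format, the event names (BOOT, HID_ATTACH, CDM_DISPENSE) and the 25 to 40 minute window are assumptions made for the example; real vendor and XFS journal logs differ and the parser must be adapted to them.

```python
import re
from datetime import datetime, timedelta

# Constructed log lines in a hypothetical ATM host-log format (assumption:
# real vendor logs differ; adapt LINE_RE/KV_RE to yours). txn=none marks a
# dispense that no customer transaction authorized.
LOG = """\
2024-03-01 08:02:10 EVT=BOOT
2024-03-01 08:05:44 EVT=HID_ATTACH device="USB keyboard"
2024-03-01 08:33:05 EVT=CDM_DISPENSE amount=20000 txn=none
2024-03-01 09:10:00 EVT=CDM_DISPENSE amount=2000 txn=A1B2
2024-03-01 12:00:00 EVT=BOOT
2024-03-01 12:28:30 EVT=CDM_DISPENSE amount=1500 txn=C3D4
2024-03-02 07:00:00 EVT=BOOT
2024-03-02 07:31:00 EVT=CDM_DISPENSE amount=50000 txn=none
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) EVT=(\w+)(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(text):
    """Turn log text into (timestamp, event, fields) tuples; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
        events.append((ts, m.group(2), fields))
    return events


def detect(events, lo=timedelta(minutes=25), hi=timedelta(minutes=40)):
    """Flag unauthorized dispenses; raise severity when they sit in the
    post-reboot window and an external keyboard was attached after the boot."""
    alerts = []
    last_boot = None
    hid_since_boot = False
    for ts, ev, f in sorted(events, key=lambda e: e[0]):
        if ev == "BOOT":
            last_boot, hid_since_boot = ts, False
        elif ev == "HID_ATTACH":
            hid_since_boot = True
        elif ev == "CDM_DISPENSE" and f.get("txn", "none") == "none":
            since = ts - last_boot if last_boot is not None else None
            timed = since is not None and lo <= since <= hi
            alerts.append({
                "ts": ts,
                "amount": int(f.get("amount", 0)),
                "minutes_since_boot": since.total_seconds() / 60 if since else None,
                "timed_window": timed,
                "external_keyboard": hid_since_boot,
                "severity": "high" if timed and hid_since_boot else "medium",
            })
    return alerts


if __name__ == "__main__":
    for a in detect(parse(LOG)):
        print(a)
```

The dispense without a transaction is the primary signal; the reboot timing and the keyboard attach only raise the severity, so the rule still fires if the attacker changes the delay.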
FiXS relies on CEN/XFS APIs, which allow it to run on most Windows-based ATMs with minimal modification, much like other ATM-targeting malware such as Ripper ATM Malware. The malware continuously monitors for specific keystrokes, which criminals use to control its functions through an external keyboard. Each keystroke triggers a particular action:
- M: Show or hide the interface.
- A: Display cash unit information.
- C: Close the dispenser session and terminate the malware process.
- B: Dispense cash from the ATM.
- J/P: Recognized by the key handler but mapped to actions that are undefined or not validated.
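The combination of CEN/XFS calls and keyboard polling is a useful static triage signal on an ATM image. The following Python is an added example (not code from the original write-up) that scans raw file bytes for ASCII and UTF-16LE occurrences of the standard CEN/XFS entry points (msxfs.dll, WFSOpen, WFSExecute, WFSGetInfo, WFSRegister) and of the usual Windows keyboard-polling and hooking APIs, and also extracts UTF-16LE Cyrillic runs, since the write-up notes Russian metadata in the binary. The indicator sets are assumptions for the example and are not FiXS's actual import table; the two byte blobs are constructed inputs, not real samples.

```python
import re

# Indicator sets are assumptions for this example, not FiXS's actual import
# table: msxfs.dll and the WFS* functions are the standard CEN/XFS entry points
# on Windows ATMs, and GetAsyncKeyState/SetWindowsHookEx are the usual ways a
# program polls or hooks an attached keyboard.
XFS_INDICATORS = {"msxfs.dll", "WFSOpen", "WFSExecute", "WFSGetInfo", "WFSRegister"}
KEYBOARD_INDICATORS = {"GetAsyncKeyState", "GetKeyState",
                       "SetWindowsHookExA", "SetWindowsHookExW"}

# Basic Cyrillic block (U+0400-U+04FF) encoded as UTF-16LE: any low byte
# followed by 0x04. Three or more characters in a row.
CYRILLIC_UTF16 = re.compile(rb"(?:.\x04){3,}", re.DOTALL)


def find_strings(blob, needles):
    """Count ASCII and UTF-16LE occurrences of each indicator string."""
    hits = {}
    for s in sorted(needles):
        n = blob.count(s.encode("ascii")) + blob.count(s.encode("utf-16-le"))
        if n:
            hits[s] = n
    return hits


def find_cyrillic(blob):
    """Return UTF-16LE Cyrillic runs found in the blob, decoded."""
    return [m.group().decode("utf-16-le") for m in CYRILLIC_UTF16.finditer(blob)]


def triage(blob):
    """Flag a binary that both talks CEN/XFS and reads the keyboard."""
    xfs = find_strings(blob, XFS_INDICATORS)
    kbd = find_strings(blob, KEYBOARD_INDICATORS)
    return {
        "xfs": xfs,
        "keyboard": kbd,
        "cyrillic": find_cyrillic(blob),
        "suspicious": bool(xfs) and bool(kbd),
    }


# Constructed byte blobs standing in for file contents (not real samples).
SUSPECT_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"msxfs.dll\x00WFSOpen\x00WFSExecute\x00WFSGetInfo\x00"
    + b"GetAsyncKeyState\x00"
    + "Диспенсер".encode("utf-16-le")
    + b"\x00" * 8
)
BENIGN_BLOB = b"MZ\x90\x00kernel32.dll\x00CreateFileW\x00GetAsyncKeyState\x00"

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT_BLOB), ("benign", BENIGN_BLOB)):
        print(name, triage(blob))
```

A program that only reads the keyboard (the benign blob) is not flagged; it takes both the XFS surface and the keystroke polling to score. Run it over the application directories of an ATM image and review every hit by hand, since legitimate XFS middleware will also reference msxfs.dll.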
To activate the interface, the attacker presses "M," followed by "A" to display information about the cash units. FiXS has a basic, no-frills interface that contrasts with the more elaborate interfaces seen in malware like Ploutus or Padpin: it shows only essential data, such as the number of bills in each cassette, the recycle bin, and the reject bin.
FiXS is a troubling development in ATM malware because of its broad cross-vendor compatibility and its reliance on simple physical interaction rather than network access. It highlights the need for ATM security controls that address both physical exposure (unprotected USB and keyboard ports) and software weaknesses (unrestricted access to the XFS layer).
FiXS ATM Malware Sample 1 Signatures
Family: Win32:FIXS-A [ATM]
MD5: 8c9f2298275fd486a40b8811436a3a04
SHA256: 6128e9c96e30986941d9f8c15efe2020363385d1ee44dad513f9804fb2ee25bb
FiXS ATM Malware Sample 2 Signatures
Family: Virus:Win32/Neshta.A
Note: Neshta.A is a generic label for a file-infecting virus that prepends itself to executables, not a FiXS-specific detection. The label most likely means this copy of the sample was itself infected on the host it was collected from, so the hashes below identify the infected file rather than a clean FiXS binary; strip the Neshta stub before comparing it with Sample 1.
MD5: 8e41f365cde91e8f74d6d7ea1cdbd1d9
SHA256: d3c40be552819f57dc51c5a18b8a5b0595e47dd73b09d5bf4c0a2083bd1243c3