Threat Watch

WinPot Malware Now Using Slot Machine Interface

WinPot was first discovered in March of 2018 and was created to compromise ATMs and empty them of all their cash. The criminal engineers behind WinPot have crafted an interface that mimics a slot machine. Visual indicators of the ATM’s cassettes are included on the interface. Each cassette has a reel of its own numbered 1 to 4, where 4 is the maximum number of cash-out cassettes in an ATM. Each cassette also has buttons labeled SPIN, SCAN, SLOT, and STOP. Once victims press the SPIN button, the ATM starts dispensing cash from the respective cassette. The SCAN button rescans the ATM and updates the numbers under the SLOT button. Pressing the STOP button stops the machine from dispensing cash. While observing WinPot, researchers discovered other samples with modifications.

ANALYST NOTES

ATMs should be running control and process whitelisting software. These will stop the implementation of the malware and prevent the execution of any unwanted software that makes it onto the system.