ATM-jackpotting WinPot malware now features a slot machine interface

• WinPot, also known as ATMPot, is designed to compromise the ATMs and force these machines to empty their cassettes of all funds.
• WinPot is an ATM malware which uses a slot machine interface to steal funds by compromising ATMs.

Researchers analyzed a new malware sample dubbed WinPot which first appeared in underground forums in March 2018. WinPot is an ATM malware which uses a slot machine interface to steal funds from ATMs. WinPot, also known as ATMPot, is designed to compromise the ATMs and force these machines to empty their cassettes of all funds.

Slot machine interface

The cybercriminals behind the WinPot malware have worked hard on the interface to make it look like that of a slot machine which is likely a reference to the popular term ATM-jackpotting.

The WinPot interface includes a visual indicator of an ATM’s cassettes.

• Each cassette has a reel of its own numbered 1 to 4, where 4 is the maximum number of cash-out cassettes in an ATM.
• Each cassette also has buttons labeled SPIN, SCAN, SLOT, and STOP.
• Once victims press the SPIN button, the ATM starts dispensing cash from the respective cassette.
• The SCAN button rescans the ATM and updates the numbers under the SLOT button.
• Pressing the STOP button stops dispensing cash from the machine.

Modifications made to WinPot

While researchers from Kaspersky Lab were analyzing the WinPot sample, they observed more new samples with modifications.

A seller of the malware has recently offered WinPot v.3 which includes a revamped interface and a currently unidentified program called ‘ShowMeMoney’ similar to the slot machine interface. The mechanism looks similar to Cutlet Maker malware.

WinPot authors make modifications to the malware for the following reasons,

• New samples with new modifications are made to WinPot in order to trick the ATM security systems.
• Modifications are made to the malware to detect new methods to keep the money mules from abusing WinPot.
• Modifications are made to overcome potential ATM limitations and to improve the interface and error-handling routines.

“We thus expect to see more modifications of the existing ATM malware. The preferred way of protecting the ATM from this sort of threat is to have device control and process whitelisting software running on it. The former will block the USB path of implanting the malware directly into the ATM PC, while the latter will prevent the execution of unauthorized software on it,” researchers wrote in a blog.