Researchers analyzed a new malware sample dubbed WinPot, which first appeared in underground forums in March 2018. WinPot is ATM malware that uses a slot machine interface to steal funds from ATMs. Also known as ATMPot, it is designed to compromise ATMs and force them to empty their cassettes of all funds.
Slot machine interface
The cybercriminals behind the WinPot malware have worked hard to make the interface look like that of a slot machine, which is likely a reference to the popular term ATM-jackpotting.
The WinPot interface includes a visual indicator of an ATM’s cassettes.
Modifications made to WinPot
While researchers from Kaspersky Lab were analyzing the WinPot sample, they observed further new samples with modifications.
A seller of the malware has recently offered WinPot v.3, which includes a revamped interface and a currently unidentified program called ‘ShowMeMoney’ that is similar to the slot machine interface. The mechanism looks similar to that of the Cutlet Maker malware.
WinPot authors make modifications to the malware for the following reasons,
“We thus expect to see more modifications of the existing ATM malware. The preferred way of protecting the ATM from this sort of threat is to have device control and process whitelisting software running on it. The former will block the USB path of implanting the malware directly into the ATM PC, while the latter will prevent the execution of unauthorized software on it,” researchers wrote in a blog post.