A new ATM malware family named FiXS has been identified by Metabase Q. It targets Mexican banks and other Latin American institutions, takes a vendor-agnostic approach by driving the ATM's CEN XFS middleware directly, and is operated by the criminals through an external keyboard plugged into the machine. The sample arrives via a dropper, carries an XOR-encoded payload and Russian-language metadata, runs on Windows-based ATMs, is launched through the ShellExecute API and hides inside an otherwise benign-looking program. #FiXS #MetabaseQ #ItauTec #XFS #ATM #Ripper #Ploutus
Keypoints
- FiXS is a newly identified ATM malware family affecting Mexican banks and other Latin American institutions; it works on any ATM that exposes the CEN XFS middleware.
- Operators interact with the malware through an external keyboard plugged into the ATM; a keyboard hook intercepts the keystrokes so the operator can issue commands.
- The dropper writes the embedded FiXS payload to a folder named “3582-490” under the system TEMP directory and is itself renamed to conhost.exe, the name of the legitimate Windows console host.
- The embedded payload is XOR-encoded with a key that changes on every loop iteration: plain obfuscation (T1027), not real encryption, and trivially reversible once the key schedule is recovered from the decoder.
- The malware is vendor-agnostic: instead of hard-coding one vendor's dispenser it queries the registry for the XFS logical service names, so it works with any dispenser reachable through CEN XFS.
- Interaction with the dispenser, including cash-out, happens through direct WFS API calls steered by the operator on the external keyboard, and only once the ATM has been up for 30 minutes; that delay also keeps a short sandbox run from ever observing a dispense.
MITRE Techniques
- [T1012] Query Registry – Queries the Windows registry for the dispenser's XFS logical service name rather than hard-coding a vendor-specific one. “interacting in the registry key to list the logical name of the dispenser without picking a particular one”
- [T1120] Peripheral Device Discovery – Vendor-agnostic targeting of any ATM that supports CEN XFS; compatible peripherals are discovered through the middleware itself. “…vendor-agnostic targeting any ATM that supports CEN XFS.”
- [T1056.001] Keyboard Input Capture – Hooks keyboard input to intercept keystrokes from the external keypad, which is how the operators issue commands. “…hooking mechanisms intercepting the keystrokes.”
- [T1027] Obfuscated Files or Information – The embedded payload is XOR-encoded with a key that changes on every loop. “encoded with XOR instruction where the key is changed in every loop via decode_XOR_key() function”
- [T1106] Native API – FiXS is launched via the ShellExecute Windows API. “FiXS ATM Malware is launched via “ShellExecute” Windows API.”
- [T1036] Masquerading – The malware is hidden inside another benign-looking program and runs under the name conhost.exe. “It is hidden inside another not-malicious-looking program”
Indicators of Compromise
- [File Hash, MD5] – 8e41f365cde91e8f74d6d7ea1cdbd1d9, 8c9f2298275fd486a40b8811436a3a04
- [Filename] – conhost.exe, FiXS.exe
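As an added hunting example (not code from the Metabase Q report and not FiXS's own code), the Python below checks process-creation records against the indicators above: the two published MD5 hashes, a conhost.exe staged in the TEMP\3582-490 folder, any conhost.exe running outside System32, and the FiXS.exe filename. It also performs the same vendor-agnostic dispenser lookup the malware relies on, but from the defender's side. The assumption there, which the page does not state, is that a CEN XFS 3.x installation lists one subkey per logical service under HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES with a "class" value such as CDM for the cash dispenser. The sample events and registry snapshot are constructed; function names such as classify_image, hunt and find_dispensers are mine.

```python
"""Hunting helpers for the FiXS tradecraft summarised above (added example).

The sample events and registry snapshot at the bottom are constructed for the
example; they are not telemetry from the Metabase Q report.
"""
import hashlib
import ntpath
import re
from typing import Dict, List, Optional

# MD5 hashes published as IOCs (32 hex characters = MD5).
FIXS_MD5 = {
    "8e41f365cde91e8f74d6d7ea1cdbd1d9",
    "8c9f2298275fd486a40b8811436a3a04",
}

# Dropper staging path from the report: %TEMP%\3582-490\conhost.exe.
STAGED_CONHOST_RE = re.compile(r"\\3582-490\\conhost\.exe$", re.IGNORECASE)
# The only location the real console host should run from.
LEGIT_CONHOST_RE = re.compile(r"^[a-z]:\\windows\\system32\\conhost\.exe$", re.IGNORECASE)


def md5_of_file(path: str) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_image(image_path: str, md5: Optional[str] = None) -> List[str]:
    """Return the reasons an executable image is suspicious; empty means clean."""
    reasons = []
    path = image_path.replace("/", "\\")
    base = ntpath.basename(path).lower()
    if md5 and md5.lower() in FIXS_MD5:
        reasons.append("md5 matches published FiXS IOC")
    if STAGED_CONHOST_RE.search(path):
        reasons.append("conhost.exe staged in the 3582-490 TEMP folder")
    if base == "conhost.exe" and not LEGIT_CONHOST_RE.match(path):
        reasons.append("conhost.exe running outside System32 (masquerading)")
    if base == "fixs.exe":
        reasons.append("filename matches FiXS IOC")
    return reasons


def hunt(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious Image in Sysmon-style records to its reasons."""
    hits = {}
    for event in events:
        reasons = classify_image(event["Image"], event.get("MD5"))
        if reasons:
            hits[event["Image"]] = reasons
    return hits


# ASSUMPTION (not from the page): CEN XFS 3.x keeps one subkey per logical
# service under HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES, with a "class" value
# naming the device class (CDM = cash dispenser, IDC = card reader, PIN = PIN pad).
# Resolving the dispenser here, rather than by vendor name, is what makes the
# malware vendor-agnostic; a defender reads the same key to learn which
# service names to watch for in XFS traces.
XFS_LOGICAL_SERVICES = r".DEFAULT\XFS\LOGICAL_SERVICES"


def find_dispensers(logical_services: Dict[str, Dict[str, str]]) -> List[str]:
    """Return logical service names whose class is CDM, whatever the vendor."""
    return sorted(name for name, values in logical_services.items()
                  if values.get("class", "").upper() == "CDM")


def read_xfs_logical_services() -> Dict[str, Dict[str, str]]:
    """Read the live key on Windows; return {} elsewhere so the script still runs."""
    try:
        import winreg
    except ImportError:
        return {}
    services = {}
    try:
        with winreg.OpenKey(winreg.HKEY_USERS, XFS_LOGICAL_SERVICES) as root:
            for i in range(winreg.QueryInfoKey(root)[0]):      # subkey count
                name = winreg.EnumKey(root, i)
                with winreg.OpenKey(root, name) as sub:
                    values = {}
                    for j in range(winreg.QueryInfoKey(sub)[1]):  # value count
                        vname, vdata, _ = winreg.EnumValue(sub, j)
                        values[vname.lower()] = str(vdata)
                    services[name] = values
    except OSError:
        pass
    return services


# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\conhost.exe", "MD5": "0" * 32},
    {"Image": r"C:\Users\ATM\AppData\Local\Temp\3582-490\conhost.exe",
     "MD5": "8e41f365cde91e8f74d6d7ea1cdbd1d9"},
    {"Image": r"D:\apps\update\FiXS.exe", "MD5": "f" * 32},
]
# Constructed registry snapshot in the layout assumed above.
SAMPLE_XFS = {
    "CurrencyDispenser1": {"class": "CDM", "provider": "vendor_cdm_sp"},
    "CardReader1": {"class": "IDC", "provider": "vendor_idc_sp"},
    "PinPad1": {"class": "PIN", "provider": "vendor_pin_sp"},
}

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
    live = read_xfs_logical_services() or SAMPLE_XFS
    print("dispenser services:", find_dispensers(live))
```

On a real ATM, feed hunt() the Sysmon event 1 records (or a directory walk that hashes each file with md5_of_file) and expect every conhost.exe outside System32 to be flagged, not only the 3582-490 copy; the hash match is the weakest signal, since a rebuilt dropper changes it while the staging path and masquerade stay the same.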
Read more: https://www.metabaseq.com/fixs-atms-malware/