WinPot

WinPot, ATMPot
(Type: ATM malware)

(Kaspersky) The criminals had clearly spent some time on the interface to make it look like that of a slot machine, likely as a reference to the popular term ATM-jackpotting, which refers to techniques designed to empty ATMs. In the WinPot case, each cassette has a reel of its own numbered 1 to 4 (4 is the max number of cash-out cassettes in an ATM) and a button labeled SPIN. As soon as you press the SPIN button (in our case it is greyed out because we are actually dispensing cash), the ATM starts dispensing cash from the corresponding cassette. Down from the SPIN button there is information about the cassette (bank note value and the number of bank notes in the cassette). The SCAN button rescans the ATM and updates the numbers under the SLOT button, while the STOP button stops the dispensing in progress.

[News Analysis] Trends:

Total Trend: 3

Trend Per Year
2018: 1
2019: 1
2020: 1

Trend Per Month
May 2018: 1
Feb 2019: 1
Apr 2020: 1



[News Analysis] News Mention Another Threat Name:

1 - ATMitch
1 - WinPot


[TTP Analysis] Technique Performance:

reconnaissance: 0/43
resource development: 0/45
initial access: 0/19
execution: 1/36
persistence: 1/113
privilege escalation: 1/96
defense evasion: 0/184
credential access: 0/63
discovery: 0/44
lateral movement: 0/22
collection: 0/37
command and control: 0/39
exfiltration: 0/18
impact: 0/26


[TTP Analysis] Mitre Attack Matrix:

Tactics (columns): TA0043 Reconnaissance, TA0042 Resource Development, TA0001 Initial Access, TA0002 Execution, TA0003 Persistence, TA0004 Privilege Escalation, TA0005 Defense Evasion, TA0006 Credential Access, TA0007 Discovery, TA0008 Lateral Movement, TA0009 Collection, TA0011 Command and Control, TA0010 Exfiltration, TA0040 Impact

Execution (TA0002): T1053.002 Scheduled Task/Job: At
Persistence (TA0003): T1053.002 Scheduled Task/Job: At
Privilege Escalation (TA0004): T1053.002 Scheduled Task/Job: At


[Infrastructure Analysis] Based on Related IOC:

IP:Port / Timestamp: (no entries)
Domain / Timestamp: (no entries)
URL / Timestamp: (no entries)


[Target Analysis] Region/Sector:

No information


References:

News Article (Credit @Malpedia)

A look at the ATM/PoS malware landscape from 2017-2019
2020-04-23, Kaspersky (Kaspersky Labs)

ATM robber WinPot: a slot machine instead of cutlets
2019-02-19, Konstantin Zykov (Kaspersky Labs)

EAST Publishes European Fraud Update 2-2018
2018-05-07, European Association for Secure Transactions

Basic Information (Credit @etda.or.th)

Tool: WinPot

Names: WinPot, ATMPot

Description: (Kaspersky) The criminals had clearly spent some time on the interface to make it look like that of a slot machine, likely as a reference to the popular term ATM-jackpotting, which refers to techniques designed to empty ATMs. In the WinPot case, each cassette has a reel of its own numbered 1 to 4 (4 is the max number of cash-out cassettes in an ATM) and a button labeled SPIN. As soon as you press the SPIN button (in our case it is greyed out because we are actually dispensing cash), the ATM starts dispensing cash from the corresponding cassette. Down from the SPIN button there is information about the cassette (bank note value and the number of bank notes in the cassette). The SCAN button rescans the ATM and updates the numbers under the SLOT button, while the STOP button stops the dispensing in progress.

Category: Malware

Type: ATM malware

Information: https://securelist.com/atm-robber-winpot/89611/

Information: https://securelist.com/atm-malware-is-being-sold-on-darknet-market/81871/

Information: https://www.association-secure-transactions.eu/east-publishes-fraud-update-2-2018/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.winpot

Last-card-change: 2022-12-28

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre)

Tactics (columns): TA0043 Reconnaissance, TA0042 Resource Development, TA0001 Initial Access, TA0002 Execution, TA0003 Persistence, TA0004 Privilege Escalation, TA0005 Defense Evasion, TA0006 Credential Access, TA0007 Discovery, TA0008 Lateral Movement, TA0009 Collection, TA0011 Command and Control, TA0010 Exfiltration, TA0040 Impact

Execution (TA0002): T1053.002 Scheduled Task/Job: At
Persistence (TA0003): T1053.002 Scheduled Task/Job: At
Privilege Escalation (TA0004): T1053.002 Scheduled Task/Job: At

T1053.002 Scheduled Task/Job: At: at can be used to schedule a task on a system to be executed at a specific date or time.