(Kaspersky) The criminals had clearly spent some time on the interface to make it look like that of a slot machine. Likely as a reference to the popular term ATM-jackpotting, which refers to techniques designed to empty ATMs. In the WinPot case, each cassette has a reel of its own numbered 1 to 4 (4 is the max number of cash-out cassettes in an ATM) and a button labeled SPIN. As soon as you press the SPIN button (in our case it is greyed out because we are actually dispensing cash), the ATM starts dispensing cash from the corresponding cassette. Down from the SPIN button there is information about the cassette (bank note value and the number of bank notes in the cassette). The SCAN button rescans the ATM and updates the numbers under the SLOT button, while the STOP button stops the dispensing in progress.
TA0043 | TA0042 | TA0001 | TA0002 | TA0003 | TA0004 | TA0005 | TA0006 | TA0007 | TA0008 | TA0009 | TA0011 | TA0010 | TA0040 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
IP:Port | Timestamp |
---|
Domain | Timestamp |
---|
URL | Timestamp |
---|
2020-04-23 by Kaspersky from Kaspersky Labs
2019-02-19 by Konstantin Zykov from Kaspersky Labs
2018-05-07 by European Association for Secure Transactions from European Association for Secure Transactions
Tool: WinPot
Names: WinPot, ATMPot
Description: (Kaspersky) The criminals had clearly spent some time on the interface to make it look like that of a slot machine. Likely as a reference to the popular term ATM-jackpotting, which refers to techniques designed to empty ATMs. In the WinPot case, each cassette has a reel of its own numbered 1 to 4 (4 is the max number of cash-out cassettes in an ATM) and a button labeled SPIN. As soon as you press the SPIN button (in our case it is greyed out because we are actually dispensing cash), the ATM starts dispensing cash from the corresponding cassette. Down from the SPIN button there is information about the cassette (bank note value and the number of bank notes in the cassette). The SCAN button rescans the ATM and updates the numbers under the SLOT button, while the STOP button stops the dispensing in progress.
Category: Malware
Type: ATM malware
Information: https://securelist.com/atm-robber-winpot/89611/
Information: https://securelist.com/atm-malware-is-being-sold-on-darknet-market/81871/
Information: https://www.association-secure-transactions.eu/east-publishes-fraud-update-2-2018/
Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.winpot
Last-card-change: 2022-12-28
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
TA0043 | TA0042 | TA0001 | TA0002 | TA0003 | TA0004 | TA0005 | TA0006 | TA0007 | TA0008 | TA0009 | TA0011 | TA0010 | TA0040 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
T1053.002 SCHEDULED TASK/JOB : AT at can be used to schedule a task on a system to be executed at a specific date or time. | T1053.002 SCHEDULED TASK/JOB : AT at can be used to schedule a task on a system to be executed at a specific date or time. | T1053.002 SCHEDULED TASK/JOB : AT at can be used to schedule a task on a system to be executed at a specific date or time. |