Malware "WinPot" turns ATMs into Slot Machines

by AKM

Posted on February 19, 2019 at 6:28 PM


Kaspersky back at it again xssposing major cyber criminalz!!! Ok, jokes aside, this piece of malware that has all the news outlets going bananas, dubbed "WinPot", an ATM payload that causes the machine to spew out money like a casino slot machine.

Similar to another piece of malware we covered a while back called Ploutus-D. I'm thinking everyone forgot at some point that most ATMs, especially those running in certain third world countries still run Windows XP! Yes, that's correct, your assets are super secure sitting inside some random XP box. You'd think a bank has everything covered.

So where did this malware come from? I traced it back to a forum (that's not on the darknet like how most outlets are reporting) after a simple Google search, called "club2crd". The first reference to WinPot I found on this forum dates to 8/18/2018 by a user named "Muhammad98" selling it for $1000 USD. This version of WinPot (rather old) targets Wincor ATM's specifically manufactured by Nixdorf, the same brand of ATMs that the Ploutus-D malware targets.

Another reference to WinPot (this time version 3) dates back to 12/9/2018. The user who goes by the alias "wav", who also appears to be a Senior Member (yes he's super 1337), was selling the trojan for 1 BTC (during the time, worth $6440.52 USD). I personally don't even think half of these forum'ers actually sit and think about the price of their tool, I think that "1 BTC" is usually just a random arbitrary number they throw at almost everything they're sitting on. That old CC dump? Yea that's 1 BTC. Don't take my word for it, but this piece of malware is nowhere close to six thousand dollars.

After further complicated Google search queries, I came across another strand of malware that's built off of WinPot, dubbed "Annuit Coeptis" (Illuminati reference) that does exactly what WinPot does, only priced at $500 dollars.

The person selling this version is also Muhammad98, the same person who sold the first version of WinPot. What's different? No clue. Based on the screenshot, the functionality is identical. Then after five minutes, I discovered by a forum reply stating that the program doesn't even work! It apparently crashes due to the lack of proper coding skills by its author. Below you will find a video of the WinPot malware in full use on an unsuspected ATM (video credits go to Muhammad98).

Blog Search