6 March 2023

New advanced FiXS ATM malware targets Mexican banks



Security researchers at Latin American cybersecurity firm Metabase Q have discovered a new malware strain dubbed "FiXS" that has been used in ATM jackpotting attacks in Mexico since the start of February 2023.

The researchers said they have not yet identified the initial infection vector.

“However, since FiXS utilizes an external keyboard (similar to Ploutus), we anticipate that it follows a similar methodology. In the case of Ploutus, a person with access to these teller machines physically connects an external keyboard to the ATM for the attack to commence,” Metabase Q noted in its technical report.

FiXS is a vendor-agnostic malware that targets any ATM that supports CEN XFS, a suite of protocols and APIs supported by the banking industry. The malware is hidden within innocuous-looking software and interacts with its operators via an external keyboard. One of the notable features of FiXS is its ability to dispense money 30 minutes after the last ATM reboot, which it times using the Windows GetTickCount API (the API reports the time elapsed since the system started).

“This means that whoever restarted the ATM last time, and probably the one who installed the malware (a maintenance engineer, a consultant, etc.), the mule will arrive soon after. In the next figure, the 30 minutes validation can be seen via GetTickCount API, and then the Dispenser is commanded to spit out money via command id 302 equal to WFS_CMD_CDM_DISPENSE.”

Metabase Q has shared Indicators of Compromise (IoCs) to help cybersecurity teams at banks and financial institutions identify the threat.
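For defenders, the behaviour described above (a dispense command with id 302 issued shortly after a reboot) suggests a simple correlation over ATM event logs. The following is an added example, not code from Metabase Q's report: the normalized event format, the 45-minute watch window and the "no open card session" criterion are all assumptions made for illustration.

```python
from datetime import datetime

XFS_DISPENSE = 302  # WFS_CMD_CDM_DISPENSE, the command id named in the report

# Constructed sample events in a hypothetical normalized format:
# (ISO timestamp, event type, detail). This is not a real XFS trace layout.
SAMPLE_EVENTS = [
    ("2023-02-10T08:00:00", "BOOT", ""),
    ("2023-02-10T09:15:00", "CARD_SESSION_START", "s1"),
    ("2023-02-10T09:15:40", "XFS_CMD", "302"),   # normal withdrawal
    ("2023-02-10T09:16:00", "CARD_SESSION_END", "s1"),
    ("2023-02-11T02:00:00", "BOOT", ""),
    ("2023-02-11T02:31:10", "XFS_CMD", "302"),   # no card, 31 min after boot
    ("2023-02-11T02:31:25", "XFS_CMD", "302"),
]

def suspicious_dispenses(events, watch_minutes=45):
    """Return (timestamp, uptime_seconds) for dispense commands issued with no
    card session open while uptime since the last boot is within the window."""
    last_boot = None
    in_session = False
    hits = []
    for ts, kind, detail in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        if kind == "BOOT":
            last_boot, in_session = when, False  # a reboot ends any session
        elif kind == "CARD_SESSION_START":
            in_session = True
        elif kind == "CARD_SESSION_END":
            in_session = False
        elif kind == "XFS_CMD" and int(detail) == XFS_DISPENSE:
            if last_boot is None or in_session:
                continue  # unknown boot time, or a customer transaction
            uptime = (when - last_boot).total_seconds()
            if uptime <= watch_minutes * 60:
                hits.append((ts, uptime))
    return hits

if __name__ == "__main__":
    for ts, uptime in suspicious_dispenses(SAMPLE_EVENTS):
        print(f"{ts}: dispense without card session, {uptime / 60:.1f} min after boot")
```

The window is deliberately wider than 30 minutes so that dispenses just past the mark are still caught; tune it against the normal post-maintenance test dispenses seen in your own fleet.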
