
FASTCash Linux Malware

North Korean threat actors have developed a previously unknown Linux variant of the FASTCash malware, which they are deploying to compromise the payment switch systems of financial institutions, facilitating illicit cash withdrawals.

Earlier versions of FASTCash were known to target Windows and IBM AIX (Unix) systems. According to a recent report by security researcher HaxRob, a newly uncovered Linux variant, built for Ubuntu 22.04 LTS, has now been identified, the first time a Linux build of the malware has been observed.

The FASTCash Malware Has been Targeting ATMs for Years

In December 2018, CISA (the Cybersecurity and Infrastructure Security Agency) issued its first warning about the FASTCash ATM cash-out scheme, attributing the activity to the North Korean state-sponsored hacking group tracked as 'Hidden Cobra.' The agency's investigation found that the attackers had been using FASTCash since at least 2016, orchestrating simultaneous ATM withdrawals in over 30 countries and stealing tens of millions of dollars.

In 2020, U.S. Cyber Command raised the alarm again, linking renewed FASTCash 2.0 activity to APT38 (Lazarus). In 2021, the U.S. Department of Justice announced indictments against three North Korean individuals accused of stealing more than $1.3 billion from financial institutions worldwide.

A New Variant Spotted by Researchers

The latest variant of FASTCash, uncovered in June 2023, shares many operational characteristics with its Windows and AIX predecessors. It is built as a shared library that the attackers inject into an already running process on the payment switch server using the 'ptrace' system call. Once loaded, it hooks the process's network functions so that it can read and rewrite transaction traffic as it passes through.
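A library injected through ptrace leaves traces in the victim process's memory map: the mapped file is often deleted from disk after injection, lives outside the normal library directories, or is accompanied by an anonymous writable-and-executable region used for the injected stub. The following scanner is an added example written for this page, not code from HaxRob's report or from the malware; the maps content, the daemon name 'switchd', the path '/tmp/libhook.so' and the vendor directory '/opt/switch/lib/' are all constructed placeholders.

```python
"""Scan /proc/<pid>/maps for signs of an injected shared library in a
long-running process such as a payment switch daemon.  Added example, not
code from the report; the sample maps content below is constructed."""
import re
from pathlib import Path

# One line of /proc/<pid>/maps: start-end perms offset dev inode [path]
MAPS_RE = re.compile(r"^[0-9a-f]+-[0-9a-f]+ (\S{4}) \S+ \S+ \S+\s*(.*)$")

# Directories from which executable shared objects are expected.  Extend
# with the vendor's install path (e.g. /opt/<vendor>/lib/) before deploying,
# otherwise legitimate vendor libraries show up as findings.
TRUSTED = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

def suspicious_mappings(maps_text: str, trusted: tuple = TRUSTED) -> list:
    """Return a description of each executable mapping that warrants a look."""
    findings = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        perms, path = m.group(1), m.group(2).strip()
        executable, writable = "x" in perms, "w" in perms
        if not executable:
            continue                      # only code regions matter here
        if path.startswith("/memfd:"):
            # backed by an anonymous memfd: fileless loading
            findings.append(f"fileless executable mapping: {path}")
        elif path.endswith("(deleted)"):
            # file unlinked after mapping: classic "drop, inject, delete"
            findings.append(f"executable mapping of deleted file: {path}")
        elif ".so" in path and not path.startswith(trusted):
            findings.append(f"shared object outside trusted dirs: {path}")
        elif path == "" and writable:
            # anonymous rwx region: injected code or a stub written via ptrace
            findings.append(f"anonymous rwx region: {line.split()[0]}")
    return findings

def scan_process(pid: int, trusted: tuple = TRUSTED) -> list:
    """Live variant: read the maps file of a running process.  Reading
    /proc/<pid>/maps of another user's process requires root."""
    return suspicious_mappings(Path(f"/proc/{pid}/maps").read_text(), trusted)

def scan_all(trusted: tuple = TRUSTED) -> dict:
    """Walk every process on the host and collect findings per pid."""
    results = {}
    for p in Path("/proc").iterdir():
        if not p.name.isdigit():
            continue
        try:
            hits = scan_process(int(p.name), trusted)
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue                      # process exited or not readable
        if hits:
            results[int(p.name)] = hits
    return results

# Constructed sample (not captured from a real host): a switch daemon with
# libc, a vendor library, a deleted injected library and an rwx stub region.
SAMPLE_MAPS = """\
55d4c0a00000-55d4c0a21000 r-xp 00000000 fd:01 131073 /usr/sbin/switchd
7f1a2d3f0000-7f1a2d412000 r-xp 00028000 fd:01 262144 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1a2d480000-7f1a2d4a0000 r-xp 00001000 fd:01 270001 /opt/switch/lib/libiso8583.so
7f1a2d500000-7f1a2d502000 r-xp 00000000 fd:01 393216 /tmp/libhook.so (deleted)
7f1a2d600000-7f1a2d601000 rwxp 00000000 00:00 0
"""

if __name__ == "__main__":
    for finding in suspicious_mappings(SAMPLE_MAPS):
        print(finding)
```

Run against the constructed sample it reports three findings; passing the vendor directory in `trusted` drops the false positive on the vendor library and leaves the deleted '/tmp' library and the rwx region. Note that the ptrace attach itself is transient: once the injector detaches, TracerPid in /proc/<pid>/status is back to 0, so the memory map (or an audit rule on the ptrace syscall) is the durable evidence, not the tracer field.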

Payment switches act as intermediaries between ATMs or PoS terminals and a bank's central systems, routing transaction requests and responses between them. The malware abuses this position by intercepting and manipulating ISO 8583 transaction messages, the format that underpins debit and credit card processing across the financial industry.

The malware specifically targets messages that would normally decline transactions due to insufficient funds in a cardholder's account. It modifies these messages, replacing the 'decline' response with an 'approve' response.

In addition, the altered messages authorize a random withdrawal amount between 12,000 and 30,000 Turkish Lira (roughly $350 to $875). The rewritten response carries the approval fields (DE38 and DE39) and the authorized amount (DE54), so when it is passed on it is treated as a legitimately approved transaction, and a money mule working for the attackers withdraws the cash from the ATM.
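To make the manipulation concrete, the following is an added example written for this page, not code from the report or from the malware. It implements a minimal ASCII ISO 8583 codec for a handful of data elements, reproduces the decline-to-approve rewrite on a constructed response message, and shows the control a practitioner would want: reconciling the issuer's own decision (a log the switch cannot alter) against what the terminal side actually received. The field subset and the DE54 layout are simplified assumptions, and all messages, PANs and STANs are constructed.

```python
"""Minimal ASCII ISO 8583 codec, a simulation of the decline-to-approve
rewrite described above, and a reconciliation check that catches it.
Added example with constructed messages; field table is a simplified subset."""
import random

# Subset of data elements (DE): (kind, length).  fixed = exact length;
# llvar/lllvar = 2- or 3-digit length prefix followed by up to `length` chars.
FIELDS = {
    2: ("llvar", 19),     # PAN
    3: ("fixed", 6),      # processing code, 01xxxx = cash withdrawal
    4: ("fixed", 12),     # transaction amount in minor units
    11: ("fixed", 6),     # STAN, pairs a response with its request
    37: ("fixed", 12),    # retrieval reference number
    38: ("fixed", 6),     # authorization identification response
    39: ("fixed", 2),     # response code: 00 approved, 51 insufficient funds
    54: ("lllvar", 120),  # additional amounts
}

def parse(msg: str) -> tuple:
    """Split MTI + primary bitmap + data elements.  Raises on malformed input."""
    mti, bits, pos = msg[:4], int(msg[4:20], 16), 20
    if bits >> 63 & 1:
        raise ValueError("secondary bitmap not handled in this example")
    fields = {}
    for de in range(2, 65):
        if not bits >> (64 - de) & 1:
            continue
        if de not in FIELDS:
            raise ValueError(f"DE{de} not in this example's field table")
        kind, length = FIELDS[de]
        if kind == "fixed":
            n = length
        else:
            width = 2 if kind == "llvar" else 3
            n = int(msg[pos:pos + width])
            pos += width
            if n > length:
                raise ValueError(f"DE{de} length {n} exceeds max {length}")
        fields[de] = msg[pos:pos + n]
        pos += n
    if pos != len(msg):
        raise ValueError("trailing data after last data element")
    return mti, fields

def build(mti: str, fields: dict) -> str:
    """Inverse of parse(): MTI, 64-bit primary bitmap as hex, then elements."""
    bits, body = 0, []
    for de in sorted(fields):
        kind, length = FIELDS[de]
        val = fields[de]
        if (kind == "fixed" and len(val) != length) or len(val) > length:
            raise ValueError(f"bad length for DE{de}")
        bits |= 1 << (64 - de)
        width = 2 if kind == "llvar" else 3
        body.append(val if kind == "fixed" else f"{len(val):0{width}d}{val}")
    return f"{mti}{bits:016X}{''.join(body)}"

def decline_to_approve(response: str, rng: "random.Random | None" = None) -> str:
    """Reproduce, on a message string, the rewrite the text describes: a 51
    decline becomes a 00 approval with an auth code and a random 12,000 to
    30,000 TRY amount in DE54.  Illustrative; the real malware patches raw
    bytes inside the hooked switch process."""
    rng = rng or random.Random()
    mti, f = parse(response)
    if f.get(39) != "51":
        return response
    f[39] = "00"
    f[38] = f"{rng.randrange(10**6):06d}"
    amount = rng.randrange(12_000, 30_001) * 100          # kurus (minor units)
    # simplified DE54: account type(2) amount type(2) currency(3) sign(1) amount(12)
    f[54] = f"0001949C{amount:012d}"
    return build(mti, f)

def reconcile(issuer_log: dict, terminal_side: list) -> list:
    """Compare the issuer's own decision per STAN (logged off the switch)
    with the response the terminal side received.  The switch should relay
    decisions, not make them, so any divergence is an alert."""
    alerts = []
    for msg in terminal_side:
        mti, f = parse(msg)
        if mti[2] != "1":                  # third MTI digit 1 = response
            continue
        stan, code = f.get(11), f.get(39)
        expected = issuer_log.get(stan)
        if expected is None:
            alerts.append(f"STAN {stan}: response with no issuer decision")
        elif code != expected:
            alerts.append(f"STAN {stan}: issuer said {expected}, terminal saw {code}")
    return alerts

def demo() -> tuple:
    """Constructed 500.00 TRY withdrawal declined by the issuer, then rewritten."""
    rng = random.Random(7)
    common = {2: "4111111111111111", 3: "010000", 4: f"{50000:012d}",
              11: "000123", 37: "000000000123"}
    decline = build("0210", {**common, 39: "51"})
    tampered = decline_to_approve(decline, rng)
    issuer_log = {"000123": "51"}          # what the issuer really answered
    return reconcile(issuer_log, [decline]), reconcile(issuer_log, [tampered])

if __name__ == "__main__":
    clean, flagged = demo()
    print("untampered:", clean)
    print("tampered:  ", flagged)
```

The reconciliation only works if the issuer's decision log is produced somewhere the switch cannot touch (the issuer host or a separate message tap), which is the point: a compromised switch will happily log the same forged approval it forwarded.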

At the time of its discovery, the Linux variant was not flagged by common security tools, which would allow attackers to carry out fraudulent transactions without being detected. Researchers have also found signs that the operators are continuously refining their toolset, including a new Windows build of FASTCash that surfaced in September 2024.
