A new Linux variant of the FASTCash malware lets North Korean hackers push fraudulent approvals through bank payment switches and cash them out at ATMs.
According to reports, earlier versions of the malware targeted only IBM AIX and Windows systems, but a new variant has emerged that is built for Ubuntu 22.04 LTS.
The malware first drew public attention in 2018, when the North Korean hacking group Hidden Cobra used it in an ATM cash-out operation. Researchers concluded, however, that these threat actors had been using FASTCash since at least 2016, stealing millions of dollars per incident through simultaneous ATM withdrawals in at least 30 countries.
The Lazarus APT group, the name the private sector uses for the actor the US government tracks as Hidden Cobra, has also used FASTCash in one of its campaigns. Three North Korean nationals were later indicted for allegedly taking part in these schemes, which cost financial institutions worldwide more than $1.3 billion.
The Linux version of FASTCash is packaged as a shared library.
According to the analysis, the variant is a shared library injected into a running process on a payment switch server by means of the ptrace system call, which gives it a hook on that process's network traffic.
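A library injected with ptrace does not arrive through the dynamic loader, so one cheap host-side check is to look at what is actually mapped into the switch process. The following is an added example, not code from the article or the researchers: it parses `/proc/<pid>/maps` lines and flags shared objects loaded from outside the distribution's library directories, executable mappings of files that have since been deleted, and anonymous executable regions. The sample maps text, the process name and the library paths in it are constructed for the example; the check knows nothing about FASTCash specifically.

```python
import re
from pathlib import Path

# Where a packaged distribution normally loads shared objects from (assumption:
# adjust to the host; a vendor switch may ship libraries under /opt).
TRUSTED_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/",
                        "/usr/local/lib/")

# One /proc/<pid>/maps line: range, perms, offset, dev, inode, optional path.
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"\s*(?P<path>.*)$"
)


def parse_maps(text):
    """Return one dict per well-formed maps line; anything else is skipped."""
    return [m.groupdict() for m in
            (_MAPS_RE.match(l.strip()) for l in text.splitlines()) if m]


def suspicious_mappings(text, trusted=TRUSTED_LIB_PREFIXES):
    """Return (what, reason) pairs for mappings an injected library tends to leave.
    Each file path is reported once even though a library maps several segments."""
    findings, reported = [], set()
    for e in parse_maps(text):
        perms, path = e["perms"], e["path"].strip()
        executable = "x" in perms
        deleted = path.endswith(" (deleted)")
        if deleted:
            path = path[: -len(" (deleted)")]
        if path.startswith("["):                  # [stack], [heap], [vdso], ...
            continue
        if not path:
            if executable:                        # JIT runtimes do this too: weaker signal
                findings.append((f"<anon {e['start']}-{e['end']}>",
                                 "anonymous executable mapping"))
            continue
        if path in reported:
            continue
        if deleted and executable:                # dropper unlinked the file after injecting
            reported.add(path)
            findings.append((path, "executable mapping of a deleted file"))
        elif ".so" in path.rsplit("/", 1)[-1] and not path.startswith(trusted):
            reported.add(path)
            findings.append((path, "shared object outside system library directories"))
    return findings


def scan_pid(pid):
    """Run the same checks against a live process (Linux only)."""
    return suspicious_mappings(Path(f"/proc/{pid}/maps").read_text())


# Constructed sample maps output for a fictitious switch process: a legitimate
# libc mapping, a library loaded from /tmp, a deleted library in /dev/shm and
# an anonymous rwx region.
SAMPLE_MAPS = """\
55d1c0a00000-55d1c0a20000 r-xp 00000000 08:01 131073 /opt/switch/bin/switchd
7f3a1c000000-7f3a1c1c0000 r-xp 00000000 08:01 262145 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c1c0000-7f3a1c1c4000 r--p 001c0000 08:01 262145 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c400000-7f3a1c410000 r-xp 00000000 08:01 917506 /tmp/.X11-unix/libhook.so
7f3a1c410000-7f3a1c411000 rw-p 00010000 08:01 917506 /tmp/.X11-unix/libhook.so
7f3a1c600000-7f3a1c620000 r-xp 00000000 08:01 917600 /dev/shm/stage2.so (deleted)
7f3a1c800000-7f3a1c801000 rwxp 00000000 00:00 0
7ffd3e000000-7ffd3e021000 rw-p 00000000 00:00 0 [stack]
7ffd3e0f0000-7ffd3e0f2000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for what, reason in suspicious_mappings(SAMPLE_MAPS):
        print(f"{reason}: {what}")
```

This is a point-in-time check and only catches what is still mapped; to see the injection as it happens, log the syscall itself with an audit rule such as `auditctl -a always,exit -F arch=b64 -S ptrace -k ptrace_inject`, and consider raising `kernel.yama.ptrace_scope` (1 limits attaching to descendants, 2 to CAP_SYS_PTRACE holders, 3 disables attach entirely) on hosts where nothing legitimately needs to attach to the switch process.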
Payment switches sit between ATM/PoS terminals and the bank's central systems, forwarding transaction requests and responses. From inside the switch process the malware intercepts and manipulates the ISO 8583 messages the financial industry uses for debit and credit card transactions.
It specifically looks for responses that decline a transaction because the cardholder's account has insufficient funds and rewrites the "decline" into an "approve". The rewritten message also carries a randomly chosen amount between $350 and $875 to authorise for the requested transaction.
The altered response now contains an authorisation code (DE38), an "approved" response code (DE39) and an amount (DE54), so the switch passes it on as a legitimate approval, the ATM dispenses the cash, and a money mule working for the attackers collects it.
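To make the manipulation concrete, here is an added example, not code from the article or the researchers, and not the implant's own logic: a minimal ASCII ISO 8583 encoder/decoder for a handful of data elements, a function that applies the rewrite the text describes (DE39 "51" becomes "00", a made-up DE38 is added, a DE54 amount in the stated range is injected) and a reconciliation check that catches it by comparing the response code the issuer sent with the one the terminal received, keyed on the STAN in DE11. The field subset, the flat encoding of DE54 (real additional-amounts data is structured) and the sample decline message are simplifying assumptions of this example.

```python
import random

# Subset of ISO 8583 data elements, ASCII-encoded: (kind, length), where
# "fixed" is an exact width and "LL"/"LLL" carry a 2- or 3-digit length prefix.
FIELDS = {
    2:  ("LL", 19),     # Primary account number
    3:  ("fixed", 6),   # Processing code
    4:  ("fixed", 12),  # Transaction amount, minor units
    11: ("fixed", 6),   # System trace audit number (STAN)
    38: ("fixed", 6),   # Authorisation identification response
    39: ("fixed", 2),   # Response code: "00" approved, "51" insufficient funds
    54: ("LLL", 120),   # Additional amounts (encoding simplified in this example)
}


def serialize(mti, elements):
    """Build MTI + 16-hex-digit primary bitmap + data elements in field order."""
    bitmap = 0
    for f in elements:
        if f not in FIELDS:
            raise ValueError(f"unsupported field {f}")
        bitmap |= 1 << (64 - f)
    out = [mti, f"{bitmap:016X}"]
    for f in sorted(elements):
        kind, length = FIELDS[f]
        value = elements[f]
        if kind == "fixed":
            if len(value) != length:
                raise ValueError(f"DE{f} must be {length} chars")
            out.append(value)
        else:
            width = 2 if kind == "LL" else 3
            if len(value) > length:
                raise ValueError(f"DE{f} too long")
            out.append(f"{len(value):0{width}d}{value}")
    return "".join(out)


def parse(raw):
    """Inverse of serialize(); rejects messages that carry a secondary bitmap."""
    mti, bitmap, body = raw[:4], int(raw[4:20], 16), raw[20:]
    if bitmap & (1 << 63):
        raise ValueError("secondary bitmap not supported")
    elements, pos = {}, 0
    for f in range(2, 65):
        if not bitmap & (1 << (64 - f)):
            continue
        kind, length = FIELDS[f]          # KeyError for a field this example does not model
        if kind != "fixed":
            width = 2 if kind == "LL" else 3
            length = int(body[pos:pos + width])
            pos += width
        elements[f] = body[pos:pos + length]
        pos += length
    if pos != len(body):
        raise ValueError("trailing bytes after last element")
    return mti, elements


def fastcash_style_rewrite(raw, seed=None):
    """Apply the manipulation the article describes to one 0210 response: an
    insufficient-funds decline becomes an approval with a made-up auth code and
    an injected amount.  Only what the text states is mirrored; the real
    implant's exact field handling is not reproduced here."""
    mti, el = parse(raw)
    if mti != "0210" or el.get(39) != "51":
        return raw                        # anything else passes through untouched
    rng = random.Random(seed)
    el[39] = "00"
    el[38] = f"{rng.randrange(10 ** 6):06d}"
    el[54] = f"{rng.randrange(350, 876) * 100:012d}"   # USD 350..875 in cents
    return serialize(mti, el)


def reconcile(issuer_responses, terminal_responses):
    """Detection: pair what the issuer answered with what the terminal received,
    keyed on STAN (DE11), and flag any response code that changed in between."""
    issued = {parse(r)[1][11]: parse(r)[1] for r in issuer_responses}
    alerts = []
    for raw in terminal_responses:
        _, el = parse(raw)
        src = issued.get(el[11])
        if src is None:
            alerts.append((el[11], "no matching issuer response"))
        elif src[39] != el[39]:
            alerts.append((el[11], f"response code {src[39]} -> {el[39]}"))
    return alerts


# Constructed sample: a 0210 response declining a USD 500.00 withdrawal with code 51.
DECLINE = serialize("0210", {2: "4111111111111111", 3: "010000",
                             4: "000000050000", 11: "000123", 39: "51"})

if __name__ == "__main__":
    forged = fastcash_style_rewrite(DECLINE, seed=1)
    print(parse(forged)[1])
    print(reconcile([DECLINE], [forged]))
```

The reconciliation only works if the issuer-side copy of each response is captured before it reaches the compromised switch (for example from the core banking system's own logs), since anything logged by the switch process itself can be rewritten by the same hook; a second, cheaper signal is any approved response whose DE54 amount falls in a narrow band the issuer never sets.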
At the time of the analysis the Linux variant of FASTCash had zero detections on VirusTotal, which suggests it slips past most commonly deployed security tools. That stealth lets the threat actors push unauthorised transactions through without raising an alarm.