North Korea Hackers Cash In Quickly with Linux Cyber Heists


North Korean threat actors have been identified as utilizing a Linux variant of the FASTCash malware family in a financially motivated cyber campaign, according to recent reports. The FASTCash malware, initially brought to light by the US government in October 2018, was first observed in an ATM scheme orchestrated by North Korean adversaries to target banks in Africa and Asia.

Since its initial discovery, the campaign has evolved in significant ways. One notable development is its newfound ability to target banks with switch applications hosted on Windows Server, expanding its reach to interbank payment processors. While previous iterations of the malware primarily targeted systems operating on Microsoft Windows and IBM AIX, recent findings indicate a shift towards infiltrating Linux systems.

FASTCash works by modifying the ISO 8583 transaction messages used in debit and credit card transactions. By tampering with these messages, the malware can initiate unauthorized withdrawals: transactions declined for insufficient funds are manipulated so that they are approved, allowing withdrawals in Turkish currency ranging from 12,000 to 30,000 lira ($350 to $875).

Researchers investigating the malware emphasize detection strategies that identify specific techniques, such as process injection, which the malware uses to intercept transaction messages. Commercial endpoint detection and response systems, as well as open-source Linux agents, can be configured to detect use of the ptrace system call associated with this activity.
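As an illustration of the ptrace detection described above, the following added example (not code from the researchers or from this article) triages Linux auditd SYSCALL records for ptrace requests that attach to or write into another process. It assumes an x86_64 host with an audit rule logging ptrace; the allow-listed tracer paths, the rule key and the sample records are constructed for the example.

```python
import re

# x86_64 syscall number for ptrace and the request codes (a0) that attach to
# or write into another process; values from <sys/ptrace.h>.
PTRACE_SYSCALL = 101
RISKY_REQUESTS = {0x4: "PTRACE_POKETEXT", 0x5: "PTRACE_POKEDATA",
                  0xd: "PTRACE_SETREGS", 0x10: "PTRACE_ATTACH",
                  0x4206: "PTRACE_SEIZE"}
# Assumption: the debuggers/tracers this host is expected to run.
ALLOWED_TRACERS = {"/usr/bin/gdb", "/usr/bin/strace"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed records, in the shape produced by a rule such as
#   -a always,exit -F arch=b64 -S ptrace -k ptrace
SAMPLE = [
    'type=SYSCALL msg=audit(1700000000.101:901): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=1f90 a2=0 a3=0 ppid=1 pid=4242 uid=0 comm="upd" exe="/tmp/upd" key="ptrace"',
    'type=SYSCALL msg=audit(1700000001.220:902): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=1f90 a2=0 a3=0 ppid=900 pid=5000 uid=1000 comm="gdb" exe="/usr/bin/gdb" key="ptrace"',
    'type=SYSCALL msg=audit(1700000002.305:903): arch=c000003e syscall=101 success=yes exit=0 a0=4 a1=1f90 a2=7f00aa10 a3=90 ppid=1 pid=4242 uid=0 comm="upd" exe="/tmp/upd" key="ptrace"',
    'type=SYSCALL msg=audit(1700000003.410:904): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55e0 a2=55f0 a3=0 ppid=900 pid=5001 uid=1000 comm="ls" exe="/usr/bin/ls" key="exec"',
]

def parse_record(line):
    """Split one auditd record into a dict of key -> unquoted value."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def ptrace_alerts(lines):
    """Return alerts for ptrace calls that can inject into another process."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
            continue
        if int(rec.get("syscall", -1)) != PTRACE_SYSCALL:
            continue
        request = int(rec["a0"], 16)  # auditd logs syscall arguments as bare hex
        if request not in RISKY_REQUESTS or rec.get("exe") in ALLOWED_TRACERS:
            continue
        alerts.append({"request": RISKY_REQUESTS[request],
                       "target_pid": int(rec["a1"], 16),  # a1 is the traced PID
                       "tracer_pid": int(rec["pid"]),
                       "tracer_exe": rec.get("exe")})
    return alerts

if __name__ == "__main__":
    for alert in ptrace_alerts(SAMPLE):
        print(alert)
```

On a payment switch host, correlating `target_pid` with the PID of the switch process narrows the alerts to the interception scenario the researchers describe.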

In response to the growing threat posed by FASTCash and similar attacks, the Cybersecurity and Infrastructure Security Agency (CISA) has issued recommendations to enhance security measures. These recommendations include implementing chip and PIN requirements for debit cards, mandating and verifying message authentication codes for financial request response messages, and conducting authorization response cryptogram validation for chip and PIN transactions to mitigate exploitation attempts.

As cyber threats continue to evolve and become more sophisticated, organizations and financial institutions must remain vigilant in implementing robust security measures to protect against malicious actors. The utilization of advanced malware like FASTCash underscores the importance of proactive cybersecurity measures and ongoing vigilance in safeguarding sensitive financial information and transactions.
