CyberSecurity SEE

North Korean Hackers Utilize Linux FASTCash Malware for ATM Cashouts

In a recent development, a new variant of the FASTCash malware has emerged, targeting Linux-based payment switches. This malware, previously known to attack Windows and AIX systems, has been linked to a series of ATM cashout schemes that have been targeting banks in Africa and Asia since at least 2016. The FASTCash malware is believed to be the creation of the Lazarus Group, a notorious North Korean state-backed hacking group also known as Hidden Cobra.

The modus operandi of the FASTCash malware involves compromising payment switch servers, which are vital components of a bank’s infrastructure that handle the processing of card transactions. These servers facilitate the flow of transaction data between acquirers, issuers, and card networks like Visa and Mastercard. By targeting these payment switch servers, the malware disrupts the entire transaction process, leaving financial institutions vulnerable to fraudulent activities.

The Linux variant of FASTCash is built for Ubuntu Linux 22.04 (Focal Fossa) and is written in C++. It encrypts its configuration file with AES-128 in CBC mode using a hardcoded key. A researcher known as HaxRob discovered two new samples of FASTCash for Linux switches in June 2023. These samples were compiled for Ubuntu Linux 20.04 and were likely developed after April 21, 2022. At the time of writing, only four anti-malware engines detect each sample.

HaxRob explains that the FASTCash malware resides in the userspace of an interbank switch. When a compromised card is used for a fraudulent transaction, the malware manipulates messages received from issuers to convert transaction denials into approvals. The Linux variant of FASTCash masquerades as a shared object file named “libMyFc.so” and targets ISO 8583 messages, intercepting declined transaction messages triggered by insufficient funds for a predetermined list of cardholder accounts.

Once intercepted, the malware authorizes these declined transactions for a random withdrawal amount in Turkish Lira, ranging from 12,000 to 30,000 Lira ($350 to $875). This technique closely resembles the operation of a Windows variant of FASTCash identified by the Cybersecurity and Infrastructure Security Agency (CISA) in September 2020.
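Because the malware rewrites responses inside the switch, the cleanest detection is to reconcile what the issuer actually returned against what the switch forwarded to the acquirer. The following is an added example written for this article, not code from the report or from the FASTCash samples; the record format (`STAN|DE4|DE39`), the function names and all sample data are constructed, and the amount range is the 12,000 to 30,000 Lira window described above.

```python
# Added example, not from the article or the FASTCash samples: reconcile the
# issuer's actual ISO 8583 response with the one the switch forwarded to the
# acquirer. Record format ('STAN|DE4|DE39') and all sample data are constructed.
from dataclasses import dataclass

INSUFFICIENT_FUNDS, APPROVED = "51", "00"  # ISO 8583 DE39 response codes
# Cashout range the article attributes to the Linux variant, in kurus (TRY minor units)
SUSPECT_RANGE = (12_000_00, 30_000_00)

@dataclass(frozen=True)
class Response:
    stan: str    # DE11 system trace audit number, joins request and response
    amount: int  # DE4 transaction amount in minor units
    code: str    # DE39 response code

def parse_records(log: str) -> list[Response]:
    """Parse constructed 'STAN|DE4|DE39' records, one per non-empty line."""
    records = []
    for line in filter(str.strip, log.splitlines()):
        stan, de4, de39 = line.strip().split("|")
        records.append(Response(stan, int(de4), de39))
    return records

def find_tampered(issuer_log: str, forwarded_log: str) -> list[dict]:
    """One finding per STAN whose forwarded response differs from the issuer's."""
    issuer = {r.stan: r for r in parse_records(issuer_log)}
    findings = []
    for fwd in parse_records(forwarded_log):
        orig = issuer.get(fwd.stan)
        if orig is None:
            findings.append({"stan": fwd.stan, "reason": "no issuer response"})
            continue
        reasons = []
        if orig.code != fwd.code:
            reasons.append(f"DE39 {orig.code}->{fwd.code}")
        if orig.amount != fwd.amount:
            reasons.append(f"DE4 {orig.amount}->{fwd.amount}")
        if reasons:
            # The pattern described above: a decline flipped to approval, amount in range
            flip = orig.code == INSUFFICIENT_FUNDS and fwd.code == APPROVED
            in_range = SUSPECT_RANGE[0] <= fwd.amount <= SUSPECT_RANGE[1]
            findings.append({"stan": fwd.stan, "reason": "; ".join(reasons),
                             "fastcash_pattern": flip and in_range})
    return findings

# Constructed sample: the issuer declined STAN 000002 (DE39=51) for 50.00 TRY,
# but the switch forwarded an approval for 21,000.00 TRY; the others match.
ISSUER_LOG = "000001|000000002500|00\n000002|000000005000|51\n000003|000000010000|05\n"
FORWARDED_LOG = "000001|000000002500|00\n000002|000002100000|00\n000003|000000010000|05\n"
```

Running `find_tampered(ISSUER_LOG, FORWARDED_LOG)` flags only STAN 000002, with both the response-code flip and the amount change recorded; in a real deployment the two logs would come from independent capture points (issuer-facing and acquirer-facing) so that a compromised switch cannot alter both.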

The emergence of this new Linux-based FASTCash malware underscores the evolving sophistication of North Korean cyberattacks targeting financial institutions. To mitigate the risks associated with such attacks, organizations are advised to implement robust detection capabilities, patch and update systems regularly, configure security controls, strengthen network security measures, conduct routine audits, and educate their staff on phishing and social engineering risks.

It is imperative for financial institutions and other organizations to stay vigilant and proactive in safeguarding their systems against advanced cyber threats like FASTCash. By prioritizing cybersecurity measures and adopting best practices, they can minimize the risk of falling victim to malicious activities orchestrated by threat actors.
