
New Linux variant of FASTCash malware can steal money from ATMs


North Korean hackers are using a new Linux variant of the FASTCash malware to infect financial institutions’ payment systems and carry out unauthorized cash withdrawals.

Previous FASTCash variants targeted Windows and IBM AIX (Unix) systems, but a new report from security researcher HaxRob reveals a previously undetected Linux version that targets Ubuntu 22.04 LTS distributions.

Money theft story

CISA first warned about the FASTCash ATM cash withdrawal scheme in December 2018, attributing the activity to the North Korean state-backed hacking group known as “Hidden Cobra.”

According to the agency’s investigations, bad actors have used FASTCash in their operations since at least 2016, stealing tens of millions of dollars per incident in simultaneous ATM withdrawal attacks in 30 or more countries.

In 2020, US Cyber Command once again highlighted the threat, linking the resumption of FASTCash 2.0 activity to APT38 (Lazarus).

A year later, indictments were announced against three North Koreans allegedly involved in the schemes, responsible for stealing more than $1.3 billion from financial institutions around the world.

Cash out from Linux

The most recent variant spotted by HaxRob was first submitted to VirusTotal in June 2023 and has many operational similarities to previous Windows and AIX variants.

It comes in the form of a shared library that is injected into a process running on a payment switching server using the “ptrace” system call, hooking it to network functions.

These switches are intermediaries that manage communication between ATMs/PoS terminals and the bank’s core systems, routing transaction requests and responses.
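A host-side check for the injection technique described above, written here as an added example rather than anything from HaxRob's report: a traced process shows a non-zero TracerPid in /proc/<pid>/status while the ptrace attach is in progress, and a library injected at run time shows up in /proc/<pid>/maps as a file-backed mapping from a location a production switch would never load code from. The process name "switchd", the path list and the sample /proc text are constructed assumptions.

```python
import os
import re

# Constructed sample /proc data for a hypothetical payment-switch process "switchd".
SAMPLE_STATUS = "Name:\tswitchd\nState:\tS (sleeping)\nPid:\t4242\nTracerPid:\t1337\n"
SAMPLE_MAPS = (
    "55d0c0000000-55d0c0010000 r-xp 00000000 08:01 1001 /opt/switch/bin/switchd\n"
    "7f2a00000000-7f2a00100000 r-xp 00000000 08:01 2002 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f2a00200000-7f2a00210000 r-xp 00000000 00:1a 3003 /dev/shm/libhook.so\n"
    "7f2a00300000-7f2a00310000 rw-p 00000000 00:00 0\n"
)
# Assumption: directories from which a production payment switch never loads code.
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/")

def tracer_pid(status_text):
    """TracerPid from /proc/<pid>/status; non-zero means a ptrace attach is active right now."""
    m = re.search(r"^TracerPid:\s*(\d+)", status_text, re.MULTILINE)
    return int(m.group(1)) if m else 0

def suspicious_libraries(maps_text):
    """File-backed mappings in /proc/<pid>/maps from a suspect directory or already deleted on disk."""
    hits = []
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) < 6:
            continue  # anonymous mapping, no backing file to judge
        path = fields[5]
        if (path.startswith(SUSPECT_DIRS) or path.endswith("(deleted)")) and path not in hits:
            hits.append(path)
    return hits

def assess(status_text, maps_text):
    """Combine both indicators into one verdict for a single process."""
    libs = suspicious_libraries(maps_text)
    tracer = tracer_pid(status_text)
    return {"tracer_pid": tracer, "suspect_libs": libs, "alert": tracer != 0 or bool(libs)}

def scan_proc(name_filter="switchd"):
    """Scan the live /proc tree (Linux only) for processes whose Name line contains name_filter."""
    results = {}
    if not os.path.isdir("/proc"):
        return results
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            status = open(f"/proc/{pid}/status").read()
            if name_filter not in status.split("\n", 1)[0]:
                continue
            results[int(pid)] = assess(status, open(f"/proc/{pid}/maps").read())
        except OSError:
            continue  # process exited, or /proc/<pid>/maps not readable without privilege
    return results

if __name__ == "__main__":
    print(assess(SAMPLE_STATUS, SAMPLE_MAPS))
    print(scan_proc())
```

TracerPid only catches an attach that is still open, so the mapping check is the durable indicator; run scan_proc() as root so that /proc/<pid>/maps of the switch process is readable.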

The malware intercepts and manipulates ISO8583 transaction messages used in the financial industry for processing debit and credit cards.

Specifically, the malware targets messages regarding transaction declines due to insufficient funds in the cardholder’s account and replaces the response “deny” with “approve.”

[Figure: FASTCash Operational Overview. Source: doubleagent.net]

The manipulated message also contains a random amount of money between 12,000 and 30,000 Turkish liras ($350 to $875) to authorize the requested transaction.

Once the manipulated message is sent back to the bank’s central systems containing the approval codes (DE38, DE39) and the amount (DE54), the bank approves the transaction and a mule acting on behalf of the hackers removes the money from an ATM.

At the time of its discovery, the Linux variant of FASTCash had no detection on VirusTotal, meaning it could evade most standard security tools, allowing malicious actors to transact undeterred.

HaxRob also reports that a new Windows variant was submitted to VirusTotal in September 2024, indicating that the hackers are actively working on evolving all elements of their toolset.