New Linux Variant of FASTCash Malware Threatens Global ATM Security

A new Linux version of the infamous FASTCash malware has surfaced in the continuing conflict between cybersecurity professionals and cybercriminals, causing concern in the financial industry. Now, North Korean state-sponsored hackers have increased the scope of their malevolent activities and are employing this most recent version to target financial institutions’ payment switch systems. In the past, FASTCash mostly targeted IBM AIX (Unix) and Windows computers. However, the recently identified variant targets Linux, more especially Ubuntu 22.04 LTS installations.

Figure: FASTCash operational overview (source: doubleagent.net)

A New Chapter in FASTCash’s Money-Stealing History

The threat posed by the FASTCash malware is not new. The North Korean hacking group ‘Hidden Cobra,’ also known as APT38 or Lazarus, has used it since at least 2016. As early as December 2018, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about FASTCash, emphasizing the malware’s capacity to coordinate simultaneous ATM cash-out attacks across several countries. These attacks, frequently carried out in concert, allowed the perpetrators to steal tens of millions of dollars in a matter of hours.

The U.S. Cyber Command reissued the warning in 2020, referring to the malware’s upgraded version as “FASTCash 2.0.” By that point, the malware was linked to almost $1.3 billion in losses at banks and other financial institutions across the globe. Three North Korean hackers were indicted in 2021 for their roles in these cyber heists. Despite these efforts, the group’s attacks have continued, and this latest Linux version demonstrates the hackers’ capacity to adapt their tooling.

Linux Variant: The Next Evolution

HaxRob, a security researcher, discovered a previously unknown Linux variant of FASTCash in June 2023. Although it shares many operating characteristics with its predecessors, this malware targets Linux-based systems directly, which is a significant development. By concentrating on Ubuntu 22.04 LTS deployments, the hackers behind this variant show that they are actively adapting their tools to contemporary IT environments.

This updated version of FASTCash is delivered as a shared library that is injected into a running process on a financial institution’s payment switch server. The injection relies on ‘ptrace,’ a mechanism that allows one process to monitor and control the execution of another, and the malware uses it to hook the target’s network operations. The targeted processes handle communications between the bank’s central systems, point-of-sale (PoS) terminals, and ATMs.

The malware alters ISO 8583 messages, the universally accepted standard for credit and debit card transactions. Its primary strategy is to intercept transaction messages, especially those indicating that a cardholder has insufficient funds. It then rewrites these messages, substituting an “approve” response for the original “decline,” so that the system is misled into authorizing fraudulent withdrawals.

A Highly Sophisticated Scheme

When the modified message is returned toward the bank’s central systems, it contains forged authorization data (DE38, DE39) and an arbitrary sum of money, usually between 12,000 and 30,000 Turkish Lira (about $350 to $875). These false approvals let money mules working for the attackers withdraw cash from ATMs around the world.
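As an added example (not code from the article or from the researcher’s analysis), the following Python sketch parses a small ISO 8583 subset and compares the response the issuer host actually returned with the response observed leaving the switch, flagging the fields the article says the malware rewrites: DE4 (amount), DE38 (authorization code) and DE39 (response code). The message layout, field lengths and sample values are assumptions, not the format of any real switch.

```python
# Minimal ISO 8583 subset parser plus a tamper check for authorization responses.
# Assumed layout: 4-char MTI, 16-hex-char primary bitmap, ASCII fields, no secondary bitmap.
SPEC = {
    2: ("LL", 19),     # PAN, LLVAR
    3: ("FIXED", 6),   # processing code
    4: ("FIXED", 12),  # transaction amount in minor units
    38: ("FIXED", 6),  # authorization identification response
    39: ("FIXED", 2),  # response code ("00" approved, "51" insufficient funds)
}
WATCHED = (4, 38, 39)  # data elements reported to be rewritten by the malware

def build_message(mti, fields):
    """Serialize an MTI plus data elements as MTI|bitmap|fields (constructed format)."""
    bits, body = 0, ""
    for de in sorted(fields):
        enc, length = SPEC[de]
        value = fields[de]
        bits |= 1 << (64 - de)          # bit 1 is the most significant bit
        if enc == "LL":
            body += f"{len(value):02d}{value}"
        else:
            assert len(value) == length, f"DE{de} must be {length} chars"
            body += value
    return f"{mti}{bits:016X}{body}"

def parse_message(raw):
    """Return (mti, {de: value}) for a message in the constructed format above."""
    mti, bitmap, pos = raw[:4], int(raw[4:20], 16), 20
    fields = {}
    for de in range(1, 65):
        if not bitmap & (1 << (64 - de)):
            continue
        enc, length = SPEC[de]
        if enc == "LL":
            n = int(raw[pos:pos + 2]); pos += 2
            fields[de], pos = raw[pos:pos + n], pos + n
        else:
            fields[de], pos = raw[pos:pos + length], pos + length
    return mti, fields

def tamper_report(issuer_raw, wire_raw):
    """List (de, issuer_value, wire_value) for watched fields that differ between
    the issuer-side response and the response seen on the ATM-facing network."""
    _, issuer = parse_message(issuer_raw)
    _, wire = parse_message(wire_raw)
    return [(de, issuer.get(de), wire.get(de)) for de in WATCHED if issuer.get(de) != wire.get(de)]

# Constructed sample: the issuer declined (DE39=51) a 500.00 TRY withdrawal, while the
# response observed leaving the switch shows an approval of 12,000.00 TRY with a forged DE38.
ISSUER = build_message("0210", {2: "4111111111111111", 3: "010000", 4: "000000050000", 39: "51"})
WIRE = build_message("0210", {2: "4111111111111111", 3: "010000", 4: "000001200000", 38: "A1B2C3", 39: "00"})
```

Running `tamper_report(ISSUER, WIRE)` on the sample yields three mismatches (DE4, DE38, DE39); in practice the issuer-side copy would come from host logs and the wire copy from a network tap on the ATM-facing segment.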

This variant’s capacity to avoid detection makes it especially dangerous. When it was first discovered, the Linux variant had 0 detections on VirusTotal, a well-known online malware scanning service. Because the malware evaded many common security technologies, financial institutions found it considerably harder to safeguard their networks.

The Ongoing Threat

The Linux variant’s discovery highlights the North Korean cybercriminals’ adaptability and tenacity. They have demonstrated their capacity to develop and upgrade their tools; in September 2024, rumors of a new Windows variant also surfaced. Given how quickly these variants are evolving, financial institutions everywhere must remain alert and keep improving their cybersecurity defenses.


Conclusion

The discovery of the new Linux version of FASTCash is a sobering reminder of how adaptable cybercriminals can be. To safeguard their payment switch systems, financial institutions should invest in strong, multi-layered security controls that monitor for anomalous activity, and should update software on a regular basis. Combating these cross-border cyberthreats also requires international collaboration between cybersecurity and law enforcement organizations. Because attackers are constantly refining their techniques, staying ahead of the curve is essential.
