North Korean hackers are using a new Linux variant of the FASTCash malware to infect the payment switch systems of financial institutions and perform unauthorized cash withdrawals.
Previous variants of FASTCash targeted Windows and IBM AIX (Unix) systems, but a new report by security researcher HaxRob reveals a previously undetected Linux version that targets Ubuntu 22.04 LTS distributions.
Cash-stealing history
CISA first warned about the FASTCash ATM cash-out scheme in December 2018, attributing the activity to the state-backed North Korean hacking group known as 'Hidden Cobra.'
According to the agency's investigations, the threat actors had been using FASTCash in operations since at least 2016, stealing tens of millions of dollars per incident in simultaneous ATM withdrawal attacks across 30 or more countries.
In 2020, U.S. Cyber Command highlighted the threat once again, linking the revived FASTCash 2.0 activity to APT38 (Lazarus).
A year later, indictments were announced for three North Koreans allegedly involved in these schemes, responsible for the theft of over $1.3 billion from financial institutions worldwide.
Cashing out from Linux
The latest variant spotted by HaxRob was first submitted to VirusTotal in June 2023 and shares extensive operational similarities with the earlier Windows and AIX variants.
It comes in the form of a shared library that is injected into a running process on a payment switch server with the help of the 'ptrace' system call, which lets it hook the process's network functions.
These switches are intermediaries that handle the communication between ATMs/PoS terminals and the bank's central systems, routing transaction requests and responses.
The malware intercepts and manipulates ISO 8583 transaction messages, the format used in the financial industry for debit and credit card processing.
Specifically, the malware targets messages that decline a transaction because of insufficient funds in the cardholder's account and replaces the "decline" response with "approve."
[Figure: manipulated ISO 8583 response. Source: doubleagent.net]
The manipulated message also carries a random sum between 12,000 and 30,000 Turkish Lira ($350 – $875) to authorize the requested transaction.
Once the manipulated message, now containing the approval codes (DE38, DE39) and the amount (DE54), is sent back to the bank's central systems, the bank approves the transaction, and a money mule acting on behalf of the hackers withdraws the cash from an ATM.
As of its discovery, the Linux variant of FASTCash had no detections on VirusTotal, meaning it could evade most standard security tools and let the threat actors carry out transactions undeterred.
HaxRob also reports that a new Windows version was submitted to VirusTotal in September 2024, indicating that the hackers are actively working on evolving every piece of their toolset.
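One detection a bank can run against this tampering is to reconcile what the issuer host actually decided with what the switch emitted for the same transaction; the check below is an added example, not the researcher's or the malware's code, and its simplified DE54 layout, field set and sample log records are constructed assumptions.

```python
"""Reconcile issuer-host decisions against switch-emitted ISO 8583 responses.
Constructed example, not code from the report. Messages are dicts keyed by
data element: DE11 (STAN), DE38 (auth code), DE39 (response code),
DE49 (currency), DE54 (additional amounts, simplified layout)."""
APPROVED = "00"
TRY = "949"  # ISO 4217 numeric code for Turkish Lira
# Range the report attributes to the tampered responses, in kurus (minor units)
SUSPECT_MIN, SUSPECT_MAX = 12_000 * 100, 30_000 * 100

def parse_de54_amount(de54):
    """Amount from a simplified DE54: acct type(2) + amt type(2) + currency(3)
    + sign(1) + amount(12). Assumed layout, not the full 120-char field."""
    if len(de54) != 20 or not de54[8:].isdigit():
        return None
    return int(de54[8:])

def reconcile(issuer_log, switch_log):
    """Return (STAN, reason) pairs for switch responses that disagree with
    what the issuer host actually decided for the same transaction."""
    host_by_stan = {m["DE11"]: m for m in issuer_log}
    findings = []
    for resp in switch_log:
        stan, host = resp["DE11"], host_by_stan.get(resp["DE11"])
        if host is None:  # switch answered without the host ever being asked
            if resp.get("DE39") == APPROVED:
                findings.append((stan, "approval with no matching issuer response"))
            continue
        if host["DE39"] != APPROVED and resp.get("DE39") == APPROVED:
            findings.append((stan, f"issuer declined ({host['DE39']}) but switch approved"))
        if resp.get("DE38") and resp["DE38"] != host.get("DE38"):
            findings.append((stan, "authorization code not issued by host"))
        amt = parse_de54_amount(resp.get("DE54", ""))
        if amt is not None and resp.get("DE49") == TRY and SUSPECT_MIN <= amt <= SUSPECT_MAX:
            findings.append((stan, "DE54 amount inside the reported FASTCash range"))
    return findings

# Constructed sample logs: STAN 000123 was declined by the host (51 =
# insufficient funds) but left the switch as an approval with a new auth code.
ISSUER_LOG = [
    {"DE11": "000123", "DE39": "51"},
    {"DE11": "000124", "DE39": "00", "DE38": "A1B2C3"},
]
SWITCH_LOG = [
    {"DE11": "000123", "DE39": "00", "DE38": "ZZ9999", "DE49": "949",
     "DE54": "1002949D000001850000"},  # 18,500.00 TRY
    {"DE11": "000124", "DE39": "00", "DE38": "A1B2C3"},
    {"DE11": "000125", "DE39": "00", "DE38": "Q1W2E3"},
]
```

Running `reconcile(ISSUER_LOG, SWITCH_LOG)` flags STAN 000123 three times (decline turned into approval, unknown auth code, amount in range) and 000125 once (approval with no issuer record), while the legitimate 000124 is silent.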