ATMs Beware FASTCash Linux Variant Turns Declines into Cashouts

Threat Group: - Lazarus Group (or affiliates such as APT38, Bluenoroff, Stardust Chollima)
Threat Type: - Financial Malware
Exploited Vulnerabilities: - None reported; the malware is deployed on already-compromised payment switch servers (Ubuntu 20.04), not on the ATMs themselves
Malware Used: - FASTCash Linux Variant
Threat Score: - High (8.9/10) — Based on its advanced manipulation of financial systems and the cross-platform capability of the malware.
Last Threat Observation: - October 17, 2024


Overview

A new Linux variant of the FASTCash malware has been identified. It is designed to compromise payment switch systems and facilitate unauthorized cash withdrawals from ATMs. First reported by U.S. government agencies in 2018 and attributed to North Korean-linked actors such as the Lazarus Group, FASTCash previously targeted payment switches running IBM AIX and Windows; the new variant extends it to Linux, specifically Ubuntu 20.04 servers responsible for transaction authorization.

The malware's core function is to manipulate ISO 8583 transaction messages: it intercepts responses that decline a withdrawal for insufficient funds and rewrites them as approvals. In the analysed sample the forged approval is for a random amount between 12,000 and 30,000 Turkish Lira (roughly $350 - $875 per withdrawal), which accomplices then collect at ATMs, allowing the attackers to drain significant sums over many transactions.

The evolution of this malware highlights a concerning trend toward cross-platform attacks, making it critical for financial institutions to bolster their detection capabilities, particularly within Linux environments, which are often less protected.

Key Details

  • Delivery Method: Deployed on payment switch servers as a shared object (the analysed sample is named "libMyFc.so") that is injected into a running process on the switch (reportedly via the ptrace system call), where it intercepts and rewrites the process's network transactions.
  • Target: Payment switch servers running Ubuntu 20.04 and, through them, the financial networks and ATMs they serve, globally.
  • Functions:
    1. Parses and modifies ISO 8583 transaction messages for debit and credit card processing.
    2. Rewrites "declined: insufficient funds" responses into "approved" responses.
    3. In the analysed sample the forged approval is for a random amount between 12,000 and 30,000 Turkish Lira, which the ATM then dispenses.
    4. Uses process injection comparable to the Windows and AIX variants, so the switch application on disk is left unchanged.
    5. Reported to have had no antivirus detections when first submitted to VirusTotal, reflecting the thin security tooling on many Linux payment servers.
  • Obfuscation: The forged responses are well-formed ISO 8583 messages, so to the ATM and to downstream logging they look like legitimate approvals; detection therefore has to rely on reconciliation against the issuer's own records and on host-level process integrity checks rather than on message syntax.

Attack Vectors

The FASTCash Linux variant runs on compromised payment switches within financial institutions, primarily servers running Ubuntu 20.04. A payment switch sits between the ATM and the card issuer's authorization host, routing each withdrawal request outbound and the issuer's response back to the terminal. Once injected into the switch process, the malware watches the returning responses; when the issuer declines a withdrawal for insufficient funds, it rewrites the response into an approval for an amount in the 12,000 to 30,000 Turkish Lira range before it reaches the ATM. The ATM dispenses against this forged approval and accomplices ("money mules") at the machine collect the cash, while the issuer's own records still show a decline. That discrepancy is what a defender can look for.
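The rewrite described in the Overview and in the paragraph above, and the reconciliation check that exposes it, as an added example (not code from the page, the researchers, or the malware). It models a small ISO 8583:1987 subset (MTI 0210 responses, fields 2, 3, 4, 11, 39, 49); the field layout, the STAN/PAN matching key and the sample messages are constructed assumptions, and a real switch uses a larger, network-specific spec.

```python
"""Toy ISO 8583 authorization-response handling (ISO 8583:1987 subset).

Shows (1) the FASTCash-style rewrite the page describes, a '51 insufficient
funds' decline turned into a '00 approved' response for a random 12,000-30,000
TRY amount, and (2) a reconciliation check that catches it by comparing the
issuer's copy of each response with the copy forwarded to the ATM."""
import secrets

# Field layout is a constructed subset; real switches use network-specific specs.
FIELDS = {
    2:  ("LLVAR", 19),   # PAN
    3:  ("FIXED", 6),    # processing code, 01xxxx = cash withdrawal
    4:  ("FIXED", 12),   # amount in minor units (kurus for TRY)
    11: ("FIXED", 6),    # STAN, the per-transaction trace number
    39: ("FIXED", 2),    # response code: 00 approved, 51 insufficient funds
    49: ("FIXED", 3),    # currency code, 949 = TRY
}

def parse(msg: str) -> dict:
    """Split MTI, 64-bit primary bitmap and the modelled data elements."""
    mti, bitmap, body = msg[:4], int(msg[4:20], 16), msg[20:]
    fields, pos = {"MTI": mti}, 0
    for n in range(1, 65):
        if not bitmap & (1 << (64 - n)):
            continue
        kind, length = FIELDS[n]            # KeyError: field this toy does not model
        if kind == "LLVAR":
            length, pos = int(body[pos:pos + 2]), pos + 2
        fields[n], pos = body[pos:pos + length], pos + length
    return fields

def build(mti: str, fields: dict) -> str:
    """Inverse of parse(): MTI + hex bitmap + concatenated data elements."""
    bitmap, body = 0, ""
    for n in sorted(fields):
        kind, length = FIELDS[n]
        value = str(fields[n])
        bitmap |= 1 << (64 - n)
        body += f"{len(value):02d}{value}" if kind == "LLVAR" else value.rjust(length, "0")
    return f"{mti}{bitmap:016X}{body}"

def fastcash_rewrite(response: str) -> str:
    """The manipulation the page attributes to FASTCash: a 0210 response with
    response code 51 becomes an approval for a random 12,000-30,000 TRY amount."""
    f = parse(response)
    if f["MTI"] != "0210" or f.get(39) != "51":
        return response                       # only insufficient-funds declines are touched
    lira = 12_000 + secrets.randbelow(18_001)
    f.update({39: "00", 4: f"{lira * 100:012d}", 49: "949"})
    return build("0210", {k: v for k, v in f.items() if k != "MTI"})

def reconcile(issuer_copies, forwarded_copies) -> list:
    """Match each forwarded response to the issuer's copy by (STAN, PAN) and
    report any that changed from a decline to an approval or changed amount."""
    issued = {(m[11], m[2]): m for m in map(parse, issuer_copies)}
    alerts = []
    for raw in forwarded_copies:
        f = parse(raw)
        orig = issued.get((f[11], f[2]))
        if orig is None:
            alerts.append((f[11], "no matching issuer response"))
        elif orig[39] != "00" and f[39] == "00":
            alerts.append((f[11], f"decline {orig[39]} forwarded as approval, "
                                  f"amount {int(f[4]) / 100:.2f} cur {f[49]}"))
        elif (orig[4], orig[49]) != (f[4], f[49]):
            alerts.append((f[11], f"amount changed {orig[4]} -> {f[4]}"))
    return alerts

# Constructed sample: the issuer declines a 500.00 TRY withdrawal (code 51).
ISSUER_DECLINE = build("0210", {2: "4111111111111111", 3: "010000",
                                4: "000000050000", 11: "000123", 39: "51", 49: "949"})

if __name__ == "__main__":
    forged = fastcash_rewrite(ISSUER_DECLINE)
    print("issuer   :", parse(ISSUER_DECLINE))
    print("forwarded:", parse(forged))
    for stan, why in reconcile([ISSUER_DECLINE], [forged]):
        print(f"ALERT STAN {stan}: {why}")
```

The point of `reconcile()` is that the forged message is syntactically valid, so nothing on the ATM side can tell it apart; only a second copy of the response taken from the issuer's side of the switch (its authorization log, or a network tap upstream of the switch) gives you something to compare against.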

The malware’s ability to bypass transaction authorizations, combined with its cross-platform capabilities, makes it an evolving and dangerous threat.

Known Indicators of Compromise (IoCs)

FileHash-MD5

  • 03e6496b8a0187d0265b64612ec85291
  • 14d72896e174c0601d5d9ee4a5976ea5
  • 46b318bbb72ee68c9d9183d78e79fb5a
  • 4ce9d999e0656fafab9d53e4a6b306a3
  • 518acee0cc61041709e9ebb38169bea0
  • 7bae539b25bed652540a4792d32c7909
  • a97920557623296123d961f72e164513
  • ac057094659b056c68360eb6665e4ace
  • c4141ee8e9594511f528862519480d36
  • d1bb81f507a697548e1acbce814904de
  • d790997dd950bb39229dc5bd3c2047ff
  • fce3eda41abb6ab5b043164e44e95302

FileHash-SHA1

  • 206f602a3d571b4706a62a1b316ebd5b78d1706b
  • 2b22d9c673d031dfd07986906184e1d31908cea1
  • 301bafbbf49f8b5ad56c11cbd1d548fde9027445
  • 3ce053389d2bd4f8e04f4bbbbed224d8a544b245
  • 43c7b96e6c047015f66f2e3e591b94428eaf361a
  • 5375ad3746ce42a6f262f55c4f1f0d273fb69c54
  • 7e6407c28c55475aa81853fac984267058627877
  • 83415069e4b62f0795144911f31f55ead3af670a
  • 8e95a90f7dcc5f27006e64864b37abcc29562b67
  • 9f487df6c84dd794bafa3fa4173888e07af3fb60
  • bccf365476b9037ca851625934b7c7363c6979f6
  • cdeefb46b4d8a58af99a429c8d6b5db575533cc5

FileHash-SHA256

  • 078f284536420db1022475dc650327a6fd46ec0ac068fe07f2e2f925a924db49
  • 10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba
  • 129b8825eaf61dcc2321aad7b84632233fa4bbc7e24bdf123b507157353930f0
  • 2611f784e3e7f4cf16240a112c74b5bcd1a04067eff722390f5560ae95d86361
  • 3a5ba44f140821849de2d82d5a137c3bb5a736130dddb86b296d94e6b421594c
  • 5232d942da0a86ff4a7ff29a9affbb5bd531a5393aa5b81b61fe3044c72c1c00
  • 609a5b9c98ec40f93567fbc298d4c3b2f9114808dfbe42eb4939f0c5d1d63d44
  • 7f3d046b2c5d8c008164408a24cac7e820467ff0dd9764e1d6ac4e70623a1071
  • afff4d4deb46a01716a4a3eb7f80da58e027075178b9aa438e12ea24eedea4b0
  • c3904f5e36d7f45d99276c53fed5e4dde849981c2619eaa4dbbac66a38181cbe
  • f34b532117b3431387f11e3d92dc9ff417ec5dcee38a0175d39e323e5fdb1d2c
  • f43d4e7e2ab1054d46e2a93ce37d03aff3a85e0dff2dd7677f4f7fb9abe1abc8


Mitigation and Prevention

  • User Awareness: Train the staff who administer payment infrastructure to recognise phishing and the signs of a compromised host; the switch is reached through the institution's network first.
  • Endpoint Protection: Put EDR with real Linux coverage on payment switch servers (Ubuntu included), and alert on ptrace attaches to the switch process, on shared objects loaded from writable directories such as /tmp, and on unexpected libraries mapped into the switch process (visible in /proc/<pid>/maps).
  • Email Filtering: Filter phishing aimed at the people and mailboxes that can reach the payment network.
  • Antivirus Protection: Deploy anti-malware that actually scans Linux hosts, and sweep switch servers for the file hashes listed above.
  • Two-Factor Authentication (2FA): Enforce 2FA for every administrative login to systems that route or authorize payment transactions.
  • Regular Software Updates: Keep the operating system and switch software patched, and restrict who can deploy new binaries or libraries to the switch.
  • Monitor Logs: Reconcile the issuer's authorization log against the responses the switch forwarded to ATMs; any transaction the issuer declined (response code 51, insufficient funds) that an ATM dispensed against, or an approved amount that does not match the request, is the signature of this attack.
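A host-level check that supports the Endpoint Protection and Antivirus items above, as an added example (not code from the page or from any vendor tool): it lists the shared objects mapped into a process from /proc/&lt;pid&gt;/maps, flags any that the package manager does not own or that load from outside the expected library directories, and, in a live scan, hashes them against the SHA-256 IoCs listed on this page. The sample maps content, the fictional `/opt/switch/bin/switchd` daemon, the `TRUSTED_PREFIXES` layout and the stand-in `SAMPLE_OWNED` set are constructed assumptions; `dpkg -S` is a real Debian/Ubuntu command.

```python
"""Hunt for an injected shared object on a Linux payment switch host.

Lists every shared object mapped into a process (from /proc/<pid>/maps),
flags those the package manager does not own or that load from an unusual
directory, and compares their SHA-256 against the page's IoC list."""
import hashlib
import re
import subprocess
from pathlib import Path

# Two SHA-256 values from the IoC list above; load the full list in production.
FASTCASH_SHA256 = {
    "078f284536420db1022475dc650327a6fd46ec0ac068fe07f2e2f925a924db49",
    "10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba",
}
TRUSTED_PREFIXES = ("/lib", "/usr/lib", "/opt/switch")   # assumed install layout

# Columns of /proc/<pid>/maps: address perms offset dev inode pathname
MAPS_LINE = re.compile(r"^\S+\s+(\S{4})\s+\S+\s+\S+\s+\d+\s+(/\S.*)$")

def mapped_objects(maps_text: str) -> dict:
    """{path: set(perms)} for every file-backed mapping whose name contains '.so'."""
    objs = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and ".so" in Path(m.group(2)).name:
            objs.setdefault(m.group(2), set()).add(m.group(1))
    return objs

def suspicious_objects(maps_text: str, package_owned: set) -> list:
    """Return [(path, [reasons])] for mapped objects that deserve a look."""
    findings = []
    for path, perms in mapped_objects(maps_text).items():
        reasons = []
        if path not in package_owned:
            reasons.append("not owned by an installed package")
        if not path.startswith(TRUSTED_PREFIXES):
            reasons.append("loaded from outside trusted library directories")
        if reasons and any("x" in p for p in perms):
            reasons.append("mapped executable")
        if reasons:
            findings.append((path, reasons))
    return findings

def dpkg_owned(path: str) -> bool:
    """Live check on Debian/Ubuntu: `dpkg -S <path>` exits 0 when a package owns the file."""
    return subprocess.run(["dpkg", "-S", path], capture_output=True).returncode == 0

def scan_process(pid: int) -> list:
    """Live scan of one process (root is needed for other users' processes)."""
    maps = Path(f"/proc/{pid}/maps").read_text()
    owned = {p for p in mapped_objects(maps) if dpkg_owned(p)}
    results = []
    for path, reasons in suspicious_objects(maps, owned):
        digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
        if digest in FASTCASH_SHA256:
            reasons.append("SHA-256 matches a FASTCash IoC")
        results.append((path, digest, reasons))
    return results

# Constructed sample of /proc/<pid>/maps for a fictional switch daemon, with the
# page's reported filename libMyFc.so injected from /tmp.
SAMPLE_MAPS = """\
55e1c0a00000-55e1c0a2c000 r--p 00000000 fd:01 1311 /opt/switch/bin/switchd
7f3a1c200000-7f3a1c222000 r--p 00000000 fd:01 786 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c222000-7f3a1c39a000 r-xp 00022000 fd:01 786 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c600000-7f3a1c612000 r-xp 00000000 fd:01 9921 /tmp/libMyFc.so
7f3a1c800000-7f3a1c802000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_OWNED = {"/usr/lib/x86_64-linux-gnu/libc.so.6"}   # stand-in for dpkg -S results

if __name__ == "__main__":
    for path, reasons in suspicious_objects(SAMPLE_MAPS, SAMPLE_OWNED):
        print(path, "->", "; ".join(reasons))
```

Run `scan_process(pid)` against the switch daemon on a schedule and on every ptrace alert; because the injected object can be deleted from disk after it is mapped, treat a path that no longer exists (or that /proc/&lt;pid&gt;/maps shows as "(deleted)") as a finding in its own right rather than as noise.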

Podcast Discussion

Tune in to our latest podcast episode, where we analyze the cross-platform capabilities of the FASTCash malware, the evolving tactics of North Korean hackers, and what steps financial institutions can take to protect themselves from this significant threat.


Conclusion

The emergence of a Linux variant of FASTCash is a concerning development in the ongoing financially motivated campaigns by North Korean-linked hacking groups. By exploiting payment switches and manipulating transaction messages, this malware enables large-scale ATM fraud on a global level. The fact that it can bypass traditional detection mechanisms, especially within Linux environments, underscores the need for financial institutions to bolster their cybersecurity defenses.

Sources

AlienVault: New Linux Malware Targeting ATMs for Financial Fraud
BleepingComputer: New FASTCash malware Linux variant helps steal money from ATMs
The Hacker News: New Linux Variant of FASTCash Malware Targets Payment Switches in ATM Heists