Recent Linux Version of FASTCash Malware Targets Payment Switches in ATM Heists
North Korean threat actors have been using a Linux variant of the well-known FASTCash malware to steal funds as part of a financially motivated campaign.
The malware is “established on payment switches within compromised networks that oversee card transactions to aid in the unsanctioned removal of money from ATMs,” security researcher HaxRob said.
First documented by the U.S. government in October 2018, FASTCash was said to be used by adversaries affiliated with North Korea as part of an ATM cashout scheme targeting banks in Africa and Asia since at least late 2016.
“FASTCash schemes remotely infiltrate payment switch application servers within banks to facilitate deceitful transactions,” the authorities said at the time.
“In a particular occurrence in 2017, HIDDEN COBRA actors granted authorization for money to be concurrently extracted from ATMs located in over 30 different countries. In another occurrence in 2018, HIDDEN COBRA actors enabled money to be simultaneously removed from ATMs in 23 different countries.”
While previous FASTCash artifacts have been found on systems running Microsoft Windows (including one spotted as recently as last month) and IBM AIX, the latest findings show that samples built to compromise Linux systems were first uploaded to VirusTotal in mid-June 2023.
The malware takes the form of a shared object (“libMyFc.so”) built for Ubuntu Linux 20.04. It is designed to intercept and modify the ISO 8583 transaction messages used for debit and credit card processing in order to initiate unauthorized cash withdrawals.
Specifically, it manipulates transaction messages that were declined (magnetic-stripe transactions) due to insufficient funds, for a predefined list of cardholder account numbers, and authorizes them to withdraw a random amount of funds in Turkish Lira.
The amount taken per fraudulent transaction ranges from 12,000 to 30,000 Lira ($350 to $875), mirroring a Windows FASTCash artifact (“switch.dll”) previously detailed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in September 2020.
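The tampering described above leaves a detectable trace: the response code the switch received from the issuer no longer matches the one it forwards toward the ATM. The following is an added example (not code from the article or from HaxRob's analysis) of detection logic a switch operator could run over ISO 8583 authorization responses captured at two taps, before and after the switch. It assumes a constructed, simplified dict-of-data-elements representation (bitmap decoding already done) and uses a constructed sample with a well-known test PAN.

```python
import hashlib

# Constructed, simplified view of ISO 8583: each message is a dict keyed by
# data element (DE) number. Real traffic is bitmap-encoded and would need
# decoding first (assumption: that step has already happened).
MAGSTRIPE_ENTRY_MODES = {"02", "90"}   # DE 22 prefixes for magnetic-stripe reads
TRY_CURRENCY = "949"                   # DE 49: Turkish Lira, ISO 4217 numeric code
SUSPECT_RANGE = (1_200_000, 3_000_000) # 12,000-30,000 TRY in minor units (kurus)

def _pair_key(msg):
    # Match copies of one response by STAN (DE 11), terminal id (DE 41) and a
    # truncated PAN hash; raw PANs never go into an alert or a log.
    pan_hash = hashlib.sha256(msg["2"].encode()).hexdigest()[:16]
    return (msg["11"], msg["41"], pan_hash)

def find_tampered_responses(issuer_tap, atm_tap):
    """Alert on 0210 responses whose DE 39 (response code) differs between the
    copy received from the issuer host and the copy forwarded toward the ATM."""
    issuer = {_pair_key(m): m for m in issuer_tap if m.get("0") == "0210"}
    alerts = []
    for fwd in atm_tap:
        orig = issuer.get(_pair_key(fwd))
        if orig is None or orig["39"] == fwd["39"]:
            continue
        amount = int(fwd.get("4", "0"))
        alerts.append({
            "stan": fwd["11"], "terminal": fwd["41"],
            "pan_hash": _pair_key(fwd)[2],
            "original_rc": orig["39"], "forwarded_rc": fwd["39"],
            "magstripe": fwd.get("22", "")[:2] in MAGSTRIPE_ENTRY_MODES,
            "try_in_range": fwd.get("49") == TRY_CURRENCY
                            and SUSPECT_RANGE[0] <= amount <= SUSPECT_RANGE[1],
        })
    return alerts

# Constructed sample: one genuine decline ("51" = insufficient funds) that leaves
# the switch as an approval with a new amount, plus one untouched response.
ISSUER_TAP = [
    {"0": "0210", "2": "4111111111111111", "4": "000000150000", "11": "000123",
     "22": "021", "39": "51", "41": "ATM00042", "49": "949"},
    {"0": "0210", "2": "4111111111111111", "4": "000000005000", "11": "000124",
     "22": "051", "39": "00", "41": "ATM00042", "49": "949"},
]
ATM_TAP = [
    {"0": "0210", "2": "4111111111111111", "4": "000002000000", "11": "000123",
     "22": "021", "39": "00", "41": "ATM00042", "49": "949"},
    ISSUER_TAP[1],
]

if __name__ == "__main__":
    for alert in find_tampered_responses(ISSUER_TAP, ATM_TAP):
        print(alert)
```

The two flags in each alert (magstripe entry mode, Turkish Lira amount in the 12,000 to 30,000 range) let an analyst prioritise hits that match the pattern reported for this sample.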
“[The] identification of the Linux version further accentuates the necessity for ample detection capabilities which are frequently absent in Linux server environments,” the researcher said.