Recent Adaptation of FASTCash Malware for Linux Targets Payment Switches in ATM Heists
Threat actors with ties to North Korea have been using a Linux variant of the FASTCash malware family to steal funds in a financially motivated campaign.
According to security researcher HaxRob, the malware is installed on payment switches, the servers inside a compromised bank network that process card transactions, in order to enable unauthorized cash withdrawals from ATMs.
FASTCash was first documented by the U.S. government in October 2018 as a tool used by North Korea-linked actors to cash out ATMs at banks in Africa and Asia since at least late 2016.
“FASTCash operations involve remotely compromising application servers for payment switches in banks to enable fraudulent transactions,” the agencies said at the time.
“In a specific case in 2017, HIDDEN COBRA operators triggered the withdrawal of cash from ATMs located in more than 30 different nations simultaneously. In another episode in 2018, HIDDEN COBRA actors orchestrated cash withdrawals from ATMs in 23 countries concurrently.”
Earlier FASTCash variants targeted Microsoft Windows (with one Windows sample observed as recently as the previous month) and IBM AIX, but newly identified samples built for Linux were first submitted to VirusTotal in mid-June 2023.
The malware takes the form of a shared object (“libMyFc.so”) built for Ubuntu Linux 20.04. It intercepts and modifies ISO 8583 transaction messages, the format used in debit and credit card processing, so that fraudulent withdrawals are authorized.
Specifically, it watches for magnetic-stripe transactions that were declined for insufficient funds and whose cardholder account number is on a predefined list, and rewrites each such decline into an approval for a random amount in Turkish Lira.
The amount approved per fraudulent transaction ranges from 12,000 to 30,000 Lira ($350 to $875), matching the behavior of a Windows FASTCash artifact (“switch.dll”) that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) described in September 2020.
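The rewrite described above can be shown end to end with a small simulation. This is an added example, not code from the report or from the malware: it models a minimal ISO 8583 subset (the standard data element numbers for PAN, amount, POS entry mode, response code and currency, with response code 51 meaning "insufficient funds" and 00 meaning "approved"), applies a FASTCash-style rewrite to a declined response whose PAN is on a target list, and then runs the check a switch operator could use to catch it: comparing the authorization host's recorded decision with the response that actually left the switch. The target PANs, the exact selection conditions (magnetic-stripe entry modes 02 and 90) and the sample transaction are assumptions constructed for the example.

```python
import random

# ISO 8583 data elements used here (standard assignments)
DE_PAN = 2          # primary account number
DE_AMOUNT = 4       # transaction amount, 12 digits in minor units
DE_POS_ENTRY = 22   # point-of-service entry mode; first two digits = PAN entry mode
DE_RESPONSE = 39    # response code
DE_CURRENCY = 49    # transaction currency code (ISO 4217 numeric)

RC_APPROVED = "00"
RC_INSUFFICIENT_FUNDS = "51"
CURRENCY_TRY = "949"                    # ISO 4217 numeric code for Turkish Lira
MAGSTRIPE_ENTRY_MODES = {"02", "90"}    # magnetic stripe read / full track read (assumed)

# Per-transaction range reported for the Linux sample, in whole lira
MIN_TRY, MAX_TRY = 12_000, 30_000

# Constructed target list for the example; the real list is embedded in the malware
TARGET_PANS = frozenset({"4111111111111111", "5500000000000004"})


def fmt_amount(whole_units: int) -> str:
    """Encode a whole-currency amount as a 12-digit minor-unit DE4 value."""
    return f"{whole_units * 100:012d}"


def parse_amount(de4: str) -> int:
    """Decode a DE4 value back to whole currency units."""
    return int(de4) // 100


def matches_target(resp: dict, targets=TARGET_PANS) -> bool:
    """Assumed selection logic: magstripe entry, declined with RC 51, PAN on the list."""
    return (resp.get(DE_RESPONSE) == RC_INSUFFICIENT_FUNDS
            and resp.get(DE_POS_ENTRY, "")[:2] in MAGSTRIPE_ENTRY_MODES
            and resp.get(DE_PAN) in targets)


def tamper_response(resp: dict, rng=random, targets=TARGET_PANS) -> dict:
    """Simulated FASTCash-style rewrite: decline -> approval for a random TRY amount.
    Non-matching responses pass through untouched."""
    out = dict(resp)
    if not matches_target(resp, targets):
        return out
    out[DE_RESPONSE] = RC_APPROVED
    out[DE_AMOUNT] = fmt_amount(rng.randint(MIN_TRY, MAX_TRY))
    out[DE_CURRENCY] = CURRENCY_TRY
    return out


def detect_tampering(host_decision: dict, on_wire: dict) -> list:
    """Compare the authorization host's decision with the response that left the switch.
    Any divergence in PAN, response code, amount or currency is a finding; a switch
    that can be trusted produces an empty list."""
    checked = [(DE_PAN, "PAN"), (DE_RESPONSE, "response code"),
               (DE_AMOUNT, "amount"), (DE_CURRENCY, "currency")]
    findings = []
    for de, name in checked:
        before, after = host_decision.get(de), on_wire.get(de)
        if before != after:
            findings.append(f"DE{de} ({name}) changed from {before!r} to {after!r}")
    return findings


def demo():
    """Constructed sample: a 500 TRY magstripe withdrawal declined for insufficient funds."""
    declined = {
        DE_PAN: "4111111111111111",
        DE_AMOUNT: fmt_amount(500),
        DE_POS_ENTRY: "021",
        DE_RESPONSE: RC_INSUFFICIENT_FUNDS,
        DE_CURRENCY: CURRENCY_TRY,
    }
    on_wire = tamper_response(declined, random.Random(7))
    return declined, on_wire, detect_tampering(declined, on_wire)


if __name__ == "__main__":
    _, on_wire, findings = demo()
    print("approved amount (TRY):", parse_amount(on_wire[DE_AMOUNT]))
    for finding in findings:
        print(finding)
```

The detection side relies on having a record of the host's decision that the switch process cannot alter, for example the authorization host's own log shipped to a separate collector; comparing the switch's outbound log with itself would catch nothing, since the malware sits in the same process.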
The researcher highlighted, “[The] identification of the Linux variant further underscores the necessity for proficient detection capabilities, often found lacking in Linux server environments.”
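One concrete check that addresses the detection gap the researcher mentions, given that the Linux sample is a shared object: enumerate the libraries mapped into the payment switch process and flag any that live outside the expected library directories or whose backing file has been deleted from disk. This is an added example and not part of the original report; it assumes the malicious shared object is loaded into the switch process, and the directory allowlist, the vendor path `/opt/switch/`, the sample `/proc/<pid>/maps` content and the `/tmp/.x/` location of `libMyFc.so` in that sample are all constructed for illustration.

```python
import re
from pathlib import Path

# Directories where legitimately installed libraries live on Ubuntu 20.04, plus an
# assumed vendor prefix for the switch software. Adjust to the real deployment.
TRUSTED_LIB_DIRS = ("/lib/", "/usr/lib/", "/usr/local/lib/", "/opt/switch/lib/")

# /proc/<pid>/maps columns: address perms offset dev inode [pathname]
_MAPS_RE = re.compile(r"^\S+\s+(\S+)\s+\S+\s+\S+\s+\d+\s+(\S.*)$")

# Constructed sample of /proc/<pid>/maps for a hypothetical switch daemon
SAMPLE_MAPS = """\
55d4a3e00000-55d4a3e2c000 r--p 00000000 fd:01 1234 /opt/switch/bin/switchd
7f1c3a000000-7f1c3a022000 r--p 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1c3a200000-7f1c3a201000 r-xp 00000000 fd:01 9012 /tmp/.x/libMyFc.so
7f1c3a300000-7f1c3a310000 rw-p 00000000 00:00 0
7f1c3a400000-7f1c3a401000 r-xp 00000000 fd:01 3456 /dev/shm/libhook.so (deleted)
7ffd12345000-7ffd12366000 rw-p 00000000 00:00 0 [stack]
"""


def mapped_shared_objects(maps_text: str) -> set:
    """Return the set of shared-object paths mapped into the process."""
    paths = set()
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line)
        if not m:
            continue                      # anonymous mapping, no pathname column
        _perms, path = m.groups()
        if path.startswith("["):
            continue                      # [stack], [heap], [vdso] and friends
        if ".so" in Path(path).name:      # catches libfoo.so and libfoo.so.6
            paths.add(path)
    return paths


def unexpected_shared_objects(maps_text: str, trusted=TRUSTED_LIB_DIRS) -> list:
    """Shared objects loaded from outside the allowlisted directories, or whose backing
    file was unlinked after loading (the kernel appends ' (deleted)' in that case)."""
    findings = []
    for path in mapped_shared_objects(maps_text):
        in_trusted_dir = any(path.startswith(d) for d in trusted)
        if not in_trusted_dir or path.endswith(" (deleted)"):
            findings.append(path)
    return sorted(findings)


def scan_pid(pid: int, trusted=TRUSTED_LIB_DIRS) -> list:
    """Run the check against a live process; requires permission to read its maps."""
    return unexpected_shared_objects(Path(f"/proc/{pid}/maps").read_text(), trusted)


if __name__ == "__main__":
    for finding in unexpected_shared_objects(SAMPLE_MAPS):
        print("unexpected shared object:", finding)
```

Run periodically against the switch daemon's PID (or from an EDR-style agent), and treat any hit as an incident rather than a tuning problem: a legitimate library update does not arrive in `/tmp`, and a mapped `.so` whose file no longer exists is a classic sign that something was loaded and then removed to frustrate disk-based scanning.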