New FASTCash malware Linux variant helps steal money from ATMs
North Korean hackers are using a new Linux variant of the FASTCash malware to infect the payment switch systems of financial institutions and perform unauthorized cash withdrawals.
Previous variants of FASTCash targeted Windows and IBM AIX (Unix) systems, but a new report by security researcher HaxRob reveals a previously undetected Linux version that targets Ubuntu 22.04 LTS distributions.
Money-stealing history
CISA first warned about the FASTCash ATM cash-out scheme in December 2018, attributing the activity to the state-backed North Korean hacking group known as ‘Hidden Cobra.’
According to the agency’s investigations, the threat actors have been using FASTCash in operations since at least 2016, stealing tens of millions of dollars per incident in simultaneous ATM withdrawal attacks in 30 countries or more.
In 2020, the U.S. Cyber Command highlighted the threat once again, linking the revived FASTCash 2.0 activity to APT38 (Lazarus).
A year later, indictments were announced for three North Koreans allegedly involved in these schemes, responsible for the theft of over $1.3 billion from financial institutes worldwide.
Cashing out from Linux
The newest variant spotted by HaxRob was first submitted to VirusTotal in June 2023 and features extensive operational similarities to previous Windows and AIX variants.
It comes in the form of a shared library that is injected into a running process on a payment switch server with the help of the ‘ptrace’ system call, hooking it into network functions.
These switches are intermediaries handling the communication between ATMs/PoS terminals and the bank’s central systems, routing transaction requests and responses.
The malware intercepts and manipulates ISO8583 transaction messages used in the financial industry for debit and credit card processing.
Specifically, the malware targets messages that concern declines of the transactions due to insufficient funds in the cardholder’s account and replaces the “decline” response with “approve.”
The manipulated message also contains a random amount of money between 12,000 and 30,000 Turkish Lira ($350 – $875) to authorize the requested transaction.
Once the manipulated message is sent back to the bank’s central systems containing the approval codes (DE38, DE39) and the amount (DE54), the bank approves the transaction, and a money mule acting on behalf of the hackers withdraws the cash from an ATM.
As of its discovery, the Linux variant of FASTCash had no detections on VirusTotal, meaning it could evade most standard security tools, allowing the threat actors to perform transactions undeterred.
HaxRob also reports that a new Windows version was submitted on VT in September 2024, indicating that the hackers are actively working on evolving all the pieces of their toolset.