
FASTCash

Linux


Newly Discovered Linux Variant of FASTCash Malware Targets ATMs

North Korean hackers deploy a new Linux FASTCash malware variant enabling unauthorized ATM cash withdrawals from financial institutions...

16-Oct-2024
5 min read

A newly identified Linux variant of the notorious FASTCash malware has been discovered, expanding the attack surface of North Korean hackers targeting financial institutions.

Previously known to compromise IBM AIX and Microsoft Windows systems, this malware now poses a threat to Linux-based payment switch servers, enabling unauthorized cash withdrawals from ATMs.

This development underscores the evolving tactics of threat actors like Hidden Cobra (also known as APT38 or Lazarus Group) and highlights the urgent need for robust security measures in the financial sector.

Background

Evolution of FASTCash Malware

The term FASTCash refers to a malware family attributed to North Korean hackers, designed to infiltrate payment switch systems within compromised networks. Since at least 2016, FASTCash has facilitated unauthorized ATM cash-outs by manipulating transaction messages, resulting in the theft of tens of millions of dollars per incident across multiple countries.

2018: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) first warned about FASTCash, linking it to Hidden Cobra.

2019: The first Windows variant surfaced, expanding the malware's reach beyond IBM AIX systems.

2020: CISA updated its advisory to include the Windows variant, noting significant developments in the malware's capabilities.

2021: Indictments were announced for three North Koreans involved in these schemes, responsible for over $1.3 billion in theft.

Technical Analysis of the Linux Variant

Compilation & Deployment

The newly discovered Linux variant was compiled for Ubuntu Linux 20.04 using GCC 11.3.0. Analysis suggests that the malware was developed after April 21, 2022, likely within a VMware virtual machine environment.

The use of Ubuntu indicates a shift, as traditional payment switch systems often run on proprietary UNIX systems or Windows.

Similarities to Previous Variants

The Linux variant shares operational similarities with its Windows and AIX predecessors:

Currency Manipulation: Both the Linux and Windows variants operate in Turkish Lira (TRY), while the AIX variant used Indian Rupee (INR).

ISO8583 Message Manipulation: The malware intercepts and manipulates ISO8583 messages, the standard for financial transaction card-originated messages.

Approval of Declined Transactions: It authorizes previously declined transactions by injecting fraudulent response messages before they reach the acquirer.

Intercepting Transaction Messages

Payment Switch Systems

Payment switches act as intermediaries, routing transaction messages between ATMs/POS terminals and financial institutions. By compromising these systems, the malware can manipulate transaction data undetected.

ISO8583 Protocol Exploitation

The malware hooks into the recv function of network processes to intercept ISO8583 messages, specifically targeting:

Message Type Indicators (MTIs): Focuses on authorization requests (1xx) and financial transactions (2xx).

Data Elements (DEs): Manipulates fields such as DE2 (Primary Account Number), DE3 (Processing Code), DE4 (Transaction Amount), DE49 (Transaction Currency Code), and DE54 (Additional Amounts).

[Figure: FASTCash Operational Flow (Source: doubleagent.net)]

Process Injection Techniques

Using the ptrace system call, the malware injects itself into running processes on the payment switch server. It employs a shared library (libMyFc.so) to hook network functions, allowing it to monitor and alter transaction messages in real time.
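Both behaviours described above leave traces in /proc that a defender can check: an active ptrace attach shows up as a non-zero TracerPid in /proc/&lt;pid&gt;/status, and a shared library loaded from an unexpected location shows up in /proc/&lt;pid&gt;/maps. The following checker is an added example, not code from the article or from the researchers it cites; the trusted library directories, the process name and the /tmp path in the constructed sample are assumptions for illustration.

```python
import os
import re

# Expected shared-library locations on an Ubuntu host (assumed baseline; adjust per build).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/local/lib/")

def suspicious_libs(maps_text):
    """Mapped .so files outside the trusted directories, e.g. a library injected from /tmp."""
    rows = (line.split(maxsplit=5) for line in maps_text.splitlines())
    paths = {row[5] for row in rows if len(row) == 6}
    return sorted(p for p in paths if ".so" in p and not p.startswith(TRUSTED_LIB_DIRS))

def tracer_pid(status_text):
    """TracerPid from /proc/<pid>/status; non-zero only while a ptrace attach is active."""
    m = re.search(r"^TracerPid:\s*(\d+)", status_text, re.M)
    return int(m.group(1)) if m else 0

def assess(status_text, maps_text):
    """Combine both signals into a list of findings for one process."""
    findings = [f"traced by pid {tracer_pid(status_text)}"] if tracer_pid(status_text) else []
    findings += [f"unexpected library {lib}" for lib in suspicious_libs(maps_text)]
    return findings

def scan_proc():
    """Live check: walk /proc and return {pid: findings} for processes worth a look."""
    report = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/status") as s, open(f"/proc/{pid}/maps") as m:
                findings = assess(s.read(), m.read())
        except OSError:  # process exited, or not readable without root
            continue
        if findings:
            report[int(pid)] = findings
    return report

# Constructed sample of a hooked switch process; the process name and /tmp path are illustrative.
SAMPLE_STATUS = "Name:\tswitchd\nState:\tS (sleeping)\nTracerPid:\t4242\n"
SAMPLE_MAPS = """\
7f1a00000000-7f1a00020000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1a00100000-7f1a00110000 r-xp 00000000 08:01 5678 /tmp/.x/libMyFc.so
7f1a00200000-7f1a00201000 rw-p 00000000 00:00 0
"""

if __name__ == "__main__":
    print(assess(SAMPLE_STATUS, SAMPLE_MAPS))
    print(scan_proc())
```

Because the injector detaches once the library is loaded, TracerPid catches only an attach in progress; the maps check is the one that keeps working afterwards, so run it periodically against the switch processes.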

Fraudulent Transaction Approval

Upon intercepting a declined transaction due to insufficient funds (Processing Code 51), the malware:

  1. Generates a Random Amount: Between 12,000 and 30,000 TRY (~$350 to $875).

  2. Modifies Response Codes: Sets DE38 (Approval Code) and DE39 (Action Code) to indicate approval.

  3. Adjusts Data Elements: Removes specific DEs related to security and authentication to avoid detection.

  4. Sends Manipulated Response: Forwards the fraudulent approval to the bank's central systems, enabling unauthorized cash withdrawals.

Indicators of Compromise (IoCs)

The following SHA-256 hashes are associated with the Linux variant:

f34b532117b3431387f11e3d92dc9ff417ec5dcee38a0175d39e323e5fdb1d2c

7f3d046b2c5d8c008164408a24cac7e820467ff0dd9764e1d6ac4e70623a1071 (UPX packed)

Impact and Implications

Expanded Attack Surface

The discovery of a Linux variant indicates that North Korean hackers are broadening their targets to include a wider range of operating systems. This expansion poses significant risks to financial institutions that may rely on Linux-based systems for payment processing.

Financial and Reputational Damage

Unauthorized cash withdrawals facilitated by FASTCash can lead to substantial financial losses and damage the reputation of affected institutions. The malware's ability to evade detection exacerbates these risks.

Challenges in Detection

As of its discovery, the Linux variant had zero detections on VirusTotal, highlighting the difficulty traditional security tools face in identifying such threats.

Detection and Prevention

Implementing Robust Security Measures

Financial institutions should adhere to CISA's recommendations:

Message Authentication Codes: Require and verify MACs on issuer financial request and response messages.

Chip and PIN Requirements: Implement chip and PIN authentication for debit and credit cards.

Cryptogram Validation: Perform authorization response cryptogram validation for chip and PIN transactions.
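The MAC recommendation is what defeats the response rewriting described under Fraudulent Transaction Approval: if the issuer MACs its response and the receiving side verifies it, changing DE4, DE38 or DE39 in transit invalidates the message. The code below is an added example, not the article's or any vendor's code; it uses a simplified ISO8583 layout (MTI, 64-bit primary bitmap, only the data elements the article names, MAC in DE64), a constructed demo key, and a constructed declined response.

```python
import hashlib
import hmac
MAC_KEY = b"demo-issuer-mac-key"  # constructed for this example; real keys live in an HSM

# Minimal layout for the DEs the article names: 'n' fixed numeric, 'll' 2-digit length prefix.
LAYOUT = {2: ("ll", 19), 3: ("n", 6), 4: ("n", 12), 38: ("n", 6),
          39: ("n", 2), 49: ("n", 3), 64: ("n", 16)}

def pack(mti, fields):
    """Serialise MTI + 16-hex-digit primary bitmap + fields in DE order."""
    bitmap, body = 0, ""
    for de in sorted(fields):
        kind, length = LAYOUT[de]
        value = str(fields[de])
        body += value.zfill(length) if kind == "n" else f"{len(value):02d}{value}"
        bitmap |= 1 << (64 - de)
    return f"{mti}{bitmap:016X}{body}"

def parse(msg):
    """Inverse of pack(): returns (mti, {de: value})."""
    mti, bitmap, pos, fields = msg[:4], int(msg[4:20], 16), 20, {}
    for de in range(2, 65):
        if not bitmap & (1 << (64 - de)):
            continue
        kind, length = LAYOUT[de]
        if kind == "ll":
            length, pos = int(msg[pos:pos + 2]), pos + 2
        fields[de], pos = msg[pos:pos + length], pos + length
    return mti, fields

def mac(mti, fields):
    """Truncated HMAC-SHA256 over MTI, bitmap and every DE except DE64 itself."""
    body = pack(mti, {de: v for de, v in fields.items() if de != 64}).encode()
    return hmac.new(MAC_KEY, body, hashlib.sha256).hexdigest()[:16].upper()

def sign(mti, fields):
    """Issuer side: place the MAC in DE64 before the response leaves the issuer."""
    return pack(mti, {**fields, 64: mac(mti, fields)})

def verify(msg):
    """Receiving side: any in-transit edit to DE4, DE38, DE39, ... breaks the MAC."""
    mti, fields = parse(msg)
    return 64 in fields and hmac.compare_digest(mac(mti, fields), fields[64])

def tamper_demo():
    """Constructed decline (DE39=51) vs. the same message rewritten as an approval."""
    genuine = sign("0210", {2: "4111111111111111", 3: "010000", 4: "5000", 39: "51", 49: "949"})
    mti, fields = parse(genuine)
    fields.update({4: "2500000", 38: "123456", 39: "00"})  # the edits the article describes
    return verify(genuine), verify(pack(mti, fields))
```

tamper_demo() returns (True, False): the genuine decline verifies, the rewritten approval does not, which is the check the switch's downstream systems need to enforce for the manipulation to be rejected rather than paid out.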