Hackers are increasingly targeting ATMs through various illicit methods. They exploit physical and software vulnerabilities to force machines to dispense cash.
The rise of accessible hacking tools on the dark web has made these attacks easier even for novice threat actors.
HaxRob (@haxrob) from DoubleAgent recently uncovered a new Linux malware variant dubbed “FASTCash,” a “payment switch malware” that specifically targets Linux OS-based ATMs to steal money.
Researchers believe that the group behind it is linked to several other hacking groups, such as Lazarus, Advanced Persistent Threat 38 (APT38), Bluenoroff, and Stardust Chollima.
Technical Analysis
“FASTCash” is malware designed to compromise payment switches in financial networks, and it is attributed to “North Korean” threat actors.
It’s been noted that this malware now targets Linux systems in addition to previously known versions for “IBM AIX” and “Windows.”
The Linux sample, compiled for Ubuntu 20.04, intercepts ISO8583 transaction messages, specifically targeting declined magnetic swipe transactions (identified by the Point of Service Entry Mode in DE22) for predetermined account numbers.
It then authorizes these transactions with random amounts in Turkish Lira (currency code TRY in DE49).
The malware manipulates transaction data elements, including removing the PIN-related fields (DE52 and DE53), and focuses on specific Message Type Indicators (MTIs), such as 100/110 for balance inquiries and 200/210 for financial transactions.
It expects messages to carry a 2-byte length prefix and a 5-byte Transaction Protocol Data Unit (TPDU) header, suggesting it was built for specific payment infrastructure.
While slightly less feature-rich than its Windows counterpart, this Linux variant illustrates the evolving tactics of the threat actors in exploiting weaknesses across operating systems within financial ecosystems, particularly at points where message integrity checks may be bypassed.
CISA’s report on FASTCASH malware for Linux reveals a sophisticated attack on ATM networks. This malware manipulates “ISO8583 financial transaction messages,” specifically targeting “authorization responses.”
It injects “fraudulent Turkish Lira amounts” (12,000 to 30,000 TRY) into these messages, using “ISO4217 currency code 949” in the DE54 field (Additional amounts) and a custom value ‘0387T’ in “DE48” (Additional data, private).
The malware checks for magnetic stripe transactions (DE22) and specific processing codes (DE3) for “balance inquiries” and “withdrawals.”
It shares similarities with a Windows variant but lacks some features like “IP checks.”
This malware is written in “C++” and compiled with “GCC 11.3.0 on Ubuntu 22.04.” It uses “ptrace” for “process injection” and “subhook” to intercept the “recv function.”
The malware decrypts a configuration file (‘/tmp/info.dat’) that contains the “target PANs,” using “AES-128 in CBC mode.”
It intercepts “network packets” by parsing the “ISO8583 messages” using the “Oscar-ISO8583 library,” and then it modifies them to “approve transactions” and “raise balances.”
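As an added illustration (not code from the report, from DoubleAgent or from CISA), the parser below handles the framing the article describes (2-byte length prefix, 5-byte TPDU header, MTI, primary bitmap) and flags, from a monitoring point, the traits named above: the 0387T marker in DE48, a TRY (949) amount in DE54 that disagrees with DE49, and a magnetic-stripe request with the PIN block stripped. The field layouts, the sample TPDU, the magstripe entry-mode prefixes and every sample frame are constructed assumptions for this example.

```python
# Constructed ISO 8583:1987-style layout for the data elements the report names.
# Value = (length-prefix digits, length); 0 prefix digits means fixed width.
FIELDS = {
    3: (0, 6),      # DE3 processing code (31xxxx balance inquiry, 01xxxx withdrawal)
    22: (0, 3),     # DE22 POS entry mode; "02"/"90" prefix = magnetic stripe read
    39: (0, 2),     # DE39 response code; "00" = approved
    48: (3, 999),   # DE48 additional data, private (LLLVAR)
    49: (0, 3),     # DE49 transaction currency; 949 = TRY
    52: (0, 16),    # DE52 PIN block, hex
    54: (3, 120),   # DE54 additional amounts (LLLVAR, 20-char entries)
}
def parse_frame(frame: bytes) -> dict:
    """2-byte big-endian length + 5-byte TPDU + 4-char MTI + 16-hex primary bitmap + DEs."""
    length = int.from_bytes(frame[:2], "big")
    body = frame[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated frame")
    msg = body[5:].decode("ascii")                       # skip the TPDU header
    mti, bitmap, pos, fields = msg[:4], int(msg[4:20], 16), 20, {}
    for de in range(2, 65):                              # primary bitmap only
        if (bitmap >> (64 - de)) & 1:
            w, n = FIELDS[de]                            # KeyError: DE not modelled here
            if w:                                        # LLVAR/LLLVAR: read the length
                n, pos = int(msg[pos:pos + w]), pos + w
            fields[de], pos = msg[pos:pos + n], pos + n
    return {"tpdu": body[:5].hex(), "mti": mti, "fields": fields}

def build_frame(mti: str, fields: dict, tpdu: bytes = b"\x60\x00\x00\x00\x00") -> bytes:
    """Inverse of parse_frame; used here only to construct sample traffic."""
    bitmap, body = 0, ""
    for de, val in sorted(fields.items()):
        bitmap |= 1 << (64 - de)
        w = FIELDS[de][0]
        body += f"{len(val):0{w}d}{val}" if w else val
    payload = tpdu + f"{mti}{bitmap:016X}{body}".encode("ascii")
    return len(payload).to_bytes(2, "big") + payload

def fastcash_indicators(parsed: dict) -> list:
    """Traits the report attributes to FASTCash-handled requests and responses."""
    f, mti, hits = parsed["fields"], parsed["mti"], []
    magstripe = f.get(22, "")[:2] in ("02", "90")
    if mti in ("0100", "0200") and magstripe and 52 not in f:
        hits.append("magstripe request without a PIN block (DE52)")
    if mti in ("0110", "0210"):
        if "0387T" in f.get(48, ""):
            hits.append("DE48 carries the 0387T marker")
        if "949" in f.get(54, "") and f.get(49) != "949":
            hits.append("DE54 carries a TRY (949) amount but DE49 is not TRY")
    return hits
```

A monitor placed between the switch and the issuer can run fastcash_indicators over each parsed frame; a declined response that comes back approved with these traits is the tampering the report describes.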
Indicators of Compromise
SHA-256 hashes