How safe are our ATMs here?Anew variant of the FASTCash malware, previously known to target Windows and AIX systems, has now been identified targeting Linux-based payment switches.

FASTCash, first documented by U.S. CISA in 2018, has been linked to a series of ATM cashout schemes targeting banks in Africa and Asia since at least 2016, and has been developed by the notorious North Korean state-backed hacking group known as Lazarus (aka Hidden Cobra).

The malware operates by compromising payment switch servers, which are crucial components of a bank’s infrastructure responsible for processing card transactions. These systems handle the flow of transaction data between acquirers (the banks that enable merchants to accept payments), issuers (the banks that provide cards), and card networks like Visa and Mastercard. By targeting these payment switch servers, the malware disrupts the entire transaction process, making financial institutions vulnerable to fraud.

FASTCash for Linux uses Ubuntu Linux 22.04 (Focal Fossa), C++ programming language, AES-128 CBC encryption, and a hardcoded key to protect the configuration file.

A researcher, using the handle HaxRob, discovered two new samples of FASTCash for Linux switches in June 2023, one compiled for Ubuntu Linux 20.04 and likely developed after April 21, 2022, and the other likely not used. As of Sunday, only four anti-malware engines detected each sample.

HaxRob explains that the malware is present in the userspace of an interbank switch. When a compromised card is used for fraudulent translation, FASTCash manipulates messages received from issuers, causing transaction messages for denies to be converted to approvals.

The Linux variant of FASTCash is disguised as a shared object file named “libMyFc.so.” It specifically targets ISO 8583 messages – the standard format for communication within payment networks, intercepting declined transaction messages, typically triggered by insufficient funds, for a predetermined list of cardholder accounts. 

It then manipulates these messages, authorizing them for a random withdrawal amount in Turkish Lira, ranging from 12,000 to 30,000 Lira ($350 to $875). This modus operandi mirrors a Windows variant of FASTCash identified by the Cybersecurity and Infrastructure Security Agency (CISA) in September 2020.

For targeted transactions, the malware modifies the authorization response message by:

• Removing specific data elements to avoid detection.
• Overwriting the processing code to indicate approval.
• Adding a random amount of Turkish Lira to the transaction amount.

Attack flow chart

This expansion highlights the increasing sophistication and persistence of North Korean cyberattacks aimed at financial institutions and the need for enhanced security measures in payment switch systems.

Organizations should implement robust detection capabilities, regularly update software, configure security controls, patch and update systems, implement strong network security, conduct regular audits, and educate staff on phishing and social engineering risks to stay protected.