FASTCash: New Linux Malware Targets ATMs to Steal Millions

Cybercriminals have upped their game, targeting ATMs with a new Linux-based malware named FASTCash. This sophisticated software is designed to exploit vulnerabilities in both hardware and software, allowing hackers to siphon money directly from machines. As the threat landscape evolves, financial institutions must stay vigilant to protect their assets.

What is FASTCash Malware?

FASTCash is a type of “payment switch malware” specifically crafted to infiltrate Linux-based ATM payment infrastructure. Discovered by HaxRob from DoubleAgent, this malware manipulates financial transactions so that cash is dispensed fraudulently. Unlike previous variants that targeted IBM AIX and Windows systems, FASTCash now poses a significant threat to Linux-powered ATM networks.

The malware operates by intercepting ISO8583 transaction messages. It focuses on declined magnetic swipe transactions and authorizes them with random amounts in Turkish Lira. By altering individual transaction data elements, FASTCash bypasses the checks that would normally reject the transaction, making unauthorized withdrawals possible.

Technical Insights into FASTCash

FASTCash is built using C++ and compiled with GCC 11.3.0 on Ubuntu 22.04. It leverages the ptrace system call for process injection and uses the subhook library to intercept the recv() function of the targeted process. Here’s a closer look at its functionality:

Target OS: Linux (Ubuntu 20.04); previously IBM AIX and Windows
Transaction Manipulation: Alters ISO8583 messages to approve transactions with random amounts (TRY)
Data Elements Modified: Removes PIN-related fields (DE52, DE53); targets specific MTIs (100/110, 200/210)
Encryption: Uses AES128 CBC to decrypt configuration files containing target PANs
Network Interception: Parses ISO8583 messages using the Oscar-ISO8583 library

This combination of process injection, in-memory interception of network traffic and an encrypted target list allows FASTCash to manipulate financial transactions without touching the switch’s own code on disk, making it a formidable threat to ATM security.
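One defensive control that follows from the fields listed above is to capture each ISO8583 message on both sides of the payment switch host and reconcile the two copies, so that stripped PIN fields, rewritten amounts or currencies, and declines turned into approvals show up as alerts. The following is an added example written for this article, not code from the original post or from the researchers; it assumes the messages have already been parsed into dictionaries keyed by data element number (a simplification standing in for a real bitmap parser), that DE4 and DE49 are echoed in responses, and all sample messages are constructed.

```python
"""Added example (not from the original post): reconcile ISO8583 messages as
captured before and after a payment switch host, to surface the tampering this
article describes: stripped DE52/DE53, amounts rewritten in TRY, declines turned
into approvals. Messages are simplified to dicts {data element: value}; a real
monitor would decode MTI and bitmap first. Sample messages are constructed."""
from typing import Dict, List

PAN, AMOUNT, RESPONSE_CODE, CURRENCY = 2, 4, 39, 49   # standard ISO8583 DEs
PIN_DATA, SECURITY_CONTROL = 52, 53                    # fields the malware strips
TRY_CODE = "949"   # ISO 4217 numeric code for Turkish Lira
APPROVED = "00"    # DE39 approval
Msg = Dict[int, str]

def reconcile(mti: str, ingress: Msg, egress: Msg) -> List[str]:
    """Compare one message entering the switch host (ingress) with the same
    message leaving it (egress). Returns findings; an empty list means clean."""
    findings: List[str] = []
    if ingress.get(PAN) != egress.get(PAN):
        findings.append(f"MTI {mti}: PAN changed in transit")
    # Requests (xx00): PIN block / security control fields removed in transit
    if mti.endswith("00"):
        for de in (PIN_DATA, SECURITY_CONTROL):
            if de in ingress and de not in egress:
                findings.append(f"MTI {mti}: DE{de} stripped in transit")
    # Responses (xx10): a decline from the issuer flipped to an approval
    if mti.endswith("10"):
        before, after = ingress.get(RESPONSE_CODE), egress.get(RESPONSE_CODE)
        if before != APPROVED and after == APPROVED:
            findings.append(f"MTI {mti}: decline {before} rewritten as approval")
    # Any message: amount or currency rewritten (assumes DE4/DE49 are echoed)
    for de, name in ((AMOUNT, "amount"), (CURRENCY, "currency")):
        old, new = ingress.get(de), egress.get(de)
        if old != new:
            tag = " (TRY)" if de == CURRENCY and new == TRY_CODE else ""
            findings.append(f"MTI {mti}: {name} changed {old} -> {new}{tag}")
    return findings

if __name__ == "__main__":
    # Constructed 0200 request: swipe with PIN block, 50.00 USD (DE49=840)
    req_in = {2: "4111111111111111", 4: "000000005000", 49: "840",
              52: "A1B2C3D4E5F60718", 53: "2001000000000000"}
    req_out = {2: "4111111111111111", 4: "000000005000", 49: "840"}
    # Constructed 0210 response: issuer declined (05); switch emits approval in TRY
    resp_in = {2: "4111111111111111", 4: "000000005000", 39: "05", 49: "840"}
    resp_out = {2: "4111111111111111", 4: "000001234500", 39: "00", 49: "949"}
    for mti, a, b in (("0200", req_in, req_out), ("0210", resp_in, resp_out)):
        for finding in reconcile(mti, a, b):
            print("ALERT", finding)
```

Because the hook lives inside the switch process, the two copies must come from outside it (a network tap or the upstream and downstream peers), not from the host’s own logging.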

Who’s Behind FASTCash?

Researchers believe FASTCash is linked to several notorious hacking groups, including Lazarus, APT38, Bluenoroff, and Stardust Chollima. These groups are often associated with North Korean threat actors, suggesting a high level of sophistication and resources behind FASTCash’s development. The convergence of these groups’ expertise has likely contributed to the malware’s advanced capabilities.

The malware’s ability to target multiple operating systems and its specific focus on financial transaction manipulation indicate a strategic effort to disrupt banking infrastructure on a global scale. Financial institutions worldwide must be prepared to counteract such threats by hardening their payment switch hosts and monitoring transaction traffic for the kinds of anomalies described above.
