Introduction

The North Korean state-sponsored hacking group [3], Hidden Cobra [1] [3] [5] [7], also known as APT38 or Lazarus [3], has developed a new Linux variant of its FASTCash malware [3] [7] [8]. This variant specifically targets payment switch systems within compromised banking networks running Ubuntu 22.04 LTS distributions. The emergence of this variant highlights the ongoing evolution of cyber threats against financial institutions, necessitating enhanced detection and prevention strategies [6].

Description

North Korean state-sponsored hacking group Hidden Cobra [3], also known as APT38 or Lazarus [3], has developed a Linux variant of its FASTCash malware [2] [3] [7] [8] [9] [10], specifically targeting payment switch systems within compromised banking networks running Ubuntu 22.04 LTS distributions. This new variant [3] [4] [6], identified as “libMyFc.so,” was first detected in mid-June 2023 and marks an evolution of a malware family that previously focused on Windows and IBM AIX systems. Investigations revealed that the group has executed coordinated ATM withdrawal attacks since at least 2016 [7], resulting in losses exceeding $1.3 billion from small and midsize banks across more than 30 countries in Asia and Africa.

The Linux variant facilitates unauthorized ATM withdrawals on an international scale by operating as an injected library within payment switch servers. It intercepts and modifies ISO 8583 transaction messages [2] [7] [10], which carry debit and credit card transactions. By rewriting responses that decline a transaction for insufficient funds into approvals for a predefined list of cardholder account numbers, it enables fraudulent withdrawals ranging from 12,000 to 30,000 Turkish Lira (approximately $350 to $875). The malware relies on misconfigurations in ISO 8583 messaging that prevent effective message authentication [9], allowing it to tamper with messages undetected.

The emergence of the Linux variant underscores the need for improved detection capabilities in Linux server environments [4] [9] [10], as only a few anti-malware engines currently recognize these samples [9]; initial reports noted that just four engines flagged them at the time. This behavior mirrors a previously documented Windows FASTCash artifact, “switch.dll,” noted by the US Cybersecurity and Infrastructure Security Agency (CISA) in September 2020 [10]. CISA has linked FASTCash to the North Korean hacking group BeagleBoyz [9], a subset of the government-backed Hidden Cobra [9], which has attempted to steal nearly $2 billion since 2015 [9].

Researchers indicate that the process injection technique used to intercept transaction messages can be detected by commercial or open-source Linux agents configured to monitor the ptrace system call [2]. To mitigate exploitation risks [2], CISA recommends implementing chip and PIN requirements for debit cards [2] [4], verifying message authentication codes on financial request responses [2] [4], and validating authorization response cryptograms for chip and PIN transactions [2] [4]. The malware’s ability to modify transaction messages at critical points in the payment processing network poses significant risks to financial institutions [9]. It marks an escalation in cyber threats against the financial sector and calls for enhanced detection and prevention strategies [6]. Additionally, a new Windows version of FASTCash was reported in September 2024 [7], indicating ongoing evolution in the malware toolkit used by these threat actors [7].
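As an added illustration (not code from this page or from any cited source), the following shows the message-authentication check CISA recommends above, applied to the tampering described in the Description: a switch that verifies a MAC in ISO 8583 field 64 rejects a response whose response code (field 39) was flipped from "51" (insufficient funds) to "00" (approved) after signing. The field table, key, PAN and amounts are constructed for the demo, and the MAC scheme (HMAC-SHA256 truncated to 8 bytes) is illustrative rather than any real network's.

```python
import hashlib
import hmac

# Demo field table: field -> (kind, length); "llvar" = 2-digit length prefix.
FIELDS = {2: ("llvar", 19), 4: ("fixed", 12), 11: ("fixed", 6),
          39: ("fixed", 2), 64: ("fixed", 16)}
KEY = b"constructed-demo-mac-key"  # hypothetical key shared by issuer and switch

def encode(mti, data):
    """Serialise MTI + 64-bit primary bitmap + fields in ascending order."""
    bitmap, body = 0, ""
    for f in sorted(data):
        kind, ln = FIELDS[f]
        bitmap |= 1 << (64 - f)
        if kind == "fixed":
            assert len(data[f]) == ln, f"field {f} must be {ln} chars"
            body += data[f]
        else:
            body += f"{len(data[f]):02d}{data[f]}"
    return f"{mti}{bitmap:016X}{body}"

def decode(msg):
    """Inverse of encode(); returns (mti, {field: value})."""
    mti, bitmap, rest = msg[:4], int(msg[4:20], 16), msg[20:]
    data = {}
    for f in range(2, 65):
        if not bitmap & (1 << (64 - f)):
            continue
        kind, ln = FIELDS[f]
        if kind == "llvar":
            ln, rest = int(rest[:2]), rest[2:]
        data[f], rest = rest[:ln], rest[ln:]
    return mti, data

def mac(mti, data):
    """MAC over everything except field 64 itself: HMAC-SHA256 truncated to 8 bytes."""
    covered = {f: v for f, v in data.items() if f != 64}
    digest = hmac.new(KEY, encode(mti, covered).encode(), hashlib.sha256).hexdigest()
    return digest[:16].upper()

def sign(mti, data):
    return encode(mti, {**data, 64: mac(mti, data)})  # issuer side: append MAC

def accept(msg):
    """Switch side: approve only when the MAC verifies AND field 39 is '00'."""
    mti, data = decode(msg)
    if 64 not in data or not hmac.compare_digest(data[64], mac(mti, data)):
        return "rejected: MAC failure"
    return "approved" if data[39] == "00" else f"declined: code {data[39]}"
```

A response whose field 39 is rewritten in transit, or one that arrives without field 64 at all, fails `accept()` before the response code is ever consulted.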

Conclusion

The development of the Linux variant of FASTCash by Hidden Cobra marks a significant escalation in cyber threats targeting financial institutions. The malware’s ability to exploit weaknesses in payment systems poses substantial risks, emphasizing the need for improved detection and prevention measures. Financial institutions must adopt robust security protocols, including chip and PIN requirements and enhanced message authentication, to mitigate these threats. The ongoing evolution of FASTCash, including the emergence of a new Windows version, underscores the persistent and adaptive nature of cyber threats, necessitating continuous vigilance and adaptation in cybersecurity strategies.

References

[1] https://sempreupdate.com.br/linux/malwares/nova-variante-linux-malware-fastcash-roubo-dinheiro-atm/
[2] https://www.darkreading.com/cyber-risk/north-korea-hackers-cash-linux-cyber-heists
[3] https://www.blackhatethicalhacking.com/news/lazarus-group-deploys-linux-fastcash-malware-to-steal-millions-in-coordinated-atm-attacks/
[4] https://securityaffairs.com/169860/malware/new-linux-variant-fastcash-malware-targets-financial-systems.html
[5] https://www.it-connect.fr/le-malware-fastcash-pour-linux-utilise-voler-argent-a-partir-des-dab/
[6] https://linuxsecurity.com/news/hackscracks/fastcash-linux-malware
[7] https://cybermaterial.com/new-linux-fastcash-malware-targets-atms/
[8] https://www.linkedin.com/posts/mchubirka_north-korean-hackers-use-newly-discovered-activity-7252079507526819840-ZdRd
[9] https://arstechnica.com/security/2024/10/north-korean-hackers-use-newly-discovered-linux-malware-to-raid-atms/
[10] https://thehackernews.com/2024/10/new-linux-variant-of-fastcash-malware.html