Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV //

Malware

11/9/2018
09:35 AM
Scott Ferguson
Scott Ferguson
News Analysis-Security Now
50%
50%

Symantec Offers New Details of North Korean-Backed 'FASTCash' Attack

"FASTCash" is a cyber attack targeting ATMs around the world with backing from the North Korean government, and now Symantec has new details about how the scheme works.

In October, the US government issued a warning about a North Korean-backed cyber attack called "FASTCash," which targeted ATMs around the world. Now, Symantec has additional details about how the scheme worked and what tools the attackers used.

In a November 8 blog post, Symantec researchers offer a look at the malware used as part of the attack, which the company calls Trojan.Fastcash. This malicious software has not been seen previously.

The US Computer Emergency Readiness Team (US-CERT) first issued a warning about FASTCash in October, following attacks in Asia and Africa that drained ATMs of millions of dollars. The scheme is believed to be the work of the group Hidden Cobra, which also goes by the name Lazarus, and is suspected of having the backing of the North Korean government. (See US Warns About ATM Thefts Linked to North Korea's Hidden Cobra Group.)

(Source: iStock)
(Source: iStock)

Hidden Cobra or Lazarus is an Advanced Persistent Threat (APT) group that is suspected of conducting the hack of Sony Pictures, a massive theft at the Bangladesh Central Back and releasing the WannaCry ransomware attack in 2017.

So far, FASTCash attacks have not been detected in the US. However, in 2017, the group targeted ATMs in 30 different countries as part of an attack, and this year another 23 countries were hit.

However, it's clear from some of the initial analysis of the attack that the group behind the scheme knows international banking standards and procedures to target ATMs and manipulate transactions within different countries.

Specifically, the attackers can inject a malicious Advanced Interactive eXecutive (AIX) executable into the switch application server of a bank's financial network. AIX is IBM's proprietary Unix operating system that many banks and financial intuitions run to support their back-end infrastructures.

The malicious executable can then create a fraudulent International Standards Organization (ISO) 8583 message, which is a major standard for financial transactions.

This executable is now believed to be the Trojan.Fastcash malware.

Once inside, the malware serves two functions. It can monitor incoming messages and intercept fraudulent transactions before they research the switch application. It also contains the logic that generates one of three responses to these fraudulent requests.

After infiltrating the network, the malware waits for a command from the attacks. As Symantec describes it:

Once installed on the server, Trojan.Fastcash will read all incoming network traffic, scanning for incoming ISO 8583 request messages. It will read the Primary Account Number (PAN) on all messages and, if it finds any containing a PAN number used by the attackers, the malware will attempt to modify these messages. How the messages are modified depends on each victim organization. It will then transmit a fake response message approving fraudulent withdrawal requests. The result is that attempts to withdraw money via an ATM by the Lazarus attackers will be approved.

During its investigation, Symantec found several different Trojan.Fastcash variants that use different logic to generate responses, which helps tailor responses to different transaction messages. The researchers also found that the PAN numbers used to initiate the transactions are attached to legitimate accounts that carry minimal or zero balances.

It's not clear if the attackers are opening the accounts and then making withdrawals or using stolen ATM cards. However, the previous CERT alert found that the group may use phishing techniques to gain access to a bank's network and back-end servers that support the ATMs.

In its blog post, Symantec recommends updating older software to patch any flaws. In many cases, older versions of AIX are no longer supported by IBM and could be vulnerable.

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32243
PUBLISHED: 2021-06-16
FOGProject v1.5.9 is affected by a File Upload RCE (Authenticated).
CVE-2021-32244
PUBLISHED: 2021-06-16
Cross Site Scripting (XSS) in Moodle 3.10.3 allows remote attackers to execute arbitrary web script or HTML via the "Description" field.
CVE-2021-32245
PUBLISHED: 2021-06-16
In PageKit v1.0.18, a user can upload SVG files in the file upload portion of the CMS. These SVG files can contain malicious scripts. This file will be uploaded to the system and it will not be stripped or filtered. The user can create a link on the website pointing to "/storage/exp.svg" t...
CVE-2021-34201
PUBLISHED: 2021-06-16
D-Link DIR-2640-US 1.01B04 is vulnerable to Buffer Overflow. There are multiple out-of-bounds vulnerabilities in some processes of D-Link AC2600(DIR-2640). Local ordinary users can overwrite the global variables in the .bss section, causing the process crashes or changes.
CVE-2021-34203
PUBLISHED: 2021-06-16
D-Link DIR-2640-US 1.01B04 is vulnerable to Incorrect Access Control. Router ac2600 (dir-2640-us), when setting PPPoE, will start quagga process in the way of whole network monitoring, and this function uses the original default password and port. An attacker can easily use telnet to log in, modify ...