Initially, FASTCash was exclusive to Unix systems. Then, it adapted to work with Windows. Now, it has also begun targeting Linux platforms.
At the outset, North Korean hackers infiltrated banking systems operating on AIX, IBM’s proprietary Unix version. Following this, they breached networks utilizing Windows. Their latest move sees these state-sponsored cybercriminals extending their attacks to include Linux environments.
The malware known as FASTCash functions as a remote access tool, installed on payment switches within compromised networks that manage payment card transactions. The US Cybersecurity and Infrastructure Security Agency (CISA) first issued a warning regarding FASTCash in 2018 through an advisory, indicating that the malware was affecting AIX-driven switches in retail payment networks. In 2020, CISA updated its alerts to report that FASTCash had expanded to Windows systems as well. In addition to adapting to Windows, FASTCash began targeting not only retail payment switches but also those managed by regional interbank payment processors.
Recently, a researcher discovered two variants of FASTCash designed for Linux-based switches. One of these is compiled for Ubuntu Linux 20.04 and appears to have been developed after April 21, 2022. The other variant seems to have remained unused. At the time of this writing, only four anti-malware engines identified each sample. As of Sunday, there were no detections reported. The Linux variant was submitted to VirusTotal in June 2023.
“The discovery of the Linux variant highlights the urgent need for improved detection capabilities, which are frequently insufficient in Linux server environments,” noted a researcher known as haxrob wrote.
FASTCash is designed to infiltrate a critical switch within the intricate networks that facilitate payment transactions between merchants and their banks, as well as the payment card issuers necessary for transaction approvals. The specific switches targeted are situated within the interbank network that connects these parties.
The following explanation details the transaction process among the card issuers, identified as the issuing domain, and the merchant along with the merchant bank categorized as the acquiring domain.
This malware operates within the userspace segment of the interbank switch that links the issuing and acquiring domains. When a compromised card is utilized for a fraudulent transaction, FASTCash manipulates the messages sent to the switch from issuers before forwarding them to the merchant bank. Consequently, messages from issuers that would typically deny the transaction are altered to reflect approvals instead.
The diagram below presents an overview of the functioning of FASTCash:
The selected switches for targeting feature improperly configured versions of ISO 8583, a standard for messaging in financial transactions. These improper configurations hinder the message authentication processes, such as those outlined for field 64 in the specification, rendering them ineffective. Consequently, the altered messages produced by FASTCash go unnoticed as fraudulent.
“FASTCash malware focuses on systems that handle ISO8583 messages through a certain intermediate host, where crucial security mechanisms designed to protect message integrity are absent,” stated haxrob. “If these messages were safeguarded for integrity, a field like DE64 would typically contain a MAC (message authentication code). Since the standard lacks a definition for the algorithm, the MAC algorithm will depend on the specific implementation.”
The researcher further elaborated:
FASTCash malware alters transaction messages at a point within the network where interference won’t lead to rejection by upstream or downstream systems. A plausible interception point would be during the conversion of ATM/PoS messages from one format to another, such as at the interface between a proprietary protocol and an ISO8583 message, or when modifications to the message are made by a process operating within the switch.
CISA noted that BeagleBoyz—one of the aliases used to identify North Korean hackers—is part of HiddenCobra, a broader faction supported by the North Korean government. Since 2015, BeagleBoyz has sought to pilfer nearly $2 billion. According to CISA, this malicious group has also “manipulated and, at times, rendered inoperable, critical computer systems at banks and other financial institutions.”
The haxrob report offers cryptographic hashes for identifying two samples of the newly identified Linux version, along with hashes for various newly discovered instances of FASTCash for Windows.
ChicagoVPS is your gateway to unparalleled hosting solutions. Our state-of-the-art datacenters and powerful network ensures lightning-fast speeds and uninterrupted connectivity for your websites and applications. Whether you’re a startup looking for scalable resources or an enterprise in need of enterprise-grade hosting, our range of plans and customizable solutions guarantee a perfect fit. Trust in ChicagoVPS to deliver excellence, combining unmatched reliability and top-tier support.
For Inquiries or to receive a personalized quote, please reach out to us through our contact form here or email us at sales@chicagovps.net.
