North Korean threat actors have been observed using a Linux variant of a well-known malware family called FASTCash for stealing funds as part of a financially motivated campaign.
The malware “is installed on payment switches in compromised networks that process card transactions to facilitate unauthorized cash withdrawals from ATMs,” according to security researcher HaxRob. said.
FASTCash was documented for the first time by the US government in October 2018, used by adversaries linked to North Korea in connection with an ATM-withdrawal scheme targeting banks in Africa and Asia since at least late 2016.
“FASTCash schemes remotely compromise payment switch application servers at banks to facilitate fraudulent transactions,” the agencies said at the time.
“In one incident in 2017, HIDDEN COBRA actors allowed simultaneous cash withdrawals from ATMs located in more than 30 different countries. In another incident in 2018, HIDDEN COBRA actors allowed cash to be withdrawn simultaneously from ATMs in 23 different countries.”
While previous FASTCash artifacts have systems running Microsoft Windows (incl one spotted as recently as last month) and IBM AIX, the latest findings show that samples designed to infiltrate Linux systems were introduced for the first time to the VirusTotal platform in mid-June 2023.
The malware takes the form of a shared object (“libMyFc.so”) compiled for Ubuntu Linux 20.04. It is designed to be intercepted and modified ISO 8583 transaction messages used to process debit and credit cards to initiate unauthorized withdrawals.
Specifically, this involves manipulating declined (swipe) transaction reports due to insufficient funds to a predetermined list of cardholder account numbers and approving them to withdraw a random amount of funds in Turkish lira.
Funds withdrawn per fraudulent transaction range from 12,000 to 30,000 lira ($350 to $875), reflecting the Windows FASTCash artifact (“switch.dll”) previously detailed The US Cybersecurity and Infrastructure Security Agency (CISA) in September 2020.
“(The discovery of) the Linux variant further highlights the need for adequate detection capabilities, which are often lacking in Linux server environments,” the researcher said.
