October 14, 2024 at 06:21PM
North Korean hackers are deploying a new Linux variant of FASTCash malware, targeting payment switch systems at financial institutions for unauthorized cash withdrawals. This variant, first noted in June 2023, manipulates transaction messages to bypass declines, facilitating thefts akin to previous FASTCash operations since 2016.
**Meeting Takeaways:**
1. **New Threat Identified**: North Korean hackers are utilizing a newly discovered Linux variant of the FASTCash malware, specifically targeting financial institutions’ payment switch systems for unauthorized cash withdrawals.
2. **Historical Context of FASTCash**:
– FASTCash has a history of targeting Windows and IBM AIX systems since 2016, orchestrated by the North Korean group ‘Hidden Cobra.’
– CISA issued its initial warning in December 2018, highlighting the scheme’s potential for massive financial theft, estimated in the tens of millions per incident.
3. **Recent Developments**:
– The Linux variant was first detected in June 2023 and operates similarly to earlier versions, functioning as a shared library injected into payment switch servers.
– This variant had gone unflagged by standard security tooling, including the antivirus engines on VirusTotal.
4. **Operational Mechanism**:
– The malware manipulates ISO8583 transaction messages, rewriting "insufficient funds" decline responses into approvals so that fraudulent transactions go through.
– Money mules then withdraw cash from ATMs based on these manipulated approvals.
5. **Continued Activity and Evolution**:
– The threat actors appear to be actively evolving their malware, with a new Windows version of FASTCash noted in September 2024, indicating ongoing enhancements to their toolkit.
6. **Security Implications**:
– Financial institutions should be vigilant regarding vulnerabilities in their payment switch systems, particularly those using Ubuntu 22.04 LTS, as well as monitoring for potential signs of manipulation in transaction messages.
7. **Action Items**:
– Consider reinforcing detection systems for ISO8583 message integrity.
– Assess existing security measures against potential exploits from this new Linux variant.
– Stay informed on updates from cybersecurity agencies regarding evolving threats from state-backed groups like APT38 (Lazarus).
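As an added, defender-side illustration of the "ISO8583 message integrity" action item and of the decline-to-approval manipulation described under item 4 (example code, not from the article or from any vendor): a reconciliation check that compares the issuer host's authorization decisions with the responses the switch actually forwarded, keyed by STAN (field 11) and RRN (field 37), and flags any "insufficient funds" decline (field 39 = 51) that left the switch as an approval (00). The pipe-delimited log format, the HMAC-SHA256 binding of field 39 to the transaction identifiers, and the demo key are assumptions made for this example; real traffic carries its MAC in ISO 8583 field 64/128 and keeps keys in an HSM. Because the malware runs as a library injected into the switch itself, a check like this is only useful when it runs off the switch, on the issuer host or a separate monitor that sees both sides.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# ISO 8583 field 39 response codes (standard values)
APPROVED = "00"
INSUFFICIENT_FUNDS = "51"


@dataclass(frozen=True)
class AuthResponse:
    stan: str        # field 11, system trace audit number
    rrn: str         # field 37, retrieval reference number
    amount: int      # field 4, in minor currency units
    resp_code: str   # field 39, response code
    mac: str = ""    # assumed: hex HMAC-SHA256 over the fields above


def message_mac(key: bytes, r: AuthResponse) -> str:
    """MAC binding the decision (field 39) to the transaction identifiers."""
    data = f"{r.stan}|{r.rrn}|{r.amount}|{r.resp_code}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign(key: bytes, r: AuthResponse) -> AuthResponse:
    return replace(r, mac=message_mac(key, r))


def format_record(r: AuthResponse) -> str:
    # constructed pipe-delimited log format, not ISO 8583 wire encoding
    return f"{r.stan}|{r.rrn}|{r.amount}|{r.resp_code}|{r.mac}"


def parse_record(line: str) -> AuthResponse:
    stan, rrn, amount, code, mac = line.strip().split("|")
    return AuthResponse(stan, rrn, int(amount), code, mac)


def reconcile(issuer_lines, forwarded_lines, key: bytes):
    """Compare what the issuer host decided with what the switch sent onward.
    Returns a list of (alert_type, stan) tuples."""
    issuer = {(r.stan, r.rrn): r for r in map(parse_record, issuer_lines)}
    alerts = []
    for line in forwarded_lines:
        fwd = parse_record(line)
        src = issuer.get((fwd.stan, fwd.rrn))
        if src is None:
            # an approval the issuer never produced
            alerts.append(("no_issuer_record", fwd.stan))
            continue
        if not hmac.compare_digest(fwd.mac, message_mac(key, fwd)):
            # fields were altered after the issuer computed the MAC
            alerts.append(("mac_mismatch", fwd.stan))
        if src.resp_code != APPROVED and fwd.resp_code == APPROVED:
            # the FASTCash pattern: a decline turned into an approval in transit
            alerts.append(("decline_flipped_to_approval", fwd.stan))
    return alerts


DEMO_KEY = b"constructed-demo-key"  # constructed for the example; real keys live in an HSM


def build_sample():
    """Constructed sample logs: issuer decisions and the switch's forwarded copies."""
    issuer = [
        sign(DEMO_KEY, AuthResponse("000101", "424200000101", 50000, INSUFFICIENT_FUNDS)),
        sign(DEMO_KEY, AuthResponse("000102", "424200000102", 2000, APPROVED)),
    ]
    tampered = replace(issuer[0], resp_code=APPROVED)  # code flipped, MAC left stale
    forged = AuthResponse("000103", "424200000103", 90000, APPROVED, "deadbeef")  # never seen by issuer
    forwarded = [tampered, issuer[1], forged]
    return [format_record(r) for r in issuer], [format_record(r) for r in forwarded]


def run_demo():
    issuer_lines, forwarded_lines = build_sample()
    return reconcile(issuer_lines, forwarded_lines, DEMO_KEY)


if __name__ == "__main__":
    for alert in run_demo():
        print(*alert)
```

The flipped record trips two alerts, the stale MAC and the decline-to-approval mismatch, while the forged record has no issuer counterpart at all; an unmodified forwarded log produces no alerts. In practice the reconciliation key would be the full transaction identity the institution already uses for settlement matching, and the alert stream would feed the SIEM rather than stdout.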