FastCash is a notorious malware family, first documented by the US government in October 2018. It was initially used by North Korean adversaries in an ATM cash-out scheme targeting banks in Africa and Asia. The malware is installed on the payment switch application servers that handle card transactions inside a compromised bank network, where it intercepts and manipulates authorization traffic so that ATM withdrawals succeed without a legitimate approval from the issuer. In November 2018, cybersecurity firm Symantec reported the FastCash Trojan (detected as Trojan.Fastcash) being used by the North Korea-linked Advanced Persistent Threat (APT) group Lazarus in a series of attacks against ATMs. Earlier iterations of the FastCash malware targeted IBM AIX (FASTCash for UNIX) and Microsoft Windows (FASTCash for Windows).
Recently, North Korea-linked actors have deployed a new Linux variant of FastCash against financial systems, as revealed by security researcher HaxRob. Unlike its AIX and Windows predecessors, this variant is built as a shared library that is injected into a running process on the payment switch server through the ptrace system call, from where it intercepts the ISO 8583 transaction messages passing through that process. Sitting in the switch's message path lets the attackers alter the exchange between ATMs and the bank's authorization hosts, so that withdrawals that should be declined are approved. Injecting with ptrace presupposes that the attacker already runs with sufficient privilege on the switch (root, or a user permitted to attach to the target process under the kernel's ptrace restrictions), so the variant is a post-compromise tool rather than an initial access vector.
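As an added example (not HaxRob's tooling and not code from the malware), the check below is what a responder would run on a Linux payment switch to look for the footprint a ptrace-based library injection leaves in /proc/<pid>/maps: executable code mapped from outside the locations the switch legitimately loads from, executable mappings of files that have since been unlinked, and anonymous executable memory where an injector's stub typically lives. The trusted directory list, the sample maps text and the `libhook.so` name are assumptions constructed for the example.

```python
"""Flag executable mappings in a process that a ptrace-style injection of a
shared object would leave behind. Added example; assumes a Linux host where
/proc/<pid>/maps is readable and that legitimate code for the switch lives
only under TRUSTED_CODE_DIRS (an assumption to tune per deployment)."""
import re
from typing import List, Tuple

# Assumption: every executable file-backed mapping of a healthy switch process
# comes from one of these prefixes. Adjust to the real install layout.
TRUSTED_CODE_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/",
                     "/usr/bin/", "/opt/switch/")

# One line of /proc/<pid>/maps:
#   start-end perms offset dev inode [pathname]
_MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+(?P<inode>\d+)\s*(?P<path>.*)$")


def suspicious_mappings(maps_text: str,
                        trusted_dirs: Tuple[str, ...] = TRUSTED_CODE_DIRS
                        ) -> List[Tuple[str, str]]:
    """Return (address range, reason) for each executable mapping that does
    not look like package-managed code: anonymous executable memory, code
    backed by an unlinked file (this also covers memfd-backed objects, which
    show up as '/memfd:... (deleted)'), or code loaded from an untrusted path."""
    findings = []
    for raw in maps_text.splitlines():
        m = _MAPS_LINE.match(raw.strip())
        if not m or "x" not in m.group("perms"):
            continue                      # not executable: not of interest here
        path = m.group("path").strip()
        region = f"{m.group('start')}-{m.group('end')}"
        if path == "":
            findings.append((region, "anonymous executable mapping"))
        elif path.startswith("["):
            continue                      # [vdso], [vsyscall]: kernel-provided
        elif path.endswith("(deleted)"):
            findings.append((region, f"executable mapping of unlinked file {path}"))
        elif not path.startswith(trusted_dirs):
            findings.append((region, f"code loaded from untrusted path {path}"))
    return findings


def scan_pid(pid: int) -> List[Tuple[str, str]]:
    """Read the live maps of one process and apply the check."""
    with open(f"/proc/{pid}/maps") as fh:
        return suspicious_mappings(fh.read())


# Constructed sample (not a real capture): a switch daemon with libc, an
# injected library whose file was unlinked after loading, and an rwx
# anonymous region left by the injector's stub.
SAMPLE_MAPS = """\
55d0a1c00000-55d0a1c7a000 r-xp 00000000 fd:01 1310772    /opt/switch/bin/switchd
7f3b2c000000-7f3b2c1c8000 r-xp 00000000 fd:01 2621459    /usr/lib/x86_64-linux-gnu/libc.so.6
7f3b2c400000-7f3b2c401000 rw-p 00000000 00:00 0
7f3b2c600000-7f3b2c605000 r-xp 00000000 fd:01 1048613    /tmp/.cache/libhook.so (deleted)
7f3b2c800000-7f3b2c801000 rwxp 00000000 00:00 0
7ffd3e1a0000-7ffd3e1c1000 rw-p 00000000 00:00 0          [stack]
7ffd3e1f0000-7ffd3e1f2000 r-xp 00000000 00:00 0          [vdso]
"""

if __name__ == "__main__":
    for region, reason in suspicious_mappings(SAMPLE_MAPS):
        print(region, reason)
```

Baseline the switch process before relying on this: runtimes with a JIT (Java, for instance) create anonymous executable regions legitimately, so the signal is the delta from a known-good snapshot rather than any single hit. Pair the file-system view with a syscall view, for example an auditd rule on the ptrace syscall, since an attacker who unmaps the library after hooking leaves little in maps but still had to attach.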
The Linux variant shows the actors porting an established scheme to a new platform as bank infrastructure changes, rather than inventing a new technique: the operating model is the one described in the joint technical alert (TA18-275A) that US-CERT released in October 2018, which warned of the ATM cash-out scheme dubbed "FASTCash" and attributed it to the prolific North Korean APT group tracked as Hidden Cobra, also referred to as Lazarus Group and Guardians of Peace. The ongoing use and development of FastCash underscores the persistent threat these actors pose to global financial systems, and in particular to the payment switch tier, which should be monitored both for unexpected code injection and for authorization responses that do not match what the issuer host actually returned.
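The interception described above is only useful to the attacker if the response the ATM receives differs from the one the issuer host gave. As an added example (my own reconciliation approach, not the malware, the switch vendor's code or anything from HaxRob's analysis), the block below parses a minimal ASCII ISO 8583 message and compares the 0210 responses the issuer logged against the 0210 responses the switch delivered to ATMs, keyed on terminal ID and STAN. Assumptions not taken from the original description: ASCII encoding, a primary bitmap only, the small data-element subset in FIELD_SPEC, and the constructed sample messages; production switches carry many more elements and usually a secondary bitmap.

```python
"""Minimal ASCII ISO 8583 build/parse plus an issuer-vs-ATM reconciliation.
Added example with assumed encoding and field subset; not production code."""
from typing import Dict, List, Tuple

# DE number -> (kind, length). "fixed" = exact length; "llvar" = 2-digit
# length prefix with the given maximum. Subset chosen for this example.
FIELD_SPEC = {
    2: ("llvar", 19),   # primary account number
    3: ("fixed", 6),    # processing code (01xxxx = cash withdrawal)
    4: ("fixed", 12),   # amount in minor units
    11: ("fixed", 6),   # system trace audit number (STAN)
    37: ("fixed", 12),  # retrieval reference number
    39: ("fixed", 2),   # response code: "00" approved, "51" insufficient funds
    41: ("fixed", 8),   # terminal ID
}
APPROVED = "00"


def build_iso8583(mti: str, fields: Dict[int, str]) -> str:
    """Serialize MTI + 64-bit primary bitmap (16 hex chars) + fields in DE order."""
    bits, body = 0, ""
    for de in sorted(fields):
        kind, length = FIELD_SPEC[de]
        value = fields[de]
        if kind == "llvar":
            if len(value) > length:
                raise ValueError(f"DE{de} too long")
            body += f"{len(value):02d}{value}"
        else:
            if len(value) != length:
                raise ValueError(f"DE{de} must be {length} chars")
            body += value
        bits |= 1 << (64 - de)            # bit 1 is the MSB; DE n is bit n
    return f"{mti}{bits:016X}{body}"


def parse_iso8583(msg: str) -> Tuple[str, Dict[int, str]]:
    """Inverse of build_iso8583; rejects secondary bitmaps and trailing data."""
    mti, bits, body = msg[:4], int(msg[4:20], 16), msg[20:]
    if bits >> 63 & 1:
        raise ValueError("secondary bitmap not supported in this example")
    fields, pos = {}, 0
    for de in range(2, 65):
        if not (bits >> (64 - de)) & 1:
            continue
        if de not in FIELD_SPEC:
            raise ValueError(f"no spec for DE{de}")
        kind, length = FIELD_SPEC[de]
        if kind == "llvar":
            length, pos = int(body[pos:pos + 2]), pos + 2
        fields[de], pos = body[pos:pos + length], pos + length
    if pos != len(body):
        raise ValueError("message length does not match bitmap")
    return mti, fields


def reconcile(issuer_responses: List[str],
              atm_responses: List[str]) -> List[Tuple[str, str]]:
    """Alert on ATM-side responses whose response code or amount differs from
    the issuer's record, and on approvals the issuer never produced. Both are
    what an in-path rewrite of authorization traffic looks like in the logs."""
    issuer = {}
    for raw in issuer_responses:
        _, f = parse_iso8583(raw)
        issuer[(f[41], f[11])] = f
    alerts = []
    for raw in atm_responses:
        _, f = parse_iso8583(raw)
        label = f"terminal {f[41]} STAN {f[11]}"
        up = issuer.get((f[41], f[11]))
        if up is None:
            if f[39] == APPROVED:
                alerts.append((label, "approval with no matching issuer response"))
            continue
        if f[39] != up[39]:
            alerts.append((label, f"response code rewritten {up[39]} -> {f[39]}"))
        if f.get(4) != up.get(4):
            alerts.append((label, f"amount rewritten {up.get(4)} -> {f.get(4)}"))
    return alerts


def _resp(stan: str, term: str, rc: str, amount: str = "000000020000") -> str:
    # Helper for the constructed sample; PAN and amounts are made up.
    return build_iso8583("0210", {2: "4111111111111111", 3: "010000", 4: amount,
                                  11: stan, 37: "000000" + stan, 39: rc, 41: term})


# Constructed sample: what the issuer host logged ...
ISSUER_LOG = [
    _resp("000101", "ATM00001", "00"),   # legitimate approval
    _resp("000102", "ATM00001", "51"),   # declined: insufficient funds
]
# ... and what the switch delivered to the ATMs. STAN 000102 was flipped to
# an approval in flight; STAN 000103 was never seen by the issuer at all.
ATM_LOG = [
    _resp("000101", "ATM00001", "00"),
    _resp("000102", "ATM00001", "00"),
    _resp("000103", "ATM00002", "00"),
]

if __name__ == "__main__":
    for label, reason in reconcile(ISSUER_LOG, ATM_LOG):
        print(label, reason)
```

The reconciliation has to run on data the compromised switch cannot rewrite: take the issuer-side records from the authorization host (or the card network's clearing files) and the ATM-side records from the terminals or the ATM controller, never both from the switch itself.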
Description last updated: 2024-10-17T12:37:35.927Z