North Korean threat actors are using a Linux variant from a malware family known as “FASTCash” to conduct a financially motivated cyber campaign.
FASTCash is a payment switch malware, first documented by the US government in October 2018 when it was being used by North Korean adversaries in an ATM scheme targeting banks in Africa and Asia.
Since that time, there have been two significant developments within the campaign. The first is its capability to conduct the scheme against banks hosting their switch application on Windows Server, and the second is its expansion of the campaign to target interbank payment processors.
Prior versions of the malware targeted systems running Microsoft Windows and IBM AIX, but the latest findings indicate that the malware is now designed to infiltrate Linux systems.
The malware intercepts and modifies the ISO 8583 transaction messages used in debit and credit card transactions in order to initiate unauthorized withdrawals. It even takes transactions that were declined for insufficient funds and rewrites them as approved, allowing cash to be withdrawn in Turkish currency in amounts ranging from 12,000 to 30,000 lira ($350 to $875).
“The process injection technique employed to intercept the transaction messages should be flagged by any commercial [endpoint detection and response] or open-source Linux agent with the appropriate configuration to detect usage of the ptrace system call,” noted the researchers in the report.
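The ptrace-based detection the researchers refer to can be built from ordinary Linux audit logging. The following is an added example, not code from the article or the report: it parses constructed auditd SYSCALL records produced by a ptrace audit rule and raises an alert whenever a binary outside a hypothetical allowlist of debuggers issues an attach- or memory-write-class ptrace request against another process. The audit rule string, the allowlist, the sample log lines and the hex PIDs are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# auditd rule that produces the SYSCALL records parsed below (assumption: x86_64
# host; add a matching "-F arch=b32" rule if 32-bit callers are possible).
AUDIT_RULE = "-a always,exit -F arch=b64 -S ptrace -k ptrace_detect"

# ptrace request codes from <sys/ptrace.h>; auditd reports them in a0 as hex.
PTRACE_REQUESTS = {
    0x0: "PTRACE_TRACEME", 0x4: "PTRACE_POKETEXT", 0x5: "PTRACE_POKEDATA",
    0xD: "PTRACE_SETREGS", 0x10: "PTRACE_ATTACH", 0x11: "PTRACE_DETACH",
    0x4206: "PTRACE_SEIZE",
}
# Requests that let a tracer take over or rewrite another process: the
# primitives an in-memory injector needs. Detach alone is not interesting.
INJECTION_REQUESTS = {"PTRACE_ATTACH", "PTRACE_SEIZE", "PTRACE_POKETEXT",
                      "PTRACE_POKEDATA", "PTRACE_SETREGS"}
# Hypothetical allowlist of tracers an operator expects on a payment host.
ALLOWED_TRACERS = {"/usr/bin/gdb", "/usr/bin/strace"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class Alert:
    tracer_pid: int
    exe: str
    request: str
    target_pid: int

def parse_record(line: str) -> dict:
    """Split one audit record into a key/value dict, dropping quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def detect_ptrace_injection(lines: List[str]) -> List[Alert]:
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        # syscall 101 is ptrace on x86_64; enriched logs may spell it out.
        if rec.get("syscall") not in ("101", "ptrace"):
            continue
        if rec.get("success") != "yes":
            continue
        request = PTRACE_REQUESTS.get(int(rec.get("a0", "0"), 16), "UNKNOWN")
        if request not in INJECTION_REQUESTS:
            continue
        exe = rec.get("exe", "")
        if exe in ALLOWED_TRACERS:
            continue
        alerts.append(Alert(tracer_pid=int(rec.get("pid", "0")), exe=exe,
                            request=request,
                            target_pid=int(rec.get("a1", "0"), 16)))
    return alerts

# Constructed sample records (not from any real host).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1697000000.101:4001): arch=c000003e syscall=101 success=yes exit=0 '
    'a0=10 a1=4d2 a2=0 a3=0 pid=3100 uid=0 comm="gdb" exe="/usr/bin/gdb" key="ptrace_detect"',
    'type=SYSCALL msg=audit(1697000000.202:4002): arch=c000003e syscall=101 success=yes exit=0 '
    'a0=10 a1=1a85 a2=0 a3=0 pid=3200 uid=0 comm="inject" exe="/tmp/.x/inject" key="ptrace_detect"',
    'type=SYSCALL msg=audit(1697000000.203:4003): arch=c000003e syscall=101 success=yes exit=0 '
    'a0=4 a1=1a85 a2=7f00 a3=4141 pid=3200 uid=0 comm="inject" exe="/tmp/.x/inject" key="ptrace_detect"',
    'type=SYSCALL msg=audit(1697000000.204:4004): arch=c000003e syscall=101 success=yes exit=0 '
    'a0=11 a1=1a85 a2=0 a3=0 pid=3200 uid=0 comm="inject" exe="/tmp/.x/inject" key="ptrace_detect"',
    'type=SYSCALL msg=audit(1697000000.300:4005): arch=c000003e syscall=257 success=yes exit=3 '
    'a0=ffffff9c a1=55aa a2=0 a3=0 pid=3300 uid=0 comm="cat" exe="/usr/bin/cat" key="file_read"',
]

if __name__ == "__main__":
    for a in detect_ptrace_injection(SAMPLE_LOG):
        print(f"ALERT pid={a.tracer_pid} exe={a.exe} {a.request} -> target pid {a.target_pid}")
```

Load the rule with `auditctl` (or persist it under `/etc/audit/rules.d/`) and feed the resulting records to the detector; on a switch host where no debugger should ever run, the allowlist can be emptied so that every successful attach or write is reported.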
The researchers also highlight the Cybersecurity and Infrastructure Security Agency (CISA) recommendations for preventing exploitation attempts: implementing chip and PIN requirements for debit cards, requiring and verifying message authentication codes on issuer financial request response messages, and performing authorization response cryptogram validation for chip and PIN transactions.
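The message authentication code check in CISA's recommendations is what defeats the decline-to-approve rewrite described above. The following is an added illustration, not code from the article, the researchers or CISA: an issuer computes a MAC over the response's ISO 8583 data elements and the switch refuses to dispense on any response whose MAC does not verify. HMAC-SHA256 truncated to 8 bytes stands in for the ISO 9797-style MAC a real switch would compute under an HSM; the key, the field set placed under the MAC, and the sample card and amounts are all constructed for the example.

```python
import hmac
import hashlib
from typing import Dict

# ISO 8583 data elements covered by the MAC: DE2 PAN, DE3 processing code,
# DE4 amount (12 digits, minor units), DE11 STAN, DE37 RRN, DE39 response
# code, DE49 currency. DE64 carries the MAC itself and is excluded.
MAC_FIELDS = (2, 3, 4, 11, 37, 39, 49)
MAC_FIELD = 64

# Hypothetical shared key. Real deployments use per-zone keys held in an HSM
# and an ISO 9797-1 CBC-MAC; HMAC-SHA256 is used here only for illustration.
MAC_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")

Message = Dict[int, str]

def canonical_mac_input(msg: Message) -> bytes:
    # Fixed field order with explicit tags so that no two distinct messages
    # can share one encoding (e.g. amount and STAN can't bleed into each other).
    return "|".join(f"{de}={msg[de]}" for de in MAC_FIELDS).encode()

def compute_mac(msg: Message, key: bytes = MAC_KEY) -> str:
    digest = hmac.new(key, canonical_mac_input(msg), hashlib.sha256).hexdigest()
    return digest[:16]  # 8-byte MAC, the size DE64 carries

def issuer_response(request: Message, response_code: str,
                    key: bytes = MAC_KEY) -> Message:
    """Issuer side: echo the request fields, set DE39, seal with the MAC."""
    resp = dict(request)
    resp[39] = response_code
    resp[MAC_FIELD] = compute_mac(resp, key)
    return resp

def verify_response(resp: Message, key: bytes = MAC_KEY) -> bool:
    """Switch side: every MAC'd field must be present and the MAC must match."""
    if MAC_FIELD not in resp or any(de not in resp for de in MAC_FIELDS):
        return False
    return hmac.compare_digest(compute_mac(resp, key), resp[MAC_FIELD])

def switch_accepts(resp: Message, key: bytes = MAC_KEY) -> bool:
    """Dispense only on an authentic response whose DE39 is '00' (approved)."""
    return verify_response(resp, key) and resp.get(39) == "00"

# Constructed cash-withdrawal request: test PAN, 30,000.00 TRY (currency 949).
REQUEST: Message = {
    2: "4111111111111111",
    3: "010000",
    4: "000003000000",
    11: "123456",
    37: "000000123456",
    49: "949",
}

if __name__ == "__main__":
    decline = issuer_response(REQUEST, "51")      # 51 = insufficient funds
    rewritten = dict(decline)
    rewritten[39] = "00"                          # response code changed in transit
    print("genuine decline verifies:", verify_response(decline))
    print("rewritten approval verifies:", verify_response(rewritten))
    print("switch dispenses on rewritten:", switch_accepts(rewritten))
```

The design point is that the response code sits inside the MAC'd field set, so changing DE39 alone invalidates the seal; anything an in-path process could modify (amount, PAN, currency, response code) must be covered, and the verifier must be the component that decides to dispense, not one hop earlier.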