A Careful Look on FastCash, the New Cash Cow of Lazarus Hacking Group

The North Korean elite hacker team Lazarus has been wreaking havoc to many Automated Teller Machines located in Africa and Asia for the last two years. Dubbed the FastCash attacks, unauthorized ATM withdrawals were successfully pulled-off, at the expense of the real bank depositors’ account balance.

This ATM fraud is just right on the heels of previous two successful attacks, first against Sony Pictures of America four years ago, the followed by the Lazarus team’s alleged involvement with the Bangladesh Central Bank’s $81 million heist using Philippine casinos. Symantec, a mainstream antivirus vendor in their detailed Threat Intelligence report has highlighted the dangers imposed by FastCash attacks against banks. It is a modified “man-in-the-middle” play, where the trojan uses malformed withdrawal request, which ATMs still accept as valid, hence unauthorized transactions get completed.

“According to the U.S. government alert, one incident in 2017 saw cash withdrawn simultaneously from ATMs in over 30 different countries. In another major incident in 2018, cash was taken from ATMs in 23 separate countries. To date, the Lazarus FASTCash operation is estimated to have stolen tens of millions of dollars. Once installed on the server, Trojan. Fastcash will read all incoming network traffic, scanning for incoming ISO 8583 request messages. It will read the Primary Account Number (PAN) on all messages and, if it finds any containing a PAN number used by the attackers, the malware will attempt to modify these messages. How the messages are modified depends on each victim organization. It will then transmit a fake response message approving fraudulent withdrawal requests. The result is that attempts to withdraw money via an ATM by the Lazarus attackers will be approved,” explained by Symantec’s report.

The capability of FastCash to create a withdrawal request interception, change some value from it and resending it back to the ATM which the machine will accept is a serious feat of engineering. Lazarus team also created a family of FastCash trojan that effectively makes each one of them distinct from one another. “We believe that each variant is tailored for a particular transaction processing network and thus has its own tailored response logic. The PAN numbers used to carry out the FASTCash attacks relate to real accounts. According to the US-CERT report, most accounts used to initiate the transactions had minimal account activity or zero balances. How the attackers gain control of these accounts remains unclear. It is possible the attackers are opening the accounts themselves and making withdrawal requests with cards issued to those accounts. Another possibility is the attackers are using stolen cards to perform the attacks. In all reported FASTCash attacks to date, the attackers have compromised banking application servers running unsupported versions of the AIX operating system, beyond the end of their service pack support dates,” concluded Symantec.

Banks, especially those operating in Africa and Asia are strongly warned to take action immediately, especially those ATMs they maintain that is using an old and unsupported version of Windows. It is unfortunate that software with known vulnerability is still being used with ATM, making them easy targets for data manipulation attacks, causing bank customers to lose money. It is strongly recommended that banks use an operating system that is more lean, with features that exclusively caters to banking as well without other apps installed for any other purpose. That means the use of a general purpose operating system such as a fat Windows client OS should be highly discouraged across the board.