Saturday, April 20, 2024

Symantec uncovers Lazarus Group’s use of malware for FASTCash attacks to empty cash from ATMs


Last month, an alert was issued by US-CERT, the Department of Homeland Security, the Department of the Treasury, and the FBI stating that Hidden Cobra (the U.S. government's code name for Lazarus) has been conducting “FASTCash” attacks, stealing money from bank Automated Teller Machines (ATMs) in Asia and Africa since at least 2016.

Symantec says Lazarus is a very active attack group involved in both cyber crime and espionage. The group was initially known for its espionage operations and a number of high-profile disruptive attacks, including the 2014 attack on Sony Pictures. More recently, Lazarus has also become involved in financially motivated attacks, including the US$81 million theft from the Bangladesh Central Bank and the WannaCry ransomware.

Following US-CERT's report, Symantec has shared some of its findings on the key component used in the group's recent wave of financial attacks. The operation, known as “FASTCash”, has enabled Lazarus to fraudulently empty ATMs of cash. To make the fraudulent withdrawals, Lazarus first breaches the targeted banks' networks and compromises the switch application servers handling ATM transactions.

Once these servers are compromised, previously unknown malware (Trojan.Fastcash) is deployed. This malware intercepts the attackers' own fraudulent cash withdrawal requests and sends fake approval responses, allowing them to withdraw cash from ATMs.

According to the U.S. government alert, one incident in 2017 saw cash withdrawn simultaneously from ATMs in over 30 different countries. In another major incident in 2018, cash was taken from ATMs in 23 separate countries. To date, the Lazarus FASTCash operation is estimated to have stolen tens of millions of dollars.

How FASTCash attacks work

In order to permit their fraudulent withdrawals from ATMs, the attackers inject a malicious Advanced Interactive eXecutive (AIX) executable into a running, legitimate process on the switch application server of a financial transaction network, in this case a network handling ATM transactions. The malicious executable contains logic to construct fraudulent ISO 8583 messages; ISO 8583 is the standard for financial transaction messaging. The purpose of this executable had not been previously documented: it was previously believed that the attackers used scripts to manipulate legitimate software on the server into enabling the fraudulent activity.

However, analysis by Symantec has found that this executable is in fact malware, which it has named Trojan.Fastcash.

Trojan.Fastcash has two primary functions:

It monitors incoming messages and intercepts attacker-generated fraudulent transaction requests to prevent them from reaching the switch application that processes transactions.

It contains logic that generates one of three fraudulent responses to fraudulent transaction requests.

Once installed on the server, Trojan.Fastcash reads all incoming network traffic, scanning for incoming ISO 8583 request messages. It reads the Primary Account Number (PAN) on every message and, if it finds one carrying a PAN used by the attackers, attempts to modify that message. How the messages are modified depends on each victim organization. It then transmits a fake response message approving the fraudulent withdrawal request. The result is that attempts by the Lazarus attackers to withdraw money via an ATM are approved, while the real switch application never sees the request.
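The following Python model is added here as an illustration; it is not code from Symantec, the article, or the malware itself. It implements the message handling described above on a small constructed ISO 8583 subset: parse a request, match its PAN against a watchlist, and forge the 0210 approval the text describes. As a defender's counterpart (suggested here, not in the article), it also reconciles approvals seen on the wire against the STANs the switch itself logged, which is exactly the gap the described interception opens. The field layout, ASCII encoding, and the sample PAN/STAN values are assumptions.

```python
"""Model of the ISO 8583 interception described in the article, plus a reconciliation check.

Assumptions (not from the article): ASCII-encoded ISO 8583:1987 messages, a primary
bitmap only, and the field subset below. Real switch formats vary, which matches the
article's note that message handling differed per victim.
"""
from __future__ import annotations

from typing import Optional

# Field number -> (encoding, fixed or maximum length). Constructed subset for this example.
FIELD_SPEC = {
    2: ("LLVAR", 19),   # Primary Account Number (PAN)
    3: ("FIXED", 6),    # processing code (01xxxx = cash withdrawal)
    4: ("FIXED", 12),   # transaction amount in minor units
    7: ("FIXED", 10),   # transmission date/time MMDDhhmmss
    11: ("FIXED", 6),   # systems trace audit number (STAN)
    39: ("FIXED", 2),   # response code ("00" = approved)
    41: ("FIXED", 8),   # card acceptor terminal ID
    49: ("FIXED", 3),   # currency code
}


def bitmap_fields(hexmap: str) -> list[int]:
    """Return the field numbers whose bit is set in a 64-bit hex bitmap (bit 1 is the MSB)."""
    bits = int(hexmap, 16)
    return [i for i in range(1, 65) if bits & (1 << (64 - i))]


def parse_iso8583(msg: str) -> tuple[str, dict[int, str]]:
    """Split MTI + primary bitmap + fields; reject anything outside FIELD_SPEC."""
    mti, pos = msg[:4], 20
    present = bitmap_fields(msg[4:20])
    if 1 in present:
        raise ValueError("secondary bitmap not handled in this example")
    fields: dict[int, str] = {}
    for f in present:
        if f not in FIELD_SPEC:
            raise ValueError(f"field {f} not in spec")
        kind, length = FIELD_SPEC[f]
        if kind == "LLVAR":
            n = int(msg[pos:pos + 2])
            pos += 2
            if n > length:
                raise ValueError(f"field {f} too long")
            length = n
        fields[f] = msg[pos:pos + length]
        pos += length
    if pos != len(msg):
        raise ValueError("trailing data after last field")
    return mti, fields


def build_iso8583(mti: str, fields: dict[int, str]) -> str:
    """Inverse of parse_iso8583 for the same field subset."""
    bits, body = 0, []
    for f in sorted(fields):
        kind, length = FIELD_SPEC[f]
        val = fields[f]
        if kind == "LLVAR":
            body.append(f"{len(val):02d}{val}")
        elif len(val) != length:
            raise ValueError(f"field {f} must be {length} chars")
        else:
            body.append(val)
        bits |= 1 << (64 - f)
    return f"{mti}{bits:016X}{''.join(body)}"


def intercept(request: str, attacker_pans: set[str]) -> Optional[str]:
    """Behaviour the article attributes to Trojan.Fastcash: if a 0200 request carries a
    watched PAN, swallow it and forge a 0210 approval (field 39 = "00").
    Returns None when the message should pass through to the real switch untouched."""
    mti, f = parse_iso8583(request)
    if mti != "0200" or f.get(2) not in attacker_pans:
        return None
    response = {k: f[k] for k in (2, 3, 4, 7, 11, 41, 49) if k in f}
    response[39] = "00"  # approved
    return build_iso8583("0210", response)


def orphan_approvals(wire_responses: list[str], switch_log_stans: set[str]) -> list[tuple[str, str]]:
    """Defender's check (suggested here, not from the article): an approval on the wire
    whose STAN the switch never logged is a response the switch did not send."""
    return [
        (f.get(2, ""), f.get(11, ""))
        for mti, f in map(parse_iso8583, wire_responses)
        if mti == "0210" and f.get(39) == "00" and f.get(11) not in switch_log_stans
    ]


# Constructed sample: a USD 200.00 withdrawal request for a made-up watched PAN.
SAMPLE_REQUEST = build_iso8583("0200", {
    2: "4111111111111111", 3: "010000", 4: "000000020000",
    7: "1017143000", 11: "000123", 41: "ATM00001", 49: "840",
})
WATCHED_PANS = {"4111111111111111"}

if __name__ == "__main__":
    forged = intercept(SAMPLE_REQUEST, WATCHED_PANS)
    print("forged response:", forged)
    # The switch never saw STAN 000123, so the approval is flagged.
    print("orphans:", orphan_approvals([forged], switch_log_stans=set()))
```

The reconciliation in `orphan_approvals` is the practical takeaway: because the malware answers in place of the switch, an approval leaving the host that has no matching entry in the switch application's own transaction log cannot have come from the switch, regardless of how the attackers obtained the cards.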

The PANs used to carry out the attacks relate to real accounts. According to the US-CERT report, most accounts used to initiate the transactions had minimal account activity or zero balances. How the attackers gain control of these accounts remains unclear. It is possible the attackers are opening the accounts themselves and making withdrawal requests with cards issued to those accounts. Another possibility is that the attackers are using stolen cards to perform the attacks.

In all reported FASTCash attacks to date, the attackers have compromised banking application servers running unsupported versions of the AIX operating system, beyond the end of their service pack support dates.

Tech Observer Desk
Tech Observer Desk at TechObserver.in is a team of technology reporters led by a senior editor who brings latest updates and developments from the world of technology.