North Korean threat actors have been observed using a Linux variant of a known malware family called FASTCash to steal funds as part of a financially-motivated campaign.
The malware is “installed on payment switches within compromised networks that handle card transactions for the means of facilitating the unauthorized withdrawal of cash from ATMs,” a security researcher who goes by HaxRob said.
FASTCash was first documented by the U.S. government in October 2018 as used by adversaries linked to North Korea in connection with an ATM cashout scheme targeting banks in Africa and Asia since at least late 2016.
“FASTCash schemes remotely compromise payment switch application servers within banks to facilitate fraudulent transactions,” the agencies noted at the time.
“In one incident in 2017, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs located in over 30 different countries. In another incident in 2018, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs in 23 different countries.”
While prior FASTCash artifacts have systems running Microsoft Windows (including one spotted as recently as last month) and IBM AIX, the latest findings show that samples designed for infiltrating Linux systems were first submitted to the VirusTotal platform in mid-June 2023.
The malware takes the form of a shared object (“libMyFc.so”) that’s compiled for Ubuntu Linux 20.04. It’s designed to intercept and modify ISO 8583 transaction messages used for debit and credit card processing in order to initiate unauthorized fund withdrawals.
Specifically, it entails manipulating declined (magnetic swipe) transaction messages due to insufficient funds for a predefined list of cardholder account numbers and approving them to withdraw a random amount of funds in Turkish Lira.
The funds withdrawn per fraudulent transaction range from 12,000 to 30,000 Lira ($350 to $875), mirroring a Windows FASTCash artifact (“switch.dll”) previously detailed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in September 2020.
“[The] discovery of the Linux variant further emphasizes the need for adequate detection capabilities which are often lacking in Linux server environments,” the researcher said.