Cybersecurity experts have discovered a new Linux version of the notorious FASTCash malware, which North Korean hackers have been using to steal funds in sophisticated ATM heists. This variant targets payment switches within compromised banking networks, enabling unauthorized cash withdrawals from ATMs.
Originally documented by U.S. authorities in 2018, FASTCash schemes have been tied to North Korean cyber actors and have been active since at least 2016.
These attacks have targeted banks in Africa and Asia, compromising payment switch servers to process fraudulent transactions. Notably, in 2017, a major incident involved simultaneous ATM withdrawals across over 30 countries, and another event in 2018 saw similar attacks across 23 nations.
Until recently, the FASTCash malware targeted systems running Microsoft Windows and IBM AIX. The latest discovery shows that it now also targets Linux-based systems, with a variant built specifically for Ubuntu Linux 20.04.
The malware, submitted to VirusTotal in June 2023, takes the form of a shared object file named “libMyFc.so.” It manipulates ISO 8583 transaction messages, which are integral to card processing systems, to approve fraudulent withdrawals for predefined cardholder accounts. It focuses on transactions that were declined for insufficient funds and alters them so that the unauthorized cash-out is approved.
The fraudulent withdrawals, ranging from 12,000 to 30,000 Turkish Lira ($350 to $875), mirror previous Windows-based FASTCash attacks. The emergence of this Linux variant highlights a growing vulnerability in Linux server environments, where detection capabilities are often insufficient to combat such threats.
To prevent attacks like FASTCash, financial institutions must strengthen their defenses, especially in Linux environments where vulnerabilities are often overlooked. Implementing advanced threat detection tools, conducting regular security audits, and ensuring that payment switch servers are adequately monitored can reduce the risk of unauthorized access.