North Korean Hackers Use Linux FASTCash Malware to Target ATMs

Linux Version of FASTCash Malware Used in ATM Attacks

North Korean hackers are deploying a new Linux variant of the FASTCash malware to infect payment switching systems at financial institutions and illegally withdraw cash from ATMs. Previous versions of FASTCash targeted Windows systems and IBM AIX (Unix), but a recent report by cybersecurity researcher HaxRob has revealed a previously unknown Linux version aimed at Ubuntu 22.04 LTS distributions.

Experts first warned about the FASTCash ATM cash-out scheme back in 2018, attributing the activity to the North Korean hacking group Hidden Cobra. Reports indicate that FASTCash has been used to empty ATMs in Asian and African countries since at least 2016. In 2017, cash was withdrawn from ATMs in 30 countries simultaneously, and another incident in 2018 saw hackers drain ATMs in 23 more countries worldwide.

In 2020, the U.S. Cyber Command highlighted the renewed threat, linking it to FASTCash 2.0 and the APT38 (Lazarus) group. A year later, three North Korean nationals were charged for their alleged involvement in these schemes, which resulted in the theft of over $1.3 billion from financial organizations globally.

Details of the New Linux Variant

The latest variant spotted by HaxRob first appeared on VirusTotal in June 2023. The researcher notes that it shares similarities with the previous Windows and AIX versions. The new FASTCash is implemented as a shared library that is injected, via the ptrace system call, into a running process on the switch server, where it hooks that process's network functions.

The targeted switches act as intermediaries, connecting ATMs, point-of-sale (PoS) terminals, and banks' central systems by routing transaction requests and responses. The malware intercepts and manipulates ISO 8583 transaction messages, the message format used throughout the financial industry for processing debit and credit card transactions.

Specifically, FASTCash intercepts messages related to transactions that have been declined due to insufficient funds in the cardholder’s account, replacing the “decline” response with an “approve” response. The altered message also includes a random amount between 12,000 and 30,000 Turkish lira (approximately $350–$875 USD) to authorize the requested transaction.

Once this message, containing approval codes (DE38, DE39) and the amount (DE54), is sent back to the bank’s system, the bank approves the transaction, and a money mule working with the hackers withdraws the cash from the ATM.
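One check a defender can run against the alteration described above, as an added example that is not part of the article or of HaxRob's report: it assumes ASCII-encoded ISO 8583 messages carrying only the listed data elements, and that both the issuer host's outbound responses and the switch's ATM-facing responses are logged, so a response code (DE39), auth code (DE38) or additional amount (DE54) that changed between the two stands out. All messages, PANs and codes are constructed.

```python
# Added example (not from the article or HaxRob's report): reconcile ISO 8583
# responses logged at the issuer host with those the switch sent toward the ATM.
# Layouts for the data elements the check needs, ASCII encoding assumed:
# ("fixed", n) = n chars; ("ll", n) / ("lll", n) = 2- or 3-digit length prefix.
FIELDS = {2: ("ll", 19), 3: ("fixed", 6), 4: ("fixed", 12), 11: ("fixed", 6),
          38: ("fixed", 6), 39: ("fixed", 2), 54: ("lll", 120)}

def parse_iso8583(msg: str) -> dict:
    """Parse MTI + 16-hex-digit primary bitmap + the fields listed in FIELDS."""
    bitmap, pos, fields = int(msg[4:20], 16), 20, {"MTI": msg[:4]}
    for de in range(2, 65):                  # bit 1 (secondary bitmap) not handled
        if not bitmap & (1 << (64 - de)):
            continue
        kind, size = FIELDS[de]              # KeyError: field outside this toy spec
        if kind != "fixed":                  # variable length: read the length prefix
            n = 2 if kind == "ll" else 3
            size, pos = int(msg[pos:pos + n]), pos + n
        fields[de], pos = msg[pos:pos + size], pos + size
    return fields

def reconcile(issuer_log: list[str], switch_log: list[str]) -> list[tuple[str, str]]:
    """Pair responses by STAN (DE11); return (stan, reason) for every altered field."""
    issuer = {m[11]: m for m in map(parse_iso8583, issuer_log)}
    findings = []
    for m in map(parse_iso8583, switch_log):
        src = issuer.get(m[11])
        if src is None:
            findings.append((m[11], "no matching issuer response"))
            continue
        for de, label in ((39, "response code"), (38, "auth code"), (54, "additional amount")):
            if src.get(de) != m.get(de):
                findings.append((m[11], f"DE{de} {label} {src.get(de)!r} -> {m.get(de)!r}"))
    return findings

# Constructed sample: 0210 responses to a 200.00 withdrawal on a test PAN.
COMMON = "164000123456789010" + "010000" + "000000020000"   # DE2 (LLVAR), DE3, DE4
ISSUER_LOG = ["0210" + "7020000002000000" + COMMON + "000123" + "51",  # 51 = insufficient funds
              "0210" + "7020000002000000" + COMMON + "000124" + "51"]
SWITCH_LOG = ["0210" + "7020000006000400" + COMMON + "000123"          # same STAN, now approved,
              + "A1B2C3" + "00" + "020" + "1002949C000001500000",      # DE38, DE39, DE54 (15,000.00 TRY)
              "0210" + "7020000002000000" + COMMON + "000124" + "51"]  # untouched decline

if __name__ == "__main__":
    for stan, reason in reconcile(ISSUER_LOG, SWITCH_LOG):
        print(stan, reason)
```

Run on the sample, only STAN 000123 is reported, once per altered field; a real deployment would key on more than the STAN (date, terminal ID, PAN) to avoid collisions.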

Detection and Ongoing Development

When the Linux variant of FASTCash first appeared on VirusTotal, no security product flagged it, meaning the malware evaded most standard security mechanisms and allowed the attackers to operate undisturbed.

HaxRob also reports that an updated version of FASTCash for Windows was spotted on VirusTotal in September 2024, indicating that the attackers are actively developing other parts of their toolkit as well.