Threat Brief: FASTCash ATM Cash Out Tactics
October 12th, 2018
FASTCash is an ATM cash-out method utilized by the North Korean APT, Hidden Cobra. The method revolves around compromising payment switch servers and facilitating malicious transactions. Threat actors target the retail payment system infrastructure within banks, intercepting ATM transaction requests at the switch and enabling fraudulent cash withdrawals across national borders. Hidden Cobra exploited the targeted systems by using their knowledge of ISO 8583, the International Standards Organization’s standard for financial transaction messaging.
Since 2016, Hidden Cobra has used FASTCash to attack financial institutions in Africa and Asia. It is estimated that Hidden Cobra actors have stolen tens of millions of dollars and enabled cash to be simultaneously withdrawn from ATMs located in over 30 countries.
Although the infection vector is unknown, initial infiltration is most likely achieved through social engineering and tailored spear-phishing against bank employees. After deploying a backdoor and gaining a foothold inside the targeted network, the actors harvest credentials and move laterally inside the network in order to gain access to the payment switch server.
All of the successfully compromised switch servers were running versions of IBM Advanced Interactive Executive (AIX) that were no longer supported by the vendor. This allowed Hidden Cobra to deploy ISO 8583 libraries with export functions that let it perform transactions on financial systems. The threat actors use these libraries to interpret financial request messages and to construct fraudulent financial response messages. They intercept financial request messages for specific primary account numbers (PANs) and block the corresponding transaction messages so that denial messages never leave the switch; they then use the deployed libraries to approve the fraudulent transactions.
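Two switch-side checks that follow from this technique, as an added example (not IntSights' or any vendor's code): reconcile the approvals the switch emits against the issuer host's own authorization record, and flag PANs approved from several acquirer countries within a short window. The records, field names and thresholds below are constructed and simplified.

```python
"""Switch-side detection for FASTCash-style abuse (added example).

Records are a constructed, simplified view of ISO 8583 traffic as a payment
switch might journal it: MTI (0210 = financial response), PAN, STAN (field 11),
acquirer country and response code (field 39, "00" = approved). A real
deployment would parse the switch journal and the issuer host's authorization
log instead of these inline samples.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SWITCH_LOG = [  # constructed sample: responses that left the switch toward ATMs
    {"mti": "0210", "pan": "4111111111110001", "stan": "1001", "country": "NP", "rc": "00", "ts": "2018-10-12T01:00:00"},
    {"mti": "0210", "pan": "4111111111110002", "stan": "2001", "country": "IN", "rc": "00", "ts": "2018-10-12T01:00:10"},
    {"mti": "0210", "pan": "4111111111110002", "stan": "2002", "country": "TH", "rc": "00", "ts": "2018-10-12T01:01:00"},
    {"mti": "0210", "pan": "4111111111110002", "stan": "2003", "country": "PH", "rc": "00", "ts": "2018-10-12T01:02:30"},
    {"mti": "0210", "pan": "4111111111110002", "stan": "2004", "country": "ID", "rc": "00", "ts": "2018-10-12T01:03:00"},
    {"mti": "0210", "pan": "4111111111110003", "stan": "3001", "country": "NP", "rc": "51", "ts": "2018-10-12T01:04:00"},
]
# constructed sample: (STAN, PAN) pairs the issuer host itself approved
ISSUER_APPROVALS = {("1001", "4111111111110001")}


def unauthorised_approvals(switch_log, issuer_approvals):
    """STANs of approved 0210 responses that left the switch although the
    issuer never approved them: the mark of a response built on the switch."""
    return [r["stan"] for r in switch_log
            if r["mti"] == "0210" and r["rc"] == "00"
            and (r["stan"], r["pan"]) not in issuer_approvals]


def multi_country_withdrawals(switch_log, window_minutes=10, min_countries=3):
    """PANs with approved responses from >= min_countries acquirer countries
    inside one sliding window; physically implausible for a single card."""
    by_pan = defaultdict(list)
    for r in switch_log:
        if r["mti"] == "0210" and r["rc"] == "00":
            by_pan[r["pan"]].append((datetime.fromisoformat(r["ts"]), r["country"]))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for pan, events in by_pan.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            countries = {c for t, c in events[i:] if t - start <= window}
            if len(countries) >= min_countries:
                flagged[pan] = sorted(countries)
                break
    return flagged
```

Both checks key on the response leg only, so they still work when the attacker has suppressed the request from ever reaching the issuer.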
Hidden Cobra actors use different malware for each known campaign, but the malicious applications used in those campaigns have similar capability and functionality.
Here are malware examples used in the latest FASTCash campaign:
After initial infiltration, most likely by means of spear-phishing, the attackers deploy payloads in a modular fashion, according to the environment they were able to compromise.
They begin by delivering a Themida-packed 32-bit or 64-bit Windows executable. This executable is capable of modifying firewall settings to open a backdoor, installing a proxy server application, harvesting credentials and downloading secondary payloads if needed.
When the targeted payment switch server is located, and enough data has been gathered to access it, the malicious actors deploy Advanced Interactive Executive (AIX) executables. Those files are intended for a proprietary UNIX operating system developed by IBM; they allow the attacker to perform code injection and provide the functionality to perform transactions on financial systems using the ISO 8583 standard.
Hidden Cobra’s Activity Against Financial Organizations
| Date | Targeted Entity | Country | Total Amount Stolen |
|---|---|---|---|
| December 2015 | TPBank | Vietnam | Attempted $1.36 Million (All Recovered) |
| February 2016 | Central Bank of Bangladesh | Bangladesh | Attempted $951 Million ($81M Stolen) |
| October 2017 | NIC Asia Bank | Nepal | Attempted $4.4 Million ($500k Stolen) |
| October 2017 | FEIB | Taiwan | Attempted $60 Million ($500k Stolen) |
| January 2018 | Bancomext | Mexico | Attempted $110 Million (All Recovered) |
| May 2018 | Banco de Chile | Chile | $10 Million Stolen |
Financial Services Threat Landscape Report (July 2018)
Andrey Yakovlev is a Security Researcher at IntSights, focused on intelligence hunting from the Russian Dark Web. He is an experienced professional with over 6 years of experience in the cyber security field. Andrey specializes in threat discovery, computer forensics and behavioral analysis of Trojans.