Threat Brief: FASTCash ATM Cash Out Tactics

FASTCash is an ATM cash-out method utilized by the North Korean APT, Hidden Cobra. This method revolves around compromising payment switch servers and facilitating malicious transactions. Threat actors target the retail payment system infrastructure within banks that intercepts fraudulent ATM calls and enables cash withdrawals across national borders. Hidden Cobra exploited the targeted systems by using their knowledge of ISO 8583, the International Standards Organization’s standard for financial transaction messaging.

Since 2016, Hidden Cobra has used FASTCash to attack financial institutions in Africa and Asia. It is estimated that Hidden Cobra actors have stolen tens of millions of dollars and enabled cash to be simultaneously withdrawn from ATMs located in over 30 countries.

Technical Details

Although the infection vector is unknown, initial infiltration is most likely achieved through social engineering and tailored spear-phishing against bank employees. After deploying a backdoor and gaining a foothold inside the targeted network, the actors harvest credentials and move laterally inside the network in order to gain access to the payment switch server.

All of the successfully compromised switch servers were running IBM Advanced Interactive Executive (AIX) operating systems no longer supported by vendors. This allowed Hidden Cobra to deploy ISO 8583 libraries with export functions, which allows it to perform transactions on financial systems. Threat actors use these libraries to help interpret financial request messages and successfully construct fraudulent financial response messages. The threat actors intercept financial request messages for specific primary account numbers (PANs) and block transaction messages to stop denial messages from leaving the switch. They then use the deployed libraries to approve the fraudulent transactions.

Latest TTPs

Hidden Cobra actors use different malware for each known campaign, but the malicious applications used in those campaigns have similar capability and functionality.

Here are malware examples used in the latest FASTCash campaign:

After initial infiltration, most likely by the means of spear-phishing, the hackers proceed to deploy payloads in a modular fashion, according to the environment they were able to compromise.

They begin with delivering a Themida-packed 32-bit or 64-bit Windows executable. This executable is capable of modifying Firewall settings to open a backdoor, installing a proxy server application, harvesting credentials and downloading secondary payloads if needed.

When the targeted payment switch server is located, and enough data has been gathered to access it, the malicious actors deploy Advanced Interactive Executive (AIX) executables. Those files are intended for a proprietary UNIX operating system developed by IBM and allow the attacker to execute code injections and provide the functionality to perform transactions on financial systems using the ISO8583 standard.

Hidden Cobra’s Activity Against Financial Organizations
DateTargeted EntityCountryTotal Amount Stolen
December 2015TPBankVietnamAttempted $1.36 Million (All Recovered)
February 2016Central Bank of Bangladesh BangladeshAttempted $951 Million ($81M Stolen)
October 2017 NIC Asia BankNepalAttempted $4.4 Million ($500k Stolen)
October 2017 FEIBTaiwan Attempted $60 Million ($500k Stolen)
January 2018 BancomextMexicoAttempted $110 Million (All Recovered)
May 2018 Banco de ChileChile$10 Million Stolen

Campaign IOCs

Hashes

  • 5cfa1c2cb430bec721063e3e2d144feb
  • 5c0a4f9e67ced69eaea17092444b2c1a
  • 4f67f3e4a7509af1b2b1c6180a03b3e4
  • 02959903cd988443e5ef519d556b34b0
  • d0a8e0b685c2ea775a74389973fc92ca
  • 8efaabb7b1700686efedadb7949eba49
  • b3efec620885e6cf5b60f72e66d908a9
  • d790997dd950bb39229dc5bd3c2047ff
  • 844eec0ff86c10f5f9b41648b066563b
  • 58bb2236e5aee39760d3e4fc6ee94a79
  • b66be2f7c046205b01453951c161e6cc
  • 46b318bbb72ee68c9d9183d78e79fb5a

IP Address

  • 75.99.63.27

Further Reading

IntSights_Financial_Services_Landscape_Cover


Financial Services Threat Landscape Report (July 2018)

Stay up to Date!

Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.