A recent cyber campaign conducted by North Korean threat actors involves a Linux variant of the financially motivated malware family known as “FASTCash.”
The FASTCash malware, identified as a payment switch malware, was first observed by the US government in October 2018 when it was utilized by North Korean adversaries in an ATM scheme targeting banks in Africa and Asia.
Since its initial discovery, the campaign has evolved significantly. It can now target banks using Windows Server for their switch application and has expanded to include interbank payment processors in its scope.
While previous versions of the malware focused on Microsoft Windows and IBM AIX systems, the latest findings indicate that it has been adapted to infiltrate Linux systems.
The FASTCash malware manipulates the ISO 8583 transaction messages used in debit and credit card transactions to make unauthorized withdrawals, including approving transactions that had been declined for insufficient funds, allowing cash to be withdrawn in Turkish currency.
Researchers have highlighted the importance of implementing cybersecurity measures such as chip and PIN requirements for debit cards, verifying message authentication codes, and performing authorization response cryptogram validation to prevent exploitation attempts.
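The message-authentication check described above, as an added illustration that is not code from the original article or from any FASTCash analysis: a simplified ISO 8583 authorization response (fields held in a dict rather than a packed bitmap message, with HMAC-SHA256 standing in for the switch's real MAC scheme) is signed by the issuer, and a switch-side verifier rejects a copy whose response code has been flipped from 51 (insufficient funds) to 00 (approved) without the MAC being recomputed. The key, field values and helper names are constructed for the demo.

```python
import hmac
import hashlib

# Data element numbers are the standard ISO 8583 ones; the wire format is
# simplified to a dict so the verification logic stays readable.
DE_AMOUNT = 4
DE_RESPONSE_CODE = 39
DE_CURRENCY = 49
DE_MAC = 64

# Constructed demo key. In production the MAC key lives in an HSM and is
# shared only between the issuer and the payment switch.
MAC_KEY = b"demo-mac-key-not-real"


def canonical(fields):
    """Serialize every data element except the MAC in a fixed order so that
    issuer and verifier MAC over identical bytes."""
    parts = [f"{de}={fields[de]}" for de in sorted(fields) if de != DE_MAC]
    return "|".join(parts).encode()


def compute_mac(fields, key=MAC_KEY):
    """HMAC-SHA256 stands in for the CBC-MAC real switches typically use;
    the verification pattern is the same."""
    return hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()


def sign_response(fields, key=MAC_KEY):
    signed = dict(fields)
    signed[DE_MAC] = compute_mac(signed, key)
    return signed


def verify_response(fields, key=MAC_KEY):
    """True only if DE64 matches the other fields. An in-path component that
    rewrites DE39 cannot recompute DE64 without the key, so the edit shows."""
    return hmac.compare_digest(compute_mac(fields, key), fields.get(DE_MAC, ""))


def classify_response(fields, key=MAC_KEY):
    """Outcome for the switch's alerting pipeline."""
    if not verify_response(fields, key):
        return "REJECT: MAC mismatch"
    return "ACCEPT" if fields[DE_RESPONSE_CODE] == "00" else "DECLINED"


# Constructed sample: issuer declines a 5000.00 TRY withdrawal (DE49=949,
# ISO 4217 code for Turkish lira) with response code 51.
ISSUER_RESPONSE = sign_response({DE_AMOUNT: "000000500000",
                                 DE_CURRENCY: "949",
                                 DE_RESPONSE_CODE: "51"})

# Same message with only the response code rewritten; the MAC is now stale.
TAMPERED_RESPONSE = {**ISSUER_RESPONSE, DE_RESPONSE_CODE: "00"}
```

`classify_response(ISSUER_RESPONSE)` returns `"DECLINED"`, while `classify_response(TAMPERED_RESPONSE)` returns `"REJECT: MAC mismatch"`, which is the signal a switch should raise rather than dispensing cash.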