The FASTCASH scheme is a dangerous ATM cash-out scheme used by the Lazarus hacker group. This criminal collective is prolific at launching advanced attack campaigns against high-profile targets. Our article sums up their latest attacks, which extract money from ATM machines.
The Lazarus Hackers Are Behind the Ongoing FASTCASH Scheme Attacks
The US-CERT center has published a joint advisory with DHS, the FBI and the Treasury about widespread abuse of the FASTCASH scheme, which allows criminals to cash out ATM machines. This hacking group is well known for conducting high-profile attacks using complex code — custom-made tools created specifically for the targets. The research shows that they have been abusing the FASTCASH technique against banking targets since at least 2016.
Security experts examined 10 samples of malware containing FASTCASH code. They are designed to intrude into the SWIFT servers that process transactions and manipulate the messages. As a result, the behavior of the ATM machines is altered. The analysis shows that the Lazarus hackers were able to withdraw funds simultaneously from machines located in 23 different countries. The reason the SWIFT servers are manipulated is that they validate the bank account details of the targeted users; manipulating this data can lead to the withdrawal of their funds.
The FASTCASH technique is deployed to the application servers via scripts that take advantage of vulnerabilities. Once the intrusion is complete, the malicious code intercepts the financial messages coming in from the ATM machines and crafts its own replies. These responses follow the established norms and message structure, which means the hackers have advanced knowledge of how the relevant protocols and standards are processed.
One of the reasons the attacks succeed is that the compromised application servers were running unsupported operating system versions, specifically IBM AIX (Advanced Interactive eXecutive), a popular UNIX choice for enterprise clients. The analysis also shows that most of the accounts used to initiate the transactions had minimal activity or zero balances. So far the confirmed cases of this technique involve banks in Africa and Asia. US government experts are investigating reported incidents to see whether they are linked to FASTCASH and the Lazarus hackers.
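The two indicators described above (approved withdrawals from accounts with minimal activity or zero balances, and near-simultaneous withdrawals spread across many countries) lend themselves to a reconciliation check of the switch's approval log against core-banking balances. The following Python is an added example, not code from the advisory or from the analysed malware; the log format, account names, balances and country codes are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger: balances as the core banking system knows them.
LEDGER = {"ACC-001": 0.00, "ACC-002": 12.50, "ACC-003": 5000.00}

# Constructed sample switch log (simplified; not real ISO or SWIFT records):
# <timestamp> <account> <amount> <ATM country> <switch response>
SWITCH_LOG = """\
2018-10-02T03:00:01Z ACC-001 900.00 KE APPROVED
2018-10-02T03:00:02Z ACC-001 900.00 NG APPROVED
2018-10-02T03:00:04Z ACC-002 750.00 IN APPROVED
2018-10-02T03:00:05Z ACC-001 900.00 ZA APPROVED
2018-10-02T03:00:07Z ACC-003 900.00 KE DECLINED
2018-10-02T09:15:00Z ACC-003 100.00 KE APPROVED
"""

def parse_log(text):
    """Turn the whitespace-separated log into dicts with typed fields."""
    rows = []
    for line in text.splitlines():
        ts, acct, amount, country, resp = line.split()
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                     "acct": acct, "amount": float(amount),
                     "country": country, "resp": resp})
    return rows

def find_unfunded_approvals(rows, ledger):
    """Approvals the ledger could not cover: the switch said yes, the balance says no."""
    return [r for r in rows
            if r["resp"] == "APPROVED" and r["amount"] > ledger.get(r["acct"], 0.0)]

def find_multi_country_bursts(rows, window=timedelta(minutes=10), min_countries=3):
    """Accounts approved at ATMs in >= min_countries countries inside one window."""
    by_acct = defaultdict(list)
    for r in rows:
        if r["resp"] == "APPROVED":
            by_acct[r["acct"]].append(r)
    flagged = {}
    for acct, txns in by_acct.items():
        txns.sort(key=lambda r: r["ts"])
        for i, first in enumerate(txns):
            # Sliding window anchored on each approval in turn.
            countries = {t["country"] for t in txns[i:] if t["ts"] - first["ts"] <= window}
            if len(countries) >= min_countries:
                flagged[acct] = sorted(countries)
                break
    return flagged
```

Both checks run against the switch's own log, so they still fire when the fraudulent responses are syntactically perfect: the first only needs the core balance, the second only timestamps and ATM locations.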
The source of infection is believed to be scam messages arriving via email or Internet sites. The targets were sent messages or redirected to sites designed to appear as legitimate sources. An executable file is the primary payload that leads to the malware infection.
Given the complexity of this case and the advanced knowledge of the Lazarus hackers, we expect that other campaigns are forthcoming.