North Korean hackers use newly discovered Linux malware to raid ATMs
In the beginning, North Korean hackers compromised the banking infrastructure running AIX, IBM’s proprietary version of Unix. Next, they hacked infrastructure running Windows. Now, the state-backed bank robbers have expanded their repertoire to include Linux.
The malware, tracked under the name FASTCash, is a remote access tool that gets installed on payment switches inside compromised networks that handle payment card transactions. The US Cybersecurity and Infrastructure Security Agency first warned of FASTCash in 2018 in an advisory that said the malware was infecting AIX-powered switches inside retail payment networks. In 2020, the agency updated its guidance to report FASTCash was now infecting switches running Windows as well. Besides embracing Windows, FASTCash had also expanded its net to include not just switches for retail payments but those handled by regional interbank payment processors as well.
Tampering with transaction messages on the fly
Over the weekend, a researcher reported finding two samples of FASTCash compiled for switches running Linux. One is built for Ubuntu Linux 20.04 and was likely developed sometime after April 21, 2022; the other was likely never used. The Linux version was uploaded to VirusTotal in June 2023, yet as of Sunday no anti-malware engine detected it, and as of the time this post went live only four engines detected each sample.