Attacks with the new FASTCash malware for Linux have been launched by North Korean hackers against financial organizations' Ubuntu 22.04 LTS-based payment switch systems to facilitate unauthorized ATM transactions, reports BleepingComputer.
After being installed into a running process on a payment switch server through the 'ptrace' system call, FASTCash for Linux, which significantly resembles iterations of the malware for Windows and AIX, facilitates ISO8583 transaction message interception and alteration, according to cybersecurity researcher HaxRob, who discovered the updated variant. Bank approval of the manipulated messages, which specify amounts ranging from 12,000 to 30,000 Turkish Lira, would then enable ATM withdrawals by a money mule. Aside from the discovery of the Linux variant of FASTCash, which has not yet been detected by VirusTotal, an updated Windows version has also been submitted by attackers, indicating the continued evolution of their toolset. The discovery comes after separate FASTCash ATM schemes since 2018 were associated with the Lazarus Group, also known as Hidden Cobra and APT38.
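
The report says the malware is installed into a running payment switch process through ptrace. The following defender-side check is an added example, not code from HaxRob or BleepingComputer: it parses a process's /proc data and flags an attached tracer, executable mappings loaded from outside trusted directories, and a permissive Yama ptrace_scope. It goes beyond the report in assuming injected code appears as a file-backed mapping; the process name, PIDs and paths are constructed.

```python
# Yama LSM settings (/proc/sys/kernel/yama/ptrace_scope)
PTRACE_SCOPE = {0: "any same-UID process may attach",
                1: "only ancestors or declared tracers may attach",
                2: "CAP_SYS_PTRACE required to attach",
                3: "attach disabled until reboot"}

def parse_status(text):
    """Parse the text of /proc/<pid>/status into {field: value}."""
    pairs = (l.split(":", 1) for l in text.splitlines() if ":" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def suspicious_maps(maps_text, trusted=("/usr/", "/lib/")):
    """Executable file-backed mappings outside trusted dirs or deleted on disk.
    Assumption: injected code is file-backed; a library replaced by a package
    upgrade also shows as deleted, so hits need triage."""
    hits = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)   # addr perms offset dev inode path
        if len(parts) < 6 or "x" not in parts[1] or not parts[5].startswith("/"):
            continue                  # anonymous, [heap]/[stack], or non-exec
        if parts[5].endswith(" (deleted)") or not parts[5].startswith(trusted):
            hits.append(parts[5])
    return hits

def assess(status_text, maps_text, scope):
    """Findings for one process; scope is the integer in ptrace_scope."""
    st = parse_status(status_text)
    findings = []
    tracer = int(st.get("TracerPid", "0"))
    if tracer:                        # non-zero only while a tracer is attached
        findings.append(f"{st.get('Name')} is traced by PID {tracer}")
    findings += [f"untrusted executable mapping: {p}" for p in suspicious_maps(maps_text)]
    if scope < 3:
        findings.append(f"ptrace_scope={scope}: {PTRACE_SCOPE[scope]}")
    return findings

# Constructed sample data; 'switchd', the PIDs and the /tmp path are hypothetical.
STATUS = "Name:\tswitchd\nState:\tS (sleeping)\nPid:\t2210\nTracerPid:\t4711\n"
MAPS = """\
55d0c0a00000-55d0c0a4f000 r-xp 00000000 08:01 393301 /usr/local/bin/switchd
7f1c2a000000-7f1c2a195000 r-xp 00028000 08:01 131234 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1c2b400000-7f1c2b40c000 r-xp 00000000 08:01 917512 /tmp/.cache/libx.so (deleted)
7f1c2b600000-7f1c2b621000 rw-p 00000000 00:00 0 [heap]
"""

if __name__ == "__main__":
    for finding in assess(STATUS, MAPS, scope=1):
        print(finding)
```

On a live host the three inputs come from /proc/<pid>/status, /proc/<pid>/maps and /proc/sys/kernel/yama/ptrace_scope.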