
FASTCash

Posted: April 19, 2019

FASTCash is a Trojan that hijacks ATM transactions to give threat actors fraudulent withdrawal capabilities. Although it doesn't target ATM customers directly, it compromises the issuing bank's transaction processing and lets the attackers withdraw arbitrary amounts of cash. Banking institutions can follow standard network security guidelines to reduce their infection risk and let anti-malware products intercept and delete FASTCash.

ATM Cash with No Questions Asked

There's more than one way of making money, as Lazarus (AKA Hidden Cobra), the threat actor behind the HOPLIGHT backdoor, file-locker Trojan infections, and other campaigns, demonstrates as a matter of course. Many cyber-security reports focus on the customer side of these attacks, such as the credential-collecting MagentoName JS-sniffer family, which takes customer information while they're making purchases. FASTCash, however, targets the opposite end of the transaction: the bank.

Threat actors drop FASTCash onto banking servers that run the payment switch application, which approves or denies ATM cash withdrawals. FASTCash runs as an executable that injects into a running process on the server to hide itself, and from there it intercepts every transaction request passing through the switch. It only interferes with requests that fit the attackers' template, selected by the PAN (primary account number) in use. The numbers are real, although malware researchers can't determine whether they belong to stolen accounts or to new ones that the hackers open as needed.

When it gets a fraudulent withdrawal request, FASTCash responds with an approval of its own instead of forwarding the request to the bank's authorization host, letting the threat actors take the cash. There are minor variants in this function that relate to different environments, and malware researchers believe that Lazarus customizes FASTCash to run smoothly inside the network of each banking institution it attacks.
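The interposition described above, and the reconciliation check a bank can run against it, as an added example that is not FASTCash's own code or any vendor's switch software. It models the switch, the issuer's authorization host, and a FASTCash-style hook with plain Python dictionaries rather than real ISO 8583 messages; the PANs, amounts and STANs are constructed test values, and the attacker PAN list is a hypothetical stand-in for whatever template the real Trojan matches on.

```python
from dataclasses import dataclass, field

# Constructed sample data: these are test-style card numbers, not real accounts.
ATTACKER_PANS = {"4000000000000002", "5100000000000008"}

APPROVED = "00"          # ISO 8583-style response codes used by this model
DECLINED_FUNDS = "51"    # insufficient funds
DECLINED_UNKNOWN = "14"  # invalid card number


@dataclass
class Issuer:
    """The issuing bank's authorization host: the source of truth for approvals."""
    balances: dict
    auth_log: list = field(default_factory=list)

    def authorize(self, req):
        pan, amount = req["pan"], req["amount"]
        if pan not in self.balances:
            code = DECLINED_UNKNOWN
        elif self.balances[pan] < amount:
            code = DECLINED_FUNDS
        else:
            self.balances[pan] -= amount
            code = APPROVED
        resp = {"stan": req["stan"], "pan": pan, "amount": amount, "response_code": code}
        self.auth_log.append(resp)  # every decision the issuer actually made
        return resp


@dataclass
class Switch:
    """Honest payment switch: forwards every withdrawal request to the issuer."""
    issuer: Issuer

    def handle(self, req):
        return self.issuer.authorize(req)


@dataclass
class InterposedSwitch:
    """Models FASTCash inside the switch process: requests whose PAN is on the
    attacker's list never reach the issuer and receive a forged approval.
    Everything else is passed through untouched, so legitimate traffic looks normal."""
    inner: Switch
    pans: set

    def handle(self, req):
        if req["pan"] in self.pans:
            return {"stan": req["stan"], "pan": req["pan"],
                    "amount": req["amount"], "response_code": APPROVED}
        return self.inner.handle(req)


def run_atm_network(switch, requests):
    """Acquiring side: send each withdrawal and record the response the ATM acted on."""
    return [switch.handle(r) for r in requests]


def find_unbacked_approvals(atm_responses, issuer_auth_log):
    """Reconciliation check (assumed control, not from the page): approvals the
    ATM network acted on that have no matching approval in the issuer's own log."""
    authorized = {(a["stan"], a["pan"], a["amount"])
                  for a in issuer_auth_log if a["response_code"] == APPROVED}
    return [r for r in atm_responses
            if r["response_code"] == APPROVED
            and (r["stan"], r["pan"], r["amount"]) not in authorized]


def demo():
    issuer = Issuer(balances={"4111111111111111": 500})
    compromised = InterposedSwitch(Switch(issuer), ATTACKER_PANS)
    requests = [  # constructed traffic: two legitimate withdrawals, two attacker ones
        {"stan": "000101", "pan": "4111111111111111", "amount": 200},
        {"stan": "000102", "pan": "4111111111111111", "amount": 400},
        {"stan": "000103", "pan": "4000000000000002", "amount": 9000},
        {"stan": "000104", "pan": "5100000000000008", "amount": 12000},
    ]
    responses = run_atm_network(compromised, requests)
    suspicious = find_unbacked_approvals(responses, issuer.auth_log)
    return responses, issuer.auth_log, suspicious


if __name__ == "__main__":
    responses, auth_log, suspicious = demo()
    print("responses:", [r["response_code"] for r in responses])
    print("issuer saw:", [a["stan"] for a in auth_log])
    print("unbacked approvals:", [s["stan"] for s in suspicious])
```

The point the model makes is that the forged approvals never appear in the issuer's authorization log, so a periodic comparison of the acquirer-side approval records against the issuer host's own records exposes them even when the switch process itself is untrustworthy. The check assumes the issuer log is collected from the authorization host rather than from the compromised switch; if the attacker controls both, reconciliation alone won't catch it.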

Slowing Down the Pace of ATM Robbery

An especially important factor in FASTCash's attacks is a feature that all known victims share: outdated versions of the AIX operating system that no longer receive security updates. Modern versions of AIX will require new strategies from FASTCash's threat actors to enable the Trojan's attacks. Regionally, FASTCash appears most often in banks that operate in Asia and Africa, although there are few technical reasons why Lazarus couldn't deploy a variant of the Trojan elsewhere.

Malware analysts strongly suspect that e-mail is the dominant infection vector for this threat. Phishing messages may use content that appeals to specific bank employees or regional workers, including invoices, job applications, review notifications or news reports. Embedded Word macros are an exceptionally common delivery mechanism, although they require the victim's consent to run. Most anti-malware programs should catch and remove FASTCash or its installers, even in these embedded formats.

By targeting the bank's side of financial transactions, FASTCash stays out of the spotlight that endangering large numbers of 'civilian' victims provokes. Whether or not that's an effective defensive tactic in the long term, FASTCash is making money.
