On October 2, 2018, an alert was issued by US-CERT, the Department of Homeland Security, the Department of the Treasury, and the FBI. According to this new alert, Hidden Cobra (the U.S. government’s code name for Lazarus) has been conducting “FASTCash” attacks stealing money from Automated Teller Machines (ATMs) from banks in Asia and Africa since at least 2016.

Lazarus is a very active attack group involved in both cyber crime and espionage. The group was initially known for its espionage operations and a number of high-profile disruptive attacks, including the 2014 attack on SONY Pictures. More recently, Lazarus has also become involved in financially motivated attacks, including a US$81 million theft from the Bangladesh Central Bank and the WannaCry ransomware.

Symantec has now uncovered the key component used in the group’s recent wave of financial attacks. The operation, known as “FASTCash”, has enabled Lazarus to fraudulently empty ATMs of cash. To make the fraudulent withdrawals, Lazarus first breaches targeted banks’ networks and compromises the switch application servers handling ATM transactions.

Once these servers are compromised, previously unknown malware (Trojan.Fastcash) is deployed. This malware in turn intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses, allowing the attackers to steal cash from ATMs.

According to the U.S. government alert, one incident in 2017 saw cash withdrawn simultaneously from ATMs in over 30 different countries. In another major incident in 2018, cash was taken from ATMs in 23 separate countries. To date, the Lazarus FASTCash operation is estimated to have stolen tens of millions of dollars.

How FASTCash attacks work – Details
In order to permit their fraudulent withdrawals from ATMs, the attackers inject a malicious Advanced Interactive eXecutive (AIX) executable into a running, legitimate process on the switch application server of a financial transaction network, in this case an ATM network. The malicious executable contains logic to construct fraudulent ISO 8583 messages. ISO 8583 is the standard for financial transaction messaging. The purpose of this executable has not been previously documented. It was previously believed that the attackers used scripts to manipulate legitimate software on the server into enabling the fraudulent activity.

However, analysis by Symantec has found that this executable is in fact malware, which we have named Trojan.Fastcash. It has two primary functions:

    1. It monitors incoming messages and intercepts attacker-generated
       fraudulent transaction requests to prevent them from reaching the switch
       application that processes transactions.
    2. It generates and transmits fake response messages that approve those
       intercepted fraudulent transaction requests.

Once installed on the server, Trojan.Fastcash will read all incoming network traffic, scanning for incoming ISO 8583 request messages. It will read the Primary Account Number (PAN) on all messages and, if it finds any containing a PAN used by the attackers where the Message Type Indicator (MTI) is “0x100 Authorization Request from Acquirer,” it will block the message from going any further. It will then transmit a fake response message approving the fraudulent withdrawal request. The result is that attempts to withdraw money via an ATM by the Lazarus attackers will be approved.

Here is one example of the response logic that Trojan.Fastcash uses to generate fake responses. This particular sample has logic to construct one of three fake responses based on the incoming attacker request:

If (Processing Code == 010000):
    Response code = 51

If (Processing Code == 300000):
    Response code = 00
    Amount = Randomly computed number

All other Processing Codes:
    Response code = 51
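As an added example (not Trojan.Fastcash code or Symantec tooling), the Python below encodes and parses the ISO 8583 fields discussed above under an assumed ASCII layout and applies the check that follows from the malware's behaviour: a response leaving the server whose request never reached the switch application is an orphan, which is what a blocked request plus an injected approval looks like from a vantage point the compromised server cannot rewrite. The STAN field, the response-code meanings and every sample message are assumptions or constructed data, not values from the investigation.

```python
# Added example, not Trojan.Fastcash or Symantec code. Assumes an ASCII ISO 8583
# layout: 4-digit MTI, 16-hex-char primary bitmap, then the fields below.
# ("LL", _) = 2-digit length prefix + data; ("F", n) = fixed n characters.
FIELD_SPEC = {2: ("LL", 0),    # Primary Account Number (PAN)
              3: ("F", 6),     # Processing code: 010000 withdrawal, 300000 balance inquiry
              4: ("F", 12),    # Amount, zero-padded
              11: ("F", 6),    # STAN: trace number that pairs a request with its response
              39: ("F", 2)}    # Response code: 00 approved, 51 insufficient funds

def encode(mti, fields):
    """Serialise an ISO 8583 message from {field_number: value}."""
    bits, body = 0, ""
    for num in sorted(fields):
        kind, size = FIELD_SPEC[num]
        val = str(fields[num])
        bits |= 1 << (64 - num)          # bit 1 is the most significant bit
        body += f"{len(val):02d}{val}" if kind == "LL" else val.rjust(size, "0")
    return f"{mti}{bits:016X}{body}"

def parse(msg):
    """Inverse of encode(); only fields listed in FIELD_SPEC are understood."""
    mti, bitmap, pos, fields = msg[:4], int(msg[4:20], 16), 20, {}
    for num in range(2, 65):
        if not bitmap & (1 << (64 - num)):
            continue
        kind, size = FIELD_SPEC[num]
        if kind == "LL":
            size, pos = int(msg[pos:pos + 2]), pos + 2
        fields[num], pos = msg[pos:pos + size], pos + size
    return mti, fields

def orphan_responses(wire_msgs, switch_log):
    """(STAN, PAN) of each 0110 response on the wire whose 0100 request the switch
    application never logged; switch_log must come from the switch's own audit trail."""
    seen = {(f[11], f[2]) for mti, f in map(parse, switch_log) if mti == "0100"}
    return [(f[11], f[2]) for mti, f in map(parse, wire_msgs)
            if mti == "0110" and (f[11], f[2]) not in seen]

# Constructed sample traffic: one genuine withdrawal the switch processed, and one
# balance inquiry "approved" with a made-up amount that the switch never saw.
GENUINE_REQ = encode("0100", {2: "4111111111111111", 3: "010000", 4: 5000, 11: "000123"})
GENUINE_RSP = encode("0110", {2: "4111111111111111", 3: "010000", 4: 5000, 11: "000123", 39: "00"})
INJECTED_RSP = encode("0110", {2: "4999999999999999", 3: "300000", 4: 731400, 11: "000124", 39: "00"})
WIRE = [GENUINE_REQ, GENUINE_RSP, INJECTED_RSP]
SWITCH_LOG = [GENUINE_REQ]

if __name__ == "__main__":
    print("orphan responses:", orphan_responses(WIRE, SWITCH_LOG))
```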

 

Symantec has found several different variants of Trojan.Fastcash, each of which uses a different response logic. It is unclear at present why differing response logic is used. It may be the case that each variant is tailored for a particular bank.

In all known FASTCash attacks to date, the attackers have compromised banking application servers running unsupported versions of the AIX operating system, beyond the end of their service pack support dates.

Who is Lazarus?
Lazarus is a very active group involved in both cyber crime and espionage. Lazarus was initially known for its involvement in espionage operations and a number of high-profile disruptive attacks, including the 2014 attack on SONY Pictures that saw large amounts of information being stolen and computers wiped by malware.

In recent years, Lazarus has also become involved in financially motivated attacks. The group was linked to the $81 million theft from the Bangladesh central bank in 2016, along with a number of other bank heists.

Lazarus was also linked to the WannaCry ransomware outbreak in May 2017. WannaCry incorporated the leaked “EternalBlue” exploit that used two known vulnerabilities in Windows (CVE-2017-0144 and CVE-2017-0145) to turn the ransomware into a worm, capable of spreading itself to any unpatched computers on the victim’s network and also to other vulnerable computers connected to the internet. Within hours of its release, WannaCry had infected hundreds of thousands of computers worldwide.

Conclusion
The recent wave of FASTCash attacks demonstrates that financially motivated attacks are not simply a passing interest for the Lazarus group and can now be considered one of its core activities.

As with the 2016 series of virtual bank heists, including the Bangladesh Bank heist, FASTCash illustrates that Lazarus possesses an in-depth knowledge of banking systems and transaction processing protocols and has the expertise to leverage that knowledge in order to steal large sums from vulnerable banks.

In short, Lazarus continues to pose a serious threat to the banking sector and organizations should take all necessary steps to ensure that their payment systems are fully secured.

Protection/Mitigation
Symantec has the following protections in place for customers against Lazarus FASTCash attacks:

Indicators of Compromise

D465637518024262C063F4A82D799A4E40FF3381014972F24EA18BC23C3B27EE (Trojan.Fastcash Injector)
CA9AB48D293CC84092E8DB8F0CA99CB155B30C61D32A1DA7CD3687DE454FE86C (Trojan.Fastcash DLL)
10AC312C8DD02E417DD24D53C99525C29D74DCBC84730351AD7A4E0A4B1A0EBA (Trojan.Fastcash DLL)
3A5BA44F140821849DE2D82D5A137C3BB5A736130DDDB86B296D94E6B421594C (Trojan.Fastcash DLL)


RECOMMENDED ARTICLE FOR TECHWORLD


 
Team Group Leads Industry with MoStash Reader for iOS and the WC0C Charging Cable with 3-in-1 Connector
Techworld Date Posted: 8 September 2017 1:29 PM | 235 Views
September 7th, 2017, Taipei, Taiwan - Team Group is continuously dedicated to satisfying the needs of our consumers in every aspect so today Team Group announces the latest mobile peripherals with rich features with.... See More
 
Team Group Leads Industry with MoStash Reader for iOS and the WC0C Charging Cable with 3-in-1 Connector
Techworld Date Posted: 1:29 PM | 235 Views
September 7th, 2017, Taipei, Taiwan - Team Group is continuously dedicated to satisfying the needs of our consumers in every aspect so today Team Group announces the latest mobile peripherals with rich features with...See More

 
ADATA XPG SPECTRIX D80 RGB Memory Module with Liquid Nitrogen Cooling Hits 5531MHz Mark
Techworld Date Posted: 1 June 2018 10:45 AM | 394 Views
ADATA® Technology, a leading manufacturer of high-performance DRAM modules and NAND Flash products, announces that it has overclocked its XPG SPECTRIX D80 RGB DDR4 memory module to 5531MHz in a liquid-nitrogen-cooled configuration. . See More
 
ADATA XPG SPECTRIX D80 RGB Memory Module with Liquid Nitrogen Cooling Hits 5531MHz Mark
Techworld Date Posted: 10:45 AM | 394 Views
ADATA® Technology, a leading manufacturer of high-performance DRAM modules and NAND Flash products, announces that it has overclocked its XPG SPECTRIX D80 RGB DDR4 memory module to 5531MHz in a liquid-nitrogen-cooled configuration. See More

 
Lenovo Addresses Shifting Workspace Needs
Techworld Date Posted: 23 March 2018 1:11 PM | 356 Views
Lenovo (HKSE: 992) (ADR: LNVGY), the world’s leading PC manufacturer, launched its 8th-generation Lenovo ThinkPads and ThinkStations–specifically designed to provide enhanced agility and performance to support the ever-evolving workspace spurred by millennial workers.. See More
 
Lenovo Addresses Shifting Workspace Needs
Techworld Date Posted: 1:11 PM | 356 Views
Lenovo (HKSE: 992) (ADR: LNVGY), the world’s leading PC manufacturer, launched its 8th-generation Lenovo ThinkPads and ThinkStations–specifically designed to provide enhanced agility and performance to support the ever-evolving workspace spurred by millennial workers.See More

 
It’s Raining Pies! Nokia 6.1 Plus and Nokia 6.1 Upgrade to Android™ 9 Pie
Techworld Date Posted: 12 November 2018 4:22 PM | 170 Views
Packed with Google’s newest software and building on the features of Android™ 8.0 Oreo™, Android™ 9 Pie features artificial intelligence and machine learning to give owners a more customized and tailored experience.. See More
 
It’s Raining Pies! Nokia 6.1 Plus and Nokia 6.1 Upgrade to Android™ 9 Pie
Techworld Date Posted: 4:22 PM | 170 Views
Packed with Google’s newest software and building on the features of Android™ 8.0 Oreo™, Android™ 9 Pie features artificial intelligence and machine learning to give owners a more customized and tailored experience.See More

 
Nokia 8 Takes Its First Bite of Oreo™
Techworld Date Posted: 28 November 2017 10:24 AM | 251 Views
HMD Global, the home of Nokia phones, is excited to announce that Android™ 8.0 Oreo™ is now available for the Nokia 8. . See More
 
Nokia 8 Takes Its First Bite of Oreo™
Techworld Date Posted: 10:24 AM | 251 Views
HMD Global, the home of Nokia phones, is excited to announce that Android™ 8.0 Oreo™ is now available for the Nokia 8. See More

 
Symantec Introduces Advanced EDR Tools and Fully-Managed Service to Stop the Most Dangerous Cyber Threats
Techworld Date Posted: 13 February 2019 9:39 AM | 75 Views
Symantec Corp. (NASDAQ: SYMC), the world’s leading cyber security company, has announced a new Managed Endpoint Detection and Response (MEDR) service and enhanced EDR 4.0 technology.. See More
 
Symantec Introduces Advanced EDR Tools and Fully-Managed Service to Stop the Most Dangerous Cyber Threats
Techworld Date Posted: 9:39 AM | 75 Views
Symantec Corp. (NASDAQ: SYMC), the world’s leading cyber security company, has announced a new Managed Endpoint Detection and Response (MEDR) service and enhanced EDR 4.0 technology.See More

 
Maynilad Water Services named Philippines’ “Digital Transformer of the Year” at IDC’s Digital Transformation Awards (Dxa)
Techworld Date Posted: 22 November 2017 5:05 PM | 442 Views
  IDC concluded its 11-month search for the Philippines’ best digital transformation (DX) initiatives, naming Maynilad Water Services Inc. as the 2017 “Digital Transformer of the Year” in the inaugural run of IDC DX.... See More
 
Maynilad Water Services named Philippines’ “Digital Transformer of the Year” at IDC’s Digital Transformation Awards (Dxa)
Techworld Date Posted: 5:05 PM | 442 Views
  IDC concluded its 11-month search for the Philippines’ best digital transformation (DX) initiatives, naming Maynilad Water Services Inc. as the 2017 “Digital Transformer of the Year” in the inaugural run of IDC DX...See More

 
Kaspersky Lab Report on DDoS Attacks in Q1 2017: The Lull before the Storm
Techworld Date Posted: 27 May 2017 2:55 PM | 245 Views
The first quarter of 2017 has confirmed the forecasts about the evolution of DDoS attacks made by Kaspersky Lab experts following the 2016 results. It also demonstrates that cybercriminals need a rest too. Despite the.... See More
 
Kaspersky Lab Report on DDoS Attacks in Q1 2017: The Lull before the Storm
Techworld Date Posted: 2:55 PM | 245 Views
The first quarter of 2017 has confirmed the forecasts about the evolution of DDoS attacks made by Kaspersky Lab experts following the 2016 results. It also demonstrates that cybercriminals need a rest too. Despite the...See More

 
Skygofree: Highly Advanced, Powerful Android Surveillance Software Active since 2014
Techworld Date Posted: 26 January 2018 9:48 AM | 267 Views
Kaspersky Lab researchers have uncovered an advanced mobile implant, active since 2014 and designed for targeted cyber-surveillance, possibly as an ‘offensive security’ product. . See More
 
Skygofree: Highly Advanced, Powerful Android Surveillance Software Active since 2014
Techworld Date Posted: 9:48 AM | 267 Views
Kaspersky Lab researchers have uncovered an advanced mobile implant, active since 2014 and designed for targeted cyber-surveillance, possibly as an ‘offensive security’ product. See More

 
Realme Philippines Offers Wide-Activities for Lazada 12.12 Including Whole-Day Sale of Php5,490 for Realme C1
Techworld Date Posted: 10 December 2018 1:34 PM | 175 Views
The Realme C1, the #RealEntryLevelKing, redefines the benchmark for entry-level smartphones, packing software and hardware features previously not available in devices in the same price segment.. See More
 
Realme Philippines Offers Wide-Activities for Lazada 12.12 Including Whole-Day Sale of Php5,490 for Realme C1
Techworld Date Posted: 1:34 PM | 175 Views
The Realme C1, the #RealEntryLevelKing, redefines the benchmark for entry-level smartphones, packing software and hardware features previously not available in devices in the same price segment.See More


Power by

Download Free AZ | Free Wordpress Themes