In addition to its 2014 attack on Sony Pictures, the Lazarus Group, also known as Hidden Cobra, has been attacking the ATMs of Asian and African banks since 2016, and today Symantec revealed that the group has been successful in its “FASTCash” operations by first targeting the banks' networks.
“The operation known as 'FASTCash' has enabled Lazarus, to fraudulently empty ATMs of cash. To make the fraudulent withdrawals, Lazarus first breaches targeted banks’ networks and compromises the switch application servers handling ATM transactions,” Symantec wrote in today’s blog post.
“Once these servers are compromised, previously unknown malware (Trojan.Fastcash) is deployed. This malware in turn intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses, allowing the attackers to steal cash from ATMs.”
By injecting a malicious Advanced Interactive eXecutive (AIX) executable into a legitimate process on the switch application of the network that handles ATM transactions, the attacker is able to monitor incoming messages and intercept fraudulent, attacker-generated transaction requests, preventing them from reaching the switch application.
The malware also contains logic that generates one of three responses to the attacker-generated transaction requests, according to Symantec.
In early October, the Department of Homeland Security (DHS), in combination with the Department of the Treasury (Treasury) and the FBI, identified malware used by the North Korean-linked hacking group, renowned for its cyber-espionage operations, in a US-CERT alert.
According to the alert, the FASTCash schemes “remotely compromise payment switch application servers within banks to facilitate fraudulent transactions. The US Government assesses that HIDDEN COBRA actors will continue to use FASTCash tactics to target retail payment systems vulnerable to remote exploitation.”
On the heels of the US-CERT report, Symantec uncovered the successful tactics used in the financially motivated attacks that allowed Lazarus to steal tens of millions of dollars from ATMs in over 30 different countries. Highly successful and motivated by their continued success and financial earnings, the Lazarus Group poses serious threats to the financial sector, particularly as these FASTCash attacks are not considered part of the group’s core activities.