North Korean hackers are using a new Linux variant of the FASTCash malware to infect the payment switch systems of financial institutions and perform unauthorized cash withdrawals.
Previous variants of FASTCash targeted Windows and IBM AIX (Unix) systems, but a new report by security researcher HaxRob reveals a previously undetected Linux version that targets Ubuntu 22.04 LTS distributions.
CISA first warned about the FASTCash ATM cash-out scheme in December 2018, attributing the activity to the state-backed North Korean hacking group known as ‘Hidden Cobra.’
According to the agency’s investigations, the threat actors have been using FASTCash in operations since at least 2016, stealing tens of millions of dollars per incident in simultaneous ATM withdrawal attacks in 30 or more countries.
In 2020, the U.S. Cyber Command highlighted the threat once again, linking the revived FASTCash 2.0 activity to APT38 (Lazarus).
A year later, indictments were announced for three North Koreans allegedly involved in these schemes, responsible for the theft of over $1.3 billion from financial institutions worldwide.
