Researchers reveal the malware used by North Korean hackers to attack ATMs


The Lazarus hackers have been using the FastCash Trojan on obsolete AIX servers to steal tens of millions of dollars

Researchers at the information security and digital forensics firm Symantec have identified the malware tool that Lazarus, North Korea’s well-known hacker group, has been using for a couple of years to steal millions of dollars in cash from ATMs belonging to small and medium-sized banks in Africa and Asia.

In a report released a few days ago, the cybersecurity firm described the malware as “a tool designed to intercept and approve fraudulent cash withdrawal applications in ATMs before they reach the server underlying switching applications from the bank that processes them.”

This malware is an executable file that can be injected into a legitimate process on application servers running IBM’s AIX operating system. According to the report, all of the application servers that the Lazarus hackers managed to compromise with this malware were running unsupported versions of AIX.

“Theft not only affects banks, but any organization running a production environment with obsolete or unsupported equipment and software,” says Jon DiMaggio, chief of intelligence at Symantec.

The financial loss and media fallout that accompany the Lazarus attacks far outweigh the cost of updating obsolete infrastructure. “At the very least, financial institutions must use updated and compatible systems and software to minimize the risk of monetary losses and confidential customer data,” according to cybersecurity and digital forensics specialists at the International Institute of Cyber Security.

In a notice released on October 2, the FBI, the Department of Homeland Security (DHS) and the US Treasury Department stated that the attacks of the FASTCash campaign, as it is known in America, have cost banks as much as tens of millions of dollars. The notice reported two incidents in particular, one in 2017 and the other in 2018, in which the Lazarus hackers carried out simultaneous cash withdrawals from ATMs in over 20 countries.

According to the notice, in each of the multiple Lazarus attacks, the hacker group configured and deployed legitimate scripts on the application servers to intercept and respond to fraudulent ATM withdrawal requests.

But Symantec’s research has shown that the executable that enables the fraudulent activity is, in fact, malware. Symantec has named it ‘Trojan.Fastcash’ and notes that it performs two main functions.

According to specialists in digital forensics and cybersecurity, the first function is to monitor and read the primary account number (PAN) in all incoming ATM traffic. The malware is designed to block all traffic containing PANs previously identified as belonging to the attackers. It then generates a fake response approving the fraudulent request, so the attackers ensure that their fraudulent withdrawals will succeed.
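Because the forged approval is produced before the request ever reaches the bank’s switch, the switch has no record of authorizing the withdrawal while the ATM does. The following is an added detection example (written for this article, not Symantec’s code and not derived from Trojan.Fastcash) that reconciles ATM-side approvals against switch-side authorizations and flags approvals the switch never saw. The log formats, field names (`stan`, `pan`, `amt`, `resp`, `auth`), the use of response code `00` for “approved”, and the sample lines are all constructed assumptions.

```python
"""Reconcile ATM-side approvals against switch-side authorizations.

Added example for detection: an approved withdrawal that the switch has no
authorization record for is a candidate forged response. Log formats and
sample lines below are constructed, not taken from any real system.
"""
import re
from collections import defaultdict

# Constructed ATM-side records: what each ATM believes the host answered.
# resp=00 is treated as "approved" (assumption for this log format).
ATM_LOG = """\
2018-08-11T02:14:07Z atm=ATM-0123 stan=000412 pan=4111111111111111 amt=500.00 resp=00
2018-08-11T02:14:09Z atm=ATM-0123 stan=000413 pan=4111111111111111 amt=500.00 resp=00
2018-08-11T02:14:10Z atm=ATM-0777 stan=000414 pan=5555555555554444 amt=120.00 resp=00
2018-08-11T02:14:12Z atm=ATM-0123 stan=000415 pan=4111111111111111 amt=500.00 resp=00
2018-08-11T02:15:01Z atm=ATM-0777 stan=000416 pan=5555555555554444 amt=40.00 resp=51
"""

# Constructed switch-side records: what the bank's switch actually authorized.
SWITCH_LOG = """\
2018-08-11T02:14:10Z stan=000414 pan=5555555555554444 amt=120.00 auth=APPROVED
2018-08-11T02:15:01Z stan=000416 pan=5555555555554444 amt=40.00 auth=DECLINED
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts (constructed format)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        fields = dict(FIELD_RE.findall(rest))
        fields["ts"] = ts
        records.append(fields)
    return records


def mask_pan(pan):
    """Keep BIN and last four digits so reports never expose a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_orphan_approvals(atm_text, switch_text):
    """Return ATM approvals with no matching switch authorization.

    The match key is (STAN, PAN): the system trace audit number plus the
    card number identifies one authorization attempt end to end.
    """
    switch_keys = {(r["stan"], r["pan"]) for r in parse_log(switch_text)}
    orphans = []
    for r in parse_log(atm_text):
        if r.get("resp") != "00":
            continue  # declines cannot be forged approvals
        if (r["stan"], r["pan"]) not in switch_keys:
            orphans.append({
                "ts": r["ts"],
                "atm": r["atm"],
                "stan": r["stan"],
                "pan": mask_pan(r["pan"]),
                "amount": float(r["amt"]),
            })
    return orphans


def summarize_by_pan(orphans):
    """Group orphan approvals per masked PAN: (count, total amount)."""
    summary = defaultdict(lambda: [0, 0.0])
    for o in orphans:
        summary[o["pan"]][0] += 1
        summary[o["pan"]][1] += o["amount"]
    return {pan: (count, total) for pan, (count, total) in summary.items()}


if __name__ == "__main__":
    found = find_orphan_approvals(ATM_LOG, SWITCH_LOG)
    for o in found:
        print(f"{o['ts']} {o['atm']} stan={o['stan']} pan={o['pan']} amt={o['amount']:.2f}")
    for pan, (count, total) in summarize_by_pan(found).items():
        print(f"{pan}: {count} unmatched approvals totalling {total:.2f}")
```

In the constructed sample, three approvals for the same card on ATM-0123 within a few seconds have no switch record, while the one switch-approved and one declined transaction reconcile cleanly. Running this comparison continuously (rather than at end-of-day settlement) shortens the window in which a campaign of simultaneous withdrawals can run before anyone notices.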

The hackers chose to attack smaller banks with fewer technological resources in regions such as Asia and Africa, perhaps because larger financial institutions would probably have better security measures, DiMaggio suggests. “The vulnerable version of the AIX server was simply what was in the environment that the attacker was addressing. It was not the driving force of the attack, but a characteristic of the specific environment that the attacker had access to,” the expert says.