FastCash: This is how Lazarus has been stealing money millions from global ATMs

• The North Korean hacker group has been stealing from ATM machines across Asia and Africa since 2016.
• Lazarus breaches a targeted bank’s networks and attacks the switch applications servers handling ATM transactions to empty out cash machines.

The notorious North Korean hacker group Lazarus has been observed in a fresh campaign dubbed FastCash, which is aimed at stealing funds from ATMs. According a recent report by the US-CERT, the North Korean hacker group has been stealing from ATM machines across Asia and Africa since 2016.

However, the FastCash campaign indicates that Lazarus is nowhere near hanging up its boots. According to security experts at Symantec, who discovered and traced the FastCash campaign, Lazarus breaches a targeted bank’s networks and attacks the switch applications servers handling ATM transactions to empty out cash machines.

“Once these servers are compromised, previously unknown malware (Trojan.Fastcash) is deployed. This malware, in turn, intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses, allowing the attackers to steal cash from ATMs,” Symantec researchers said in a report.

A deep dive into Lazarus’ previous ATM attacks

Lazarus is known for its bold attacks - the group is believed to have orchestrated the 2014 Sony hack the 2016 Bangladesh bank heist and the 2017 WannaCry ransomware outbreak.

According to the US-CERT, in one incident that took place in 2017, Lazarus stole money from ATMs located in 30 different countries simultaneously. In another similar attack that occurred in 2018, the hackers stole from ATMs in 23 different nations. Experts estimate that the hacker group may have raked in tens of millions of dollars from these attacks.

Fastcash malware

Lazarus installs the Fastcash malware into a running, legitimate process on the switch application server of a targeted bank’s network. The Fastcash malware has two main functions - to monitor incoming messages and intercept the attacker-generated fraudulent transactions.

“Once installed on the server, Trojan.Fastcash will read all incoming network traffic, scanning for incoming ISO 8583 request messages. It will read the Primary Account Number (PAN) on all messages and, if it finds any containing a PAN number used by the attackers, the malware will attempt to modify these messages. How the messages are modified depends on each victim organization,” Symantec researchers said. “It will then transmit a fake response message approving fraudulent withdrawal requests. The result is that attempts to withdraw money via an ATM by the Lazarus attackers will be approved.”

The researchers found several variants of the Fastcash malware, each of which uses a different response logic. The researchers believe that each of the variants is customized for a particular transactions processing network and therefore has its own tailored logic response.

“The recent wave of FASTCash attacks demonstrates that financially motivated attacks are not simply a passing interest for the Lazarus group and can now be considered one of its core activities,” Symantec researchers added. “As with the 2016 series of virtual bank heists, including the Bangladesh Bank heist, FASTCash illustrates that Lazarus possesses an in-depth knowledge of banking systems and transaction processing protocols and has the expertise to leverage that knowledge in order to steal large sums from vulnerable banks.”