FASTCash
How does the Lazarus Group empty millions from cash dispensers?
To enable their fraudulent ATM cashouts, the attackers inject a malicious Advanced Interactive eXecutive (AIX) executable into a running, legitimate process on the switch application server of a financial payment network, in this case the system that handles ATM transactions. The executable contains the logic needed to construct fraudulent ISO 8583 messages.
ISO 8583 is the industry standard for financial transaction messaging. It was previously assumed that the attackers used scripts to tamper with the legitimate programs on the servers in order to enable malicious activity. FASTCash has two main functions: it monitors the messages passing through the server, and it intercepts the fraudulent transaction requests created by the attacker so that they never reach the switch application that would normally process them.
The malware contains the logic to produce one of three fraudulent responses to these fraudulent transactions. FASTCash reads all incoming network traffic and looks for inbound ISO 8583 request messages. It reads the Primary Account Number (PAN) from every message, and if it finds a PAN used by the attacker, the malware attempts to modify those messages.
How the messages are modified depends on the targeted organisation. A fraudulent response message is then generated in which the fraudulent withdrawal request is approved. As a result, the attempt to withdraw cash from an ATM during a Lazarus attack is authorised. The following is an example of the Trojan's response logic.
FASTCash is used to create fraudulent responses. This particular sample contains the logic to build one of three fraudulent responses to the inbound fraudulent request. If the message type indicator is 200 (an ATM transaction) and the point-of-service entry mode starts with 90 (magnetic stripe only): Otherwise, if the attacker's primary account number is on the blacklist:
In this case, the attacker appears to have built in the ability to decline transactions on the basis of their own blacklist of bank accounts. There are several FASTCash variants, each using a different response scheme. Every variant is designed for a specific type of payment processor and has its own tailored response logic.
The PANs used in FASTCash attacks correspond to real account numbers. It is not clear how the attacker gains full control of these accounts. The attacker may open the accounts themselves and make the cashout requests with a card issued for that account. Another possibility is that the attacker uses counterfeit cards to carry out the attack.
In all previously reported FASTCash attacks, the attacker compromised bank application servers running unsupported AIX releases that were past the end of their service pack support dates.
Who is Lazarus?
Lazarus is a very active group involved in both cybercrime and espionage. Lazarus was originally known for its espionage activity and for a number of high-profile attacks, among them the 2014 Sony Pictures attack, in which large amounts of data were stolen and computers were wiped by malware.
Lazarus has also been involved in financially motivated attacks in recent years. The group was also linked to the WannaCry ransomware outbreak in May 2017. WannaCry incorporated the leaked "EternalBlue" exploit, which used two known Windows flaws (CVE-2017-0144 and CVE-2017-0145) to turn the ransomware into self-propagating malware that could spread to every unpatched machine on the victim's network as well as to other vulnerable machines reachable over the internet.
The recent wave of FASTCash attacks shows that financial attacks are not just a passing interest for the Lazarus Group and can now be seen as one of its core lines of business. Like its 2016 bank robbery campaign, FASTCash shows that Lazarus has a deep understanding of financial messaging systems and transaction logs, and the skills to use that understanding to steal large sums from vulnerable financial institutions.
In a nutshell, Lazarus remains a serious threat to the finance industry, and companies should take all necessary action to make sure their payment systems are up to date and secure. An application update often contains a patch for a vulnerability that an attacker could otherwise exploit.