A new Trojan has been discovered in the on-going FASTCash cyber espionage campaign funded by North Korean government.
Release Date: November 20th, 2018
The Lazarus hacker group funded by the North Korean government is a predator for the financial sector, targeting major banks in Africa and Asia. It first breaches the target bank’s network and compromises the switch application server handling the ATM transactions. Also known as the Hidden Cobra, the Lazarus group is associated with the on-going FASTCash campaign stealing tens of millions of dollars in multiple ATM attacks across the continents.
In 2017 alone, Lazarus targeted ATMs in more than 30 countries, whereas in 2018 it compromised banks of 23 countries, simultaneously. Recently, a new Trojan has been found that’s being used in the FASTCash campaigns.
The initial attack vector used by Lazarus isn’t confirmed. However, traces have been retrieved of the usage of a malware designed to “remotely compromise payment switch application servers within banks to facilitate fraudulent transactions.”.
It seems that the Hidden Cobra attackers initially used a Windows-based malware to explore a bank’s network to identify the payment switch application server. Researchers have found that all of the compromised switch application servers were running unsupported IBM Advanced Interactive eXecutive (AIX) operating system versions beyond the end of their service pack support dates. Therefore, AIX could be the possible exploit, however, no evidence has been found that proves exploitation of the AIX operating system in these attacks.
Although each known incident has a different malware associated with it, a detailed analysis of malware samples gathered through these attacks suggests similarities between malware features and capabilities.
Analysts predict that the attacks were initiated with spear-phishing emails against bank employees, which led to compromise of the bank’s network.
There are multiple versions of the Fastcash Trojan, each of which appears to have been customized for different transaction processing networks. The samples are associated with legitimate primary account numbers, or PANs – the 14 or 16-digit numerical strings found on bank and credit cards that identify a card issuer and account number.
The malicious code inserted by Lazarus attackers searched for references tied to attacker-controlled accounts, then returned fraudulent information about those accounts in response to balance inquiries made by the Switch application server.
In simpler words, the validation requests prior to cash withdrawal did not reach the bank for authentication and verification of bank balance. Instead, the communication was spoofed by the attackers and fake responses were generated that made ATMs spit out cash even from the accounts having zero balance.
Analysts believe that HIDDEN COBRA (Lazarus) actors exploited the targeted systems by using their knowledge of International Standards Organization (ISO) 8583—the standard for financial transaction messaging—and other tactics. HIDDEN COBRA actors most likely deployed ISO 8583 libraries on the targeted switch application servers. These libraries can be exploited by malicious threat actors to help interpret financial request messages and properly construct fraudulent financial response messages.
Analysts believe HIDDEN COBRA actors blocked transaction messages in order to stop denial/decline messages from leaving the switch and used a GenerateResponse* function to approve the transactions.
“In order to permit their fraudulent withdrawals from ATMs, the attackers inject a malicious [AIX] executable into a running, legitimate process on the switch application server of a financial transaction network, in this case; a network that handles ATM transactions,” analysts say.
The malicious executable contains logic to construct fraudulent ISO 8583 messages, which is the international standard for financial transaction messaging. The IBM AIX executable files were designed to conduct code injection and inject a library into a currently running process.
It is believed that the North Korean government funds these attacks to combat international sanctions imposed over its weapons’ development and testing programs. Apart from Lazarus, another major wave of attacks was launched by the APT38 which is also said to be associated with the North Korean government.
Here’s a detailed coverage of APT38 cyber espionage.
Organizations should configure system logs to detect incidents and to identify the type and scope of malicious activity. Continuous monitoring of all the activity on the network is essential to pinpoint any cyber espionage targeting an organization.
Lazarus has previously earned an International reputation as one of the largest groups of cybercriminals targeting the financial sector.
The Sony Pictures Entertainment hack in 2014; the breach of central bank of Bangladesh’s New York Federal Reserve account leading to $81 million being stolen; the WannaCry ransomware outbreak in May 2017, as well as other crypto-mining incidents are also associated with this hacker group.
The U.S. Government assesses that HIDDEN COBRA actors will continue to use FASTCash tactics to target retail payment systems vulnerable to remote exploitation.