North Korean Hackers Use Linux Variant of FASTCash Malware to Steal Funds

North Korean cybercriminals have been identified using a Linux version of the infamous FASTCash malware to execute financially motivated cyber-attacks. This malware is particularly dangerous as it targets payment systems, facilitating unauthorized ATM withdrawals.

According to a cybersecurity expert known as HaxRob, the malware is “installed on payment switches within compromised networks that handle card transactions, allowing unauthorized withdrawals from ATMs.” This new variant expands on earlier FASTCash operations that were first reported by the U.S. government in October 2018. Back then, it was revealed that adversaries tied to North Korea had been exploiting ATM cashout schemes in Africa and Asia since at least late 2016.

The agencies previously highlighted that “FASTCash schemes remotely compromise payment switch application servers within banks to facilitate fraudulent transactions.” One notable event in 2017 saw HIDDEN COBRA hackers enable cash withdrawals from ATMs in over 30 countries at the same time. A similar incident in 2018 involved simultaneous withdrawals across 23 countries.

Historically, FASTCash malware has been observed targeting systems running Microsoft Windows, including a variant found just last month, and IBM AIX. However, the latest discovery reveals a version specifically designed for Linux environments. The first Linux sample appeared on the VirusTotal platform in mid-June 2023, marking a significant shift in the malware's evolution.

This Linux variant of FASTCash appears as a shared object file, “libMyFc.so,” compiled for Ubuntu Linux 20.04. It is engineered to intercept and manipulate ISO 8583 transaction messages, the format used to carry debit and credit card authorizations. By rewriting these messages, the malware turns transactions that the issuer declined for insufficient funds into approvals for a predefined list of account numbers, allowing cash to be withdrawn fraudulently.

The stolen funds typically range from 12,000 to 30,000 Turkish Lira ($350 to $875) per transaction. The tampering mirrors past FASTCash campaigns, including the infamous “switch.dll” Windows artifact that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) documented in September 2020.
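Because the tampering happens inside the switch, the most direct defensive check is reconciliation: compare the response code the issuer host actually returned with the response code the switch forwarded towards the ATM network, and alert on any transaction whose decline became an approval. The Python below is an added example, not code from the original post or from the FASTCash analysis it reports on. It assumes a constructed, simplified ASCII ISO 8583 encoding (4-character MTI, 16-hex-character primary bitmap, a four-element subset of the data-element table) and constructed sample traffic; it is not tied to any switch vendor's real wire format.

```python
"""Reconcile ISO 8583 authorization responses on both sides of a payment switch.

Added example with a constructed, simplified ASCII ISO 8583 encoding: a
4-character MTI, a 16-hex-character primary bitmap and a small subset of data
elements. Real switches use vendor-specific encodings, but the check is the
same: the response code the issuer returned must equal the one the switch
forwards to the ATM network.
"""

# Constructed subset of the ISO 8583 data-element table.
# "fixed": fixed length in characters; "llvar": 2-digit length prefix, max length.
FIELD_SPEC = {
    2: ("llvar", 19),   # Primary Account Number (PAN)
    4: ("fixed", 12),   # Transaction amount in minor units
    11: ("fixed", 6),   # System Trace Audit Number (STAN), used to pair messages
    39: ("fixed", 2),   # Response code: "00" approved, "51" insufficient funds
}


def build(mti, fields):
    """Serialize an MTI and {field_number: value} into the constructed wire format."""
    bitmap, body = 0, ""
    for num in sorted(fields):
        kind, length = FIELD_SPEC[num]
        value = str(fields[num])
        if kind == "fixed" and len(value) != length:
            raise ValueError(f"field {num}: expected {length} chars, got {len(value)}")
        if kind == "llvar":
            if len(value) > length:
                raise ValueError(f"field {num}: longer than {length} chars")
            value = f"{len(value):02d}{value}"
        body += value
        bitmap |= 1 << (64 - num)  # bit 1 is the most significant bit of the bitmap
    return f"{mti}{bitmap:016X}{body}"


def parse(raw):
    """Parse a message in the constructed format; returns (mti, {field_number: value})."""
    mti, bitmap, pos = raw[:4], int(raw[4:20], 16), 20
    if (bitmap >> 63) & 1:
        raise ValueError("secondary bitmap not supported in this example")
    fields = {}
    for num in range(2, 65):
        if not (bitmap >> (64 - num)) & 1:
            continue
        if num not in FIELD_SPEC:
            raise ValueError(f"field {num} present but not described in FIELD_SPEC")
        kind, length = FIELD_SPEC[num]
        if kind == "llvar":
            length = int(raw[pos:pos + 2])
            pos += 2
        if pos + length > len(raw):
            raise ValueError(f"field {num}: message truncated")
        fields[num] = raw[pos:pos + length]
        pos += length
    if pos != len(raw):
        raise ValueError("trailing data after last field")
    return mti, fields


def mask_pan(pan):
    """Keep first 6 and last 4 digits so alerts can be logged without full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def reconcile(issuer_responses, switch_responses):
    """Pair issuer-side and switch-side 0210 responses by STAN and report any
    whose response code was changed on its way through the switch."""
    issuer = {}
    for raw in issuer_responses:
        _, f = parse(raw)
        issuer[f[11]] = f
    alerts = []
    for raw in switch_responses:
        _, f = parse(raw)
        original = issuer.get(f[11])
        if original is None:
            alerts.append({"stan": f[11], "reason": "no matching issuer decision"})
        elif original[39] != f[39]:
            alerts.append({
                "stan": f[11], "pan": mask_pan(f[2]), "amount": f[4],
                "issuer_code": original[39], "switch_code": f[39],
                "reason": "response code altered in switch",
            })
    return alerts


# Constructed sample traffic: a well-known test PAN, 12,000.00 TRY in minor units.
PAN = "4111111111111111"
AMOUNT = "000001200000"

ISSUER_LOG = [  # what the issuer host actually answered
    build("0210", {2: PAN, 4: AMOUNT, 11: "000101", 39: "00"}),
    build("0210", {2: PAN, 4: AMOUNT, 11: "000102", 39: "51"}),
    build("0210", {2: PAN, 4: AMOUNT, 11: "000103", 39: "51"}),
]
SWITCH_LOG = [  # what the switch forwarded towards the ATM network
    build("0210", {2: PAN, 4: AMOUNT, 11: "000101", 39: "00"}),
    build("0210", {2: PAN, 4: AMOUNT, 11: "000102", 39: "00"}),  # decline flipped to approval
    build("0210", {2: PAN, 4: AMOUNT, 11: "000103", 39: "51"}),
]

if __name__ == "__main__":
    for alert in reconcile(ISSUER_LOG, SWITCH_LOG):
        print(alert)
```

Pairing by STAN alone is a simplification of the constructed format; a production check would key on the full set of authorization identifiers and, more importantly, would need an independent capture point on the acquirer-facing link, since a log written by the compromised switch itself cannot be trusted to show the tampering.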

The discovery of this Linux-based version of FASTCash highlights the critical need for better detection capabilities, particularly in Linux server environments, which are often inadequately protected. As HaxRob stated, “This further emphasizes the need for adequate detection capabilities which are often lacking in Linux server environments.”

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067