New Linux malware is being used to steal money from ATMs

New malware is in circulation that targets ATMs and lets hackers steal money from them with ease. It is a Linux variant of a familiar threat that has circulated on the Internet before.

The name FASTCash has alarmed many security specialists in recent times. Now this malware is back in a new version for Linux. Its objective is what the name suggests: to allow hackers to take money from bank ATMs without anyone being able to stop them. The threat appears to have originated in North Korea and affects Ubuntu 22.04 LTS distributions.

Stealing from ATMs since 2016

The alarm that FASTCash causes among professionals is not disproportionate. This malware has been causing problems since it was first detected in 2018, although records indicate that its activity began to leave its mark in 2016. From the beginning, specialists have been clear that North Korean hackers were behind it, more precisely the group Hidden Cobra. Initially, the threat was distributed on Windows and IBM AIX systems, but it has now evolved to operate on Linux as well.

According to previous investigations, those behind FASTCash had already stolen more than 1.3 billion dollars in attacks on ATMs in more than 30 countries. It is believed that the figures could be higher, which would make this malware one of the worst that financial institutions have ever encountered.

How does this malware work?

First of all, although there is evidence that this malware is in circulation, for now it seems that it has not been blocked. In addition, security specialists say they believe that this incarnation of FASTCash can bypass security systems to infect ATMs and keep withdrawing money without limits. To start, the malware needs to place a malicious file on the exchange server used in the payment operations carried out by ATMs. It slips in at the point where the ATM system connects the bank’s core and the ATM. That is, it sits in the middle so as not to be intercepted and so that it can handle withdrawal requests that appear genuine. The malware is built to intercept the messages that ATMs exchange when processing operations with credit and debit cards.

More precisely, it intercepts the transaction cancellation message in which the bank rejects the withdrawal request because there are no funds. Instead of letting the bank's cancellation go through, the malware approves the transaction as if there were funds in the account. This allows the bank to receive a message with an authorization code and think that the operation is being carried out correctly. According to the specialists, the amounts stolen on each occasion are between 350 and 875 dollars.
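
For defenders, the tampering described above shows up as a mismatch between what the bank core decided and what the ATM was told. The following is an added example, not code from the original article or from any vendor, that reconciles the two. The log formats, field names and sample records are constructed assumptions, and the records are assumed to come from the core and the ATM themselves rather than from the server in between.

```python
import csv
import io
from typing import NamedTuple

# Constructed sample: decisions as recorded by the bank core.
CORE_LOG = """txn_id,card,amount,decision
T1001,****1111,200.00,APPROVED
T1002,****2222,500.00,DECLINED_NO_FUNDS
T1003,****2222,875.00,DECLINED_NO_FUNDS
T1004,****3333,60.00,DECLINED_NO_FUNDS
"""

# Constructed sample: responses as journaled by the ATMs.
ATM_LOG = """txn_id,atm_id,amount,response
T1001,ATM-07,200.00,APPROVED
T1002,ATM-07,500.00,APPROVED
T1003,ATM-12,875.00,APPROVED
T1004,ATM-12,60.00,DECLINED
T1005,ATM-12,350.00,APPROVED
"""

class Finding(NamedTuple):
    txn_id: str
    atm_id: str
    amount: str
    reason: str

def load(text):
    """Index CSV rows by transaction id."""
    return {row["txn_id"]: row for row in csv.DictReader(io.StringIO(text))}

def reconcile(core_csv, atm_csv):
    """Flag withdrawals the ATM saw approved that the core did not approve."""
    core, atm = load(core_csv), load(atm_csv)
    findings = []
    for txn_id, seen in sorted(atm.items()):
        if seen["response"] != "APPROVED":
            continue  # a decline delivered as a decline is not suspicious
        decided = core.get(txn_id)
        if decided is None:
            reason = "approved at ATM, no core record"
        elif decided["decision"] != "APPROVED":
            reason = "core declined, ATM saw approval"
        else:
            continue  # both ends agree on the approval
        findings.append(Finding(txn_id, seen["atm_id"], seen["amount"], reason))
    return findings
```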

The one complication for the hackers is that they need a mule to withdraw the money in person at the ATM and then pass it on to them. In any case, they most likely have things organized so that several people handle these tasks. That could, however, be a thread the authorities could pull to try to make some arrests.

Reportedly, although the Linux version is the one now in use, there is a new edition for Windows that is also being readied for use. That would complicate things even more for banks, since the cybercriminals have most likely refined the malware since its last version for the Microsoft system.
