Key Takeaways
What is FASTCash?
FASTCash is a “payment switch” malware typically used by North Korea nexus threat actors. While FASTCash has been in the wild since at least 2016, it previously only targeted Windows and AIX systems. A newer Linux variant was recently discovered. Security researcher HaxRob reported on this variant.
FASTCash is installed on compromised payment switches, the systems on a bank's network that route and authorize payment card transactions. Once in place, the malware allows threat actors to conduct unauthorized cash withdrawals from ATMs. According to HaxRob, the FASTCash Linux variant, which is written in C++, was likely developed sometime after April 2022 in a virtual machine. It is less robust than the Windows variant but still includes the key functions: intercepting declined card swipe transaction messages and authorizing the transaction for a random amount. In the sample analyzed, the currency used for the transaction was the Turkish Lira.
HaxRob noted that in addition to the Linux variant, a new FASTCash Windows variant was also recently discovered. The original FASTCash for Windows was previously attributed to North Korea nexus threat actor group Hidden Cobra, also known as Labyrinth Chollima. In 2020, a CISA advisory linked FASTCash 2.0 activity to APT38 (Stardust Chollima). Both of these North Korea nexus threat actor groups are linked to the umbrella group known as Lazarus Group and tend to exhibit TTP overlap. We have provided information on both subgroups below.
Who is Labyrinth Chollima?
Labyrinth Chollima, also known as Gleaming Pisces, AppleJeus, Nickel Academy, Hidden Cobra, Citrine Sleet, and UNC4736, is a state-sponsored threat actor group likely affiliated with Bureau 121 of North Korea’s Reconnaissance General Bureau. It is thought to be a sub-cluster of Lazarus Group and has been active since at least 2018. The group’s members are reportedly trained in Shenyang, China, in malware and espionage operations.
Labyrinth Chollima is known for espionage activity, disruptive activity, and financially motivated attacks. Other malware associated with Labyrinth Chollima includes LightlessCan, KandyKorn, SugarLoader, and Hloader. In the past, the group has been observed engaging in supply chain attacks and attacks on cryptocurrency platforms.
Who is Stardust Chollima?
Stardust Chollima, also known as BlueNoroff, TA444, APT38, BlackAlicanto, Copernicium, and Sapphire Sleet, is a North Korean threat actor group that is likely an offshoot of Lazarus Group. They are thought to be affiliated with Bureau 121 of the DPRK’s Reconnaissance General Bureau.
The group is known for financially motivated activity, including targeting banks, casinos, cryptocurrency exchanges, ATMs, and SWIFT endpoints. Stardust Chollima has also been observed targeting macOS systems. Their macOS malware includes RustBucket, KandyKorn, ObjCShellz, and SpectralBlur.
IOCs
PolySwarm has multiple samples of FASTCash.
You can use the following CLI command to search for all FASTCash samples in our portal:
$ polyswarm link list -f FASTCash