North Korean Cybercriminals Utilize Recently Found Linux Malware to Attack ATMs

# FASTCash Malware Expands to Linux: A New Hazard for Financial Systems

In the constantly changing realm of cyber threats, North Korean state-sponsored attackers have once more shown their adaptability and persistence. What started as a campaign against Unix-based systems has since broadened to Windows and, most recently, Linux. The malware in question, **FASTCash**, is a purpose-built tool aimed at the financial infrastructure that processes payment card transactions. Initially identified on systems running IBM's proprietary Unix variant, AIX, FASTCash has now been ported to Linux, raising concern across the cybersecurity sector.

## The Progression of FASTCash

### From Unix to Windows, and Now Linux

FASTCash was first brought to attention in 2018 when the **US Cybersecurity and Infrastructure Security Agency (CISA)** issued a notice regarding its presence in **AIX-driven payment switches**. These switches are vital elements in the financial ecosystem, tasked with processing payment card transactions among merchants, banks, and card issuers. By infiltrating these switches, the hackers could manipulate transaction messages, leading to the approval of fraudulent transactions.

In 2020, CISA revised its advisory, disclosing that FASTCash had broadened its reach to include **Windows-based payment switches**. This expansion not only augmented the malware’s potential targets but also extended its scope to encompass **regional interbank payment processors**, enhancing its threat level to the global financial framework.

Jump to 2023, and researchers have now found that FASTCash has been adapted yet again, this time to target **Linux-based systems**. A recent report by an investigator operating under the pseudonym **haxrob** described two FASTCash samples built for **Ubuntu Linux 20.04**. One of these samples was presumably developed after April 2022, and as of June 2023 only a few antivirus solutions were capable of detecting it.

### How FASTCash Operates

The primary purpose of FASTCash is to compromise a **payment switch**—a crucial node in the network that governs payment transactions. These switches function as intermediaries between the **merchant’s bank (acquiring domain)** and the **card issuer (issuing domain)**. Once the malware infiltrates a switch, it intercepts and alters transaction messages as they occur.

When a fraudulent transaction is initiated using a compromised card, the switch forwards a message to the card issuer for approval. If the issuer rejects the transaction, FASTCash intervenes and modifies the message, converting the rejection into an approval before relaying it back to the merchant’s bank. This alteration permits the fraudulent transaction to proceed unnoticed.

### The Importance of ISO 8583

FASTCash takes advantage of weak implementations of the **ISO 8583** messaging standard, which is widely adopted for financial transactions. Specifically, the malware targets **improperly configured implementations** of ISO 8583, where integrity controls such as **message authentication codes (MACs)** are either absent or inadequately configured. These misconfigurations allow the malware to modify messages without raising any alerts.

In a suitably configured system, the MAC in **field 64** of an ISO 8583 message would safeguard the integrity of the transaction data. However, in the systems targeted by FASTCash, these protective measures are either absent or ineffective, permitting the malware to alter transaction messages undetected.
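The following Python model is an added example, not code from the article or from haxrob's analysis, and it illustrates the two points made above: an issuer's decline that is rewritten in transit to an approval, and the field 64 MAC check that catches the rewrite on the acquiring side. It assumes a deliberately simplified flat field-number-to-value representation of an ISO 8583 message (no MTI/bitmap packing, no real-world field formats), HMAC-SHA256 with an inline sample key as a stand-in for whatever MAC scheme and HSM-held key a real payment network mandates, and constructed sample field values. The `require_mac=False` path models the misconfigured switch the article describes; the default path is the corrected behaviour.

```python
import hashlib
import hmac

# Constructed sample key for the demo only; a real switch would use an HSM-held key.
SAMPLE_MAC_KEY = b"constructed-demo-key-not-for-production"

# Field numbers used below (ISO 8583 data elements):
#   39 = response code ("00" approved, "05" do not honor)
#   64 = message authentication code
# Key 0 stands in for the MTI; the flat dict layout is an assumption of this demo.
MAC_FIELD = 64
RESPONSE_CODE_FIELD = 39
APPROVED = "00"


def canonical_bytes(fields):
    """Serialise every field except the MAC itself in ascending field order,
    so sender and verifier compute the MAC over identical bytes."""
    parts = [f"{num:03d}={fields[num]}" for num in sorted(fields) if num != MAC_FIELD]
    return "|".join(parts).encode()


def attach_mac(fields, key):
    """Issuer side: compute the MAC over the response and place it in field 64."""
    msg = dict(fields)
    msg[MAC_FIELD] = hmac.new(key, canonical_bytes(msg), hashlib.sha256).hexdigest()
    return msg


def verify_mac(fields, key):
    """Acquirer side: recompute the MAC and compare in constant time.
    A missing field 64 is treated as a failure, not as 'no check needed'."""
    if MAC_FIELD not in fields:
        return False
    expected = hmac.new(key, canonical_bytes(fields), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, fields[MAC_FIELD])


def acquirer_accepts(response, key, require_mac=True):
    """Decide whether the acquiring domain honours a response.
    require_mac=False reproduces the misconfigured switch that trusts field 39 alone."""
    if require_mac and not verify_mac(response, key):
        return False
    return response.get(RESPONSE_CODE_FIELD) == APPROVED


def demo():
    """Run the genuine decline and an in-transit rewrite through both switch configurations."""
    # Constructed issuer response: the transaction is declined (response code 05).
    issuer_response = attach_mac(
        {0: "0110", 2: "411111******1111", 4: "000000010000",
         11: "123456", 37: "000000000001", RESPONSE_CODE_FIELD: "05"},
        SAMPLE_MAC_KEY,
    )
    # The modification the article describes: the decline becomes an approval
    # in transit, but field 64 cannot be recomputed without the MAC key.
    tampered = dict(issuer_response)
    tampered[RESPONSE_CODE_FIELD] = APPROVED

    return {
        "genuine_verifies": verify_mac(issuer_response, SAMPLE_MAC_KEY),
        "genuine_accepted": acquirer_accepts(issuer_response, SAMPLE_MAC_KEY),
        "tampered_verifies": verify_mac(tampered, SAMPLE_MAC_KEY),
        "tampered_accepted_with_mac_check": acquirer_accepts(tampered, SAMPLE_MAC_KEY),
        "tampered_accepted_without_mac_check": acquirer_accepts(tampered, SAMPLE_MAC_KEY, require_mac=False),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two entries of the result are the whole story: the same rewritten message is honoured by a switch that never checks field 64 and rejected by one that does, which is why the mitigation section's first recommendation is to verify that message authentication is actually enforced rather than merely present in the specification.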

### An Escalating Threat

The identification of a Linux variant of FASTCash is especially alarming because **Linux servers** are frequently utilized in crucial infrastructure environments, including financial organizations. Numerous entities lack sufficient detection capabilities for Linux-based threats, rendering these systems appealing targets for cybercriminals.

As **haxrob** remarked in their analysis, “Discovery of the Linux variant further accentuates the need for adequate detection capabilities which are often absent in Linux server environments.” This highlights the necessity of enhancing security measures across all platforms, not solely Windows or Unix-based systems.

## The Bigger Picture: North Korea’s Cybercrime Operations

The group behind FASTCash, known as **BeagleBoyz**, is a subgroup of the broader **HiddenCobra** organization, which is backed by the North Korean regime. Since 2015, BeagleBoyz has been responsible for a series of significant cyberattacks that attempted to steal nearly **$2 billion** from financial institutions globally.

In addition to stealing funds, BeagleBoyz has also been known to **manipulate and disable crucial computer systems** at banks and other financial organizations. These assaults form part of a larger scheme by North Korea to finance its regime through cybercrime, as international sanctions have severely constrained the country’s access to conventional financial resources.

## Mitigating the Threat

Given the sophistication of FASTCash and its capacity to target multiple platforms, financial institutions need to take proactive measures to safeguard their systems. Here are some essential recommendations:

1. **Fortify ISO 8583 Implementations**: Ensure that all systems managing ISO 8583 messages are correctly configured, with solid message authentication mechanisms in place.