Lazarus Group Targets Bank Networks to Rob ATMs
In addition to its 2014 attack on Sony Pictures, the Lazarus Group, also known as Hidden Cobra, has been attacking the ATMs of Asian and African banks since 2016, and today Symantec revealed that the group has been successful in its “FASTCash” operations by first targeting the banks' networks.
“The operation known as 'FASTCash' has enabled Lazarus, to fraudulently empty ATMs of cash. To make the fraudulent withdrawals, Lazarus first breaches targeted banks’ networks and compromises the switch application servers handling ATM transactions,” Symantec wrote in today’s blog post.
“Once these servers are compromised, previously unknown malware (Trojan.Fastcash) is deployed. This malware in turn intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses, allowing the attackers to steal cash from ATMs.” By injecting a malicious Advanced Interactive eXecutive (AIX) executable into a legitimate process on the switch application of the network that handles ATM transactions, the attacker is able to monitor incoming messages and intercept fraudulent, attacker-generated transaction requests, preventing them from reaching the switch application.