The Department of Homeland Security (DHS) issued an alert yesterday for a backdoor Trojan known as Hidden Cobra FASTCash. The Trojan is related to the North Korean Hidden Cobra Trojan, and it was detected last March.
APT Actors using FastCash
Advanced Persistent Threat (APT) actors have used FASTCash tactics to target banks in Africa and Asia. The term APT usually refers to a highly organized and well-funded group, such as a government or quasi-government agency. The U.S. Government has not confirmed any FASTCash incidents, and no U.S. institutions have been affected.
Figure: FASTCash flow chart (source: US-CERT)
The Trojan remotely compromises payment switch application servers within banks to facilitate fraudulent transactions. According to the U.S. Government, APT actors continue to use FASTCash tactics to target retail payment systems vulnerable to remote exploitation.
Furthermore, the same APT actors have stolen tens of millions of dollars. The APT actors enabled cash to be withdrawn simultaneously from ATMs last year. Similarly, the same actors enabled simultaneous ATM cash withdrawals in 2018.
The APT actors target the retail payment system infrastructure within banks to enable fraudulent ATM cash withdrawals across national borders. To do so, the APT actors have configured and deployed legitimate scripts on compromised switch application servers. The goal is to intercept financial request messages and reply with fraudulent but legitimate-looking affirmative response messages.
IBM Systems May Be Targeted
Most noteworthy, all of the compromised switch application servers were running unsupported IBM Advanced Interactive eXecutive (AIX) operating system versions, beyond the end of their service pack support dates. There is no evidence that the APT actors successfully exploited the AIX operating system itself.
Additionally, the APT actors exploited the targeted systems using their knowledge of International Standards Organization (ISO) 8583, the standard for financial transaction messaging, and other tactics.
The APT actors most likely deployed ISO 8583 libraries on the targeted switch application servers. The malicious threat actors use these libraries to help interpret financial request messages and properly construct fraudulent financial response messages.
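A defender-side illustration of the point above, added here as an example and not code from the alert or from any bank's switch: because a FASTCash-style switch answers ATM requests without the core banking system ever authorizing them, an approval (ISO 8583 0210 with response code 00) that has no matching core authorization record is the symptom to hunt for. The minimal ISO 8583 parser, the simplified ASCII encoding (4-character MTI, 16-hex-character primary bitmap, a handful of fields) and all messages and log records are constructed for this example.

```python
"""Correlate ISO 8583 approvals seen at the payment switch with the core-banking
authorization log; approvals the core never issued are flagged.
Constructed sample data and a simplified ASCII ISO 8583 layout (assumptions)."""

# Lengths of the few fields this example handles: "LL" = 2-digit length prefix.
FIELD_SPEC = {2: "LL", 4: 12, 11: 6, 39: 2, 41: 8}

def build_iso8583(mti, fields):
    """Serialize MTI + primary bitmap + fields (ascending field numbers)."""
    bitmap = sum(1 << (64 - n) for n in fields)
    body = ""
    for n in sorted(fields):
        val, spec = fields[n], FIELD_SPEC[n]
        body += (f"{len(val):02d}" + val) if spec == "LL" else val.zfill(spec)
    return f"{mti}{bitmap:016X}{body}"

def parse_iso8583(msg):
    """Parse MTI, primary bitmap and the fields listed in FIELD_SPEC."""
    mti, bitmap, body = msg[:4], int(msg[4:20], 16), msg[20:]
    if bitmap >> 63:  # bit 1 announces a secondary bitmap; not handled here
        raise ValueError("secondary bitmap not handled in this example")
    fields, pos = {}, 0
    for n in range(2, 65):
        if not (bitmap >> (64 - n)) & 1:
            continue
        spec = FIELD_SPEC[n]  # KeyError for any field outside this example
        if spec == "LL":
            length, pos = int(body[pos:pos + 2]), pos + 2
        else:
            length = spec
        fields[n], pos = body[pos:pos + length], pos + length
    return mti, fields

def find_unbacked_approvals(switch_msgs, core_auth_log):
    """(STAN, terminal) of every 0210 approval with no core authorization record."""
    core = {(r["stan"], r["terminal"]) for r in core_auth_log}
    hits = []
    for raw in switch_msgs:
        mti, f = parse_iso8583(raw)
        if mti == "0210" and f.get(39) == "00" and (f[11], f[41]) not in core:
            hits.append((f[11], f[41]))
    return hits

# Constructed sample: one approval the core authorized, one decline, and one
# approval (STAN 000777) the core banking system never saw.
SWITCH_LOG = [
    build_iso8583("0210", {2: "4111111111111111", 4: "000000010000", 11: "000123", 39: "00", 41: "ATM00001"}),
    build_iso8583("0210", {2: "4111111111111111", 4: "000000050000", 11: "000124", 39: "51", 41: "ATM00001"}),
    build_iso8583("0210", {2: "5500000000000004", 4: "000000900000", 11: "000777", 39: "00", 41: "ATM00042"}),
]
CORE_AUTH_LOG = [{"stan": "000123", "terminal": "ATM00001"}]
```

Running `find_unbacked_approvals(SWITCH_LOG, CORE_AUTH_LOG)` returns only the approval for STAN 000777 at ATM00042; a decline without a core record is not flagged because no cash left the ATM.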