{
	"id": "291d2e2d-8fb3-4e9f-b150-ddcae725012a",
	"created_at": "2026-04-06T00:07:54.182761Z",
	"updated_at": "2026-04-10T03:38:19.616635Z",
	"deleted_at": null,
	"sha1_hash": "1fd017e9d3b32e45aab2b6d7e0f61102dc29fb93",
	"title": "FASTCash for Linux",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 802164,
	"plain_text": "FASTCash for Linux\r\nBy haxrob\r\nPublished: 2024-10-13 · Archived: 2026-04-05 14:50:19 UTC\r\nIntroduction\r\nThis post analyzes a newly identified variant of the FASTCash \"payment switch\" malware which specifically targets the Linux operating system. The term 'FASTCash' refers to the DPRK-attributed malware that is installed on payment switches within compromised networks that handle card transactions, for the purpose of facilitating the unauthorized withdrawal of cash from ATMs.\r\nIn this example, 'FASTCash for Linux' has intercepted a declined card transaction, added funds and approved it before the response reaches the acquirer.\r\nDiscovery of a Linux variant adds to the list of operating systems that this malware has been compiled for, with prior samples known to target IBM AIX (FASTCash for UNIX) and Microsoft Windows (FASTCash for Windows).\r\nAs per an amendment to CISA's 2018 advisory for the Windows variant:\r\nSince the publication of the in October 2018, there have been two particularly significant developments in the campaign: (1) the capability to conduct the FASTCash scheme against banks hosting their switch applications on Windows servers, and (2) an expansion of the FASTCash campaign to target interbank payment processors.\r\nThe first submission of 'FASTCash for Windows' to VT was during September 2019, and it was first publicly referenced by CISA in 2020. During the author's discovery of the Linux variant, additional Windows samples were identified which had been submitted to VT during June 2023, overlapping in time with the Linux variant submission. 
(Notably, the most recent Windows variant with a previously unreported hash was submitted in September 2024.)\r\nhttps://doubleagent.net/fastcash-for-linux/\r\nPage 1 of 17\r\nBoth the identified Linux and Windows variants work in the currency of Turkish Lira, as opposed to the Indian Rupee in the AIX variant.\r\nThe newly identified (not yet attributed) Windows samples have some detections, likely due to the process injection methods used, although the Linux sample that is the primary focus of this post has no detections as of writing:\r\nIoCs can be found at the end of this post.\r\nBased on analysis of CISA's reported Windows sample against the Linux sample, both are targeting very similar or the same payment infrastructure (bank or interbank network) within the same country. This assertion is based on the unique properties of the fraudulent transaction responses that both variants share. Further details on this attribution can be found in the technical analysis later in this post.\r\nThe Linux sample that is the primary focus here has been compiled for Ubuntu Linux 22.04 and developed sometime after April 21 2022 (based on the compiler version), most likely in a virtual machine running on the VMware hypervisor.\r\nThe Linux variant has slightly reduced functionality compared to its Windows predecessor, although it still retains the key functionality: intercepting declined (magnetic swipe) transaction messages for a predefined list of cardholder account numbers and then authorizing the transaction with a random amount of funds in Turkish Lira.\r\nPrior reporting:\r\n- The FASTCash for Windows sample ( switch.dll ) reported in CISA/DHS MAR-10257062-1.v2, which cites attribution to HIDDEN COBRA.\r\n- Analysis of the AIX and the original Windows variant by Kevin Perlow, presented in his Blackhat 2021 talk and related paper. 
As such, this post will specifically focus on the newly identified Linux variant and its relation to the original Windows variant.\r\nThe next section of this post explores in detail the terminology and technology related to card transaction processing systems. The intention of this section is to help facilitate the understanding of concepts fundamental to card transaction platforms.\r\nSkip to Part 2 around midway in this post if you would rather head straight into the analysis of the Linux variant.\r\nPart 1 - Terminology and Technology\r\nParties involved\r\nFirst we start with terms used to refer to parties which may participate in a (credit or debit) card transaction:\r\nAcquirer (or merchant acquirer, or acquiring bank) - Enables a merchant to accept payment from a cardholder. For example, this is the bank a retail shop uses to enable their customers to make payments. The acquiring bank owns the ATM/PoS terminals and associated switch software and interchange connectivity.\r\nIssuer - The bank or financial institution that provides the credit or debit card to a customer. Within the context of the switch system, the issuer is the one that responds to acquirers with an approval or rejection message for a transaction. An issuer can also be the acquiring bank.\r\nCard Scheme / Card Network - Visa, Mastercard etc. In these examples, the card scheme is an intermediate party between the acquirer and issuer. There are exceptions, for example AMEX can also be the issuer. The issuing bank is a member of the card scheme.\r\nTo illustrate, the following diagram assumes the cardholder makes a purchase on a credit card. The shop terminal reads the card data and sends it to the shop merchant's acquiring bank. Since the cardholder belongs to a different bank, the request is sent to the card network (Visa, Mastercard etc.). 
The card issuing bank (the bank of the shopper) then does balance checks and so forth.\r\nExample flow of an authorization request for a purchase with a credit card\r\nPayment switch\r\nA \"Switch\" is an intermediary routing system for card transaction messages. Switches may connect multiple endpoints (ATM/POS terminals) to bank Hosts or provide transit between parties such as interbank networks, performing duties such as routing of transactions, protocol conversion, and reporting/logging. Here \"Host\" may refer to a financial institution's core banking systems that perform the actual financial transaction against the cardholder's account.\r\nThe tampering with transaction messages performed by FASTCash malware takes place within a userspace process on a compromised switch where a message authentication code is either missing or not validated. The following diagram helps illustrate the role and placement of payment switches or ATM controllers.\r\nIn the above diagram we have an assortment of ATMs and PoS terminals speaking a mixture of protocols. The switches are also speaking different dialects of ISO8583 for interoperability between payment networks. The core banking systems (Centralized Online Real-time Environment) handle the actual transaction processing for the cardholder (for example, depositing or withdrawing funds from their account). The cardholder's PIN used to authorize the transaction is handled in encrypted form by an HSM.\r\nProtocols and Interfaces\r\nCentral to all of this is the ISO8583 message format. The standard, known as \"Financial Transaction Card-Originated Messages — Interchange Message Specifications\", details the format for debit and credit card transactions: actions such as checking a balance, withdrawing cash from an ATM or making a purchase from a Point of Sale terminal at a retail store. 
The fields are called \"data elements\" and are referenced by an integer number. Proprietary platforms or payment networks that process these messages will detail the meaning and format of data elements specific to their implementation. These specifications can get quite lengthy, often spanning many hundreds of pages.\r\nThe first version of ISO8583 was released in the 80's - ISO8583:1987 , established upon an older ANSI standard, X9.2 . Before the ANSI standard gained adoption in the early 1980s, financial institutions used their own protocols and message structures. A newer, more generic standard (not limited to card transactions) is ISO20022 , which is represented in XML or encoded in ASN.1. Again, different payment networks or even countries may have their own derivatives based upon ISO8583 . For example, in Australia this is known as AS2805 , which is used for EFTPOS transactions.\r\nWhile the standard does not define the transport protocol, these days it is common for TCP/IP to be used between switches. Predating the Internet as we know it, many public and private packet switched networks were X.25 based and often used in financial networks - and quite possibly still are in some places. Remnants of the X.25 era still apply today when referring to card transactions: the ISO8583 standard does not specify how to route the messages over the network, and as such a TPDU (Transport Protocol Data Unit) was often used. The TPDU may include the origin and destination addresses (e.g. terminal and national network) and a message length. Once upon a time, hardware routers existed that supported these messages over X.25 packet switched networks and within HDLC / SDLC links. 
In addition to a TPDU , a 16 bit unsigned integer is often prefixed before the TPDU to indicate the message length (including the TPDU length of 5 bytes).\r\nVanguard Networks TPDU Protocol, page 4\r\nWe will see later that linux.fastcash (and the Windows variants) expects ISO8583 messages to include both a 2 byte message length and a TPDU prefixed before the ISO8583 message.\r\nTerminals\r\nAutomatic Teller Machines\r\nATMs are often connected to a network via dial-up/ADSL or leased lines. While most modern ATMs support TCP/IP, supposedly the 1960's IBM BSC / Bisync protocol may still be used in old ATMs, such as BSC3270. ATM vendors often have their own proprietary protocol such as NDC/NDC+ (NCR Direct Connect), DDC (Diebold Direct Connect) and Triton. While not published in the public domain, documents related to these standards can be found on the Internet. At some point a global standard, CEN/XFS, was introduced which relieved the \"vendor lock-in\" of mandating a specific ATM vendor's supported controller/switch product.\r\nPoint of Service\r\nThese days we often spot PoS terminals using connectivity over a telecom network or twisted pair over the PSTN. Older PoS terminal devices may have required a POS concentrator. Taking an example - a very early proprietary PoS protocol (like many, based on ISO8583 ) is called HPDH (Hypercom POS Device Handler). Specification documents (again, found by an Internet search) detail an HDLC frame which includes a 5 byte TPDU with a fixed ID number 0x60 which corresponds to the message type \"Transactions\":\r\nHypercom HDLC frame including TPDU and ISO8583 message\r\nThe use of 0x60 in a PoS TPDU appears common across different vendors and implementations, perhaps inherited from Hypercom. 
The Windows and Linux FASTCash variants use very specific values in the TPDU header which could possibly provide pointers to what kind of systems the infected switch(es) are interfacing with. More on this later.\r\nMore on ISO8583\r\nLet's take a look at some of the fields within the standard:\r\nMTI - Four digits that indicate the source and function of the message. linux.fastcash (and the other related variants) support 100/110 (authorization, used here for balance enquiry) and 200/210 (financial transaction). Balance checks ( MTI 100 ) are likely used to verify that the malware is working, by verifying that the cardholder now has the fraudulent amount of funds in their account.\r\nMTI table, page 2 from jPOS Common Message Format\r\nBitfield - A bitmap that marks which fields are present in the message. The position of the bit represents the data element ID number.\r\nData Element - The actual field that contains the information for a transaction. The standard specifies the meaning and format of many of these fields, but not all. We will come across custom formats with the FASTCash malware which are likely specific to the target's network or switch implementation. When we refer to data elements, the convention is DE prefixed to the element number.\r\nA description of some fields:\r\nDE2 (Primary Account Number) - The PAN, or customer account number\r\nDE3 (Processing Code) - Identifies the type of transaction. FASTCash checks this code to determine if \"insufficient funds\" is being returned from the issuer for a transaction.\r\nDE4 (Transaction Amount) - Typically the value of the funds, for example, the amount being requested to be withdrawn. linux.fastcash uses a different field for this.\r\nDE22 (Point of Service Entry Mode) - The entry mode and PIN capability. Here FASTCash looks for Magnetic Swipe mode.\r\nDE49 (Transaction Currency Code) - The currency code (as per ISO4217 ) of the funds. 
linux.fastcash and its Windows equivalent specify TRY and a prior AIX variant can be found to use INR .\r\nDE52 (PIN) - Encrypted PIN, which might be omitted if a PIN was not used (e.g. customer signed). In the case of linux.fastcash and its prior Windows variant, the malware explicitly removes this field and the associated DE53 (security related control information) field.\r\nA valuable reference document is \"jPOS Common Message Format\".\r\nIntegrity and Encryption\r\nFASTCash malware targets ISO8583 messages at a specific intermediate host where security mechanisms that ensure the integrity of the messages are missing, and hence the messages can be tampered with. If the messages were integrity protected, a field such as DE64 would likely include a MAC (message authentication code). As the standard does not define the algorithm, the MAC algorithm is implementation specific.\r\nOne example of the secret used in a MAC algorithm is the encrypted TSK (Terminal Session Key) from the commonly used Master/Session key management scheme in ATM/PoS devices (MK/SK is being replaced by DUKPT, and many vendors support both). The PCI standards body publishes a list of approved PTS (PIN Transaction Security) devices which gives an idea of the symmetric key algorithms and key management schemes employed here. In an ATM, the device here is the actual \"PIN keyboard\" which encrypts the PIN very early on - and hence the ATM O/S (often running Microsoft Windows) is never exposed to the customer's plain-text PIN.\r\nFASTCash malware modifies transaction messages at a point in the network where tampering will not cause upstream or downstream systems to reject the message. 
A feasible position of interception would be where the ATM/PoS messages are converted from one format to another (for example, the interface between a proprietary protocol and some other form of an ISO8583 message) or where some other modification to the message is done by a process running on the switch.\r\nOperating systems and platforms\r\nThe linux.fastcash sample was compiled for Ubuntu Linux 22.04 (Jammy Jellyfish) with GCC 11.3.0 . ATM switch software running on Ubuntu Linux though? Let's dig a bit further into the ecosystem to see if this fits. It goes without saying that performance (fast I/O) and high availability are paramount in core banking infrastructure. Examples of well known companies that develop switch software for banks include ATOS, ACI (Base 24) and BCP (SmartVista). This type of software can be found supported on \"mainframe\" or equivalent fault tolerant platforms manufactured by IBM, HP and others.\r\nA Google search away reveals documentation and commercial presentations for traditional ATM switch software vendors which mostly advertise support for proprietary UNIX-like systems and Microsoft Windows. For example, in addition to AIX and Windows, BCP has advertised support for running on Red Hat Linux. More recently, companies have emerged on the scene with their switch software running in the cloud (e.g. AWS) and in containers. There are switch software vendors that do advertise generic support for Linux, although their names will be omitted here to avoid possible confusion/mistaken attribution.\r\nAt risk of going off track a bit here, let's take a brief look at central switches which are in a different class of their own. These switches, run by interbank (ATM) networks and card schemes such as Visa and Mastercard, mandate high transaction rates on fault tolerant platforms. 
In some instances this could be custom software written to run on 'mainframe' type platforms such as the IBM Z series.\r\nVisa states a maximum capacity of 65,000 transactions per second: that is actually a very high number with respect to financial transactions. At least historically, central switch software was likely developed in-house and written in assembly for z/TPF. To give an idea of the scale of this transaction processing capability, for reference, a commercial presentation dated 2010 found on the Internet describes a load test simulation with 17,000 ATMs and 27,000 trade terminals resulting in 650 transactions per second loading a (now dated) HP Integrity Superdome 2 (Itanium 9350 w/64 cores) running HP-UX at 75% CPU usage.\r\nOn the topic of HP, in the 1970s a primary competitor to IBM's mainframes was Tandem, a \"dominant manufacturer of fault-tolerant computer systems for ATM networks, banks, stock exchanges\". Tandem's NonStop fault tolerant systems exist today in a different form, absorbed within HP Enterprise. Here is a relatively recent article on Tandem and fault tolerant systems which makes for an informative read.\r\nTo summarize this section: Ubuntu Linux, at least traditionally, does not really fit into core banking system infrastructure. With the increased adoption of open source, it is certainly likely that other commercially supported Linux distributions could be found elsewhere in payment networks on systems that handle card transaction messages. On the topic of open source, jPOS is a well known open source payment switch software, with numerous newsgroup discussions revealing developers discussing integration into both ATM and PoS related platforms. 
Someone has even made a driver available for jPOS which adds support for the proprietary NDC ATM protocol.\r\nAnother theory on the Ubuntu Linux connection is that the malware developer was just using this as a base O/S for development purposes and planned on compiling it for a different platform at a later time.\r\nPart 2 - FASTCash for Linux Analysis\r\nAttribution\r\nCISA's report \"North Korean Remote Access Tool: FASTCASH for Windows\" references a malware sample that manipulates ISO8583 transaction messages in the same manner. Both the Windows and this Linux sample:\r\n- Generate a random amount of Turkish Lira to be fraudulently added to the authorization response messages. The ISO4217 value of 949 representing Turkish Lira is specified in DE54 (Additional amounts).\r\n- Use the same custom value of 0387T in DE48 (\"Additional data, private\"), which is likely specific to the target payment processing systems. Think of DE48 as a custom field whose meaning depends on what is specified for a specific network. The meaning of 0387T might be specific to a particular software vendor, or it could be a localized customization.\r\n- Strip out 14 specific data elements when tampering with the authorization response message. Many of the elements are marked \"Reserved for private\" as per the ISO8583 standard. It is unknown why this was done.\r\nThere are some similarities in the relevant code segments of the Windows ( switch.dll ) and Linux ( libMyFc.so ) variants in how the response message is constructed. The format string for the currency format and the additional data elements match. 
\"Additional Data - Private\" could be considered a \"free text field\" as per the ISO8583 standard, and is assumed to be implementation specific.\r\nThe range for the random funds amount generated per fraudulent transaction is the same ( 12000 to 30000 ):\r\nAlso similar is the hooking of the recv call of a target process, validating the transaction type (MTI 1xx, 2xx) and checking that the transaction was from a magnetic swipe.\r\nBoth samples expect packets with a 2 byte message length, followed by a 5 byte TPDU . Both samples also set a constant value of 0x06 in the first byte and 0x00 in the last byte of the TPDU . It is unclear why this is done without knowledge of the downstream system(s) that will receive the fraudulent response message.\r\nInjected responses have the same header\r\nlinux.fastcash has reduced functionality compared to its Windows and AIX variants. For example, hardcoded IP checks and incorrect PIN handling are not present.\r\nIn respect to the ISO8583 response message validation, there is a slight difference: the DE3 (processing code) response values that are checked to match a balance enquiry or withdrawal differ in their integer value (although the implementation of how the messages are tampered with is the same). This difference may reflect that the Linux version runs on switch software that interfaces with a slight deviation in the representation of the processing code data element. That said, the subsequent tampering for both the balance enquiry and the withdrawal is the same.\r\nImplementation\r\nUnlike the prior samples, the Linux variant is mostly written in object oriented C++ and was not stripped, retaining global variable and class names. 
The purpose of each member function of the MyFc class is self evident:\r\nExported class member functions\r\nIt is likely that GCC 11.3.0 was used to compile the source on Ubuntu Linux 22.04:\r\nDetect It Easy\r\nOne identified sample was partially packed with UPX version 4.02 . It is unlikely that this packed sample was used in practice, as UPX is not compatible with ELF shared libraries. Notably, not all sections were successfully packed:\r\nHere the AES IV and key are present in plaintext in the packed sample\r\nInitialization\r\nThe malware is implemented as a shared library, intended to be injected into an existing running process by utilizing ptrace . Code is likely taken from process_injection_example to invoke ptrace , which then relies on subhook to set up the hook into glibc's recv .\r\nIf the address of recv cannot be found, an empty file with the name GetSymbolFailed is written to the current working directory.\r\nThe /mnt/hgfs path points to the VMware hypervisor possibly being used during development.\r\n/mnt/hgfs : VMware uses the hgfs file system for mounting shared folders between host and VM\r\nThe initial entry point SoMain is invoked upon loading the shared library, with the address of the function being an entry in the .init_array section, likely because the original source was decorated with __attribute__((constructor)) .\r\nSoMain attempts to decrypt the configuration file by calling the Initialize member function of the FcCfg class, and then, if successful, resolves and hooks glibc 's recv function in order to parse incoming packets from the hooked process's network socket(s).\r\nThe configuration file located at /tmp/info.dat contains a list of PANs (Primary Account Numbers) which is encrypted with AES128 CBC using the open source library \"Tiny AES in C\". 
The decryption routine uses the key W7SLFSG4OPBJNAA8 and initialization vector GXCR7299I9MOWS97 .\r\nPAN file encrypted with 128 bit AES - CBC\r\nInterception of packets\r\nMyFc::recv maintains a \"state\" for the incoming ISO8583 messages of a transaction, which is initialized when the target process expects to receive exactly two bytes. This is the length header, expected to contain a 16 bit unsigned integer corresponding to the ISO8583 message size in bytes.\r\nThe hooked recv routine parses the message size from the first 2 bytes, then calls recvall until that length of data has been received, copies it into a buffer and then unpacks it into an ISO8583 message for parsing. Note the 5 byte offset into the received buffer passed to DL_ISO8583_MSG_Unpack . This corresponds to the 5 byte TPDU .\r\nApproximate representation of the injected recv() implementation\r\nAs with other variants, the \"Oscar-ISO8583\" C library has been used to parse and repack the ISO8583 messages.\r\nOn receiving a valid ISO8583 message, the MTI (Message Type Indicator) message class is checked to see that the origin is the acquirer with an authorization ( x100 ) or financial ( x200 ) request.\r\nMTI, PAN, Point of Service\r\nMTI 100 or 200 matched\r\nThe DE22 (Point of Service entry mode) is checked to be a magnetic swipe read. The initial value in the field is expected to be three digits in BCD format. It is converted to an integer with stoi then divided by 100 , effectively retaining the first digit, which is then compared to the value 9 - Magnetic Swipe. By discarding the other digits, the \"PIN capability\" (how the PIN was obtained) is not considered.\r\nEntry mode containing 9.\r\nThe PAN in the message is then matched against the list in the decrypted configuration file. 
If there is a match, the following fields are verified to be populated:\r\nProcessing code ( DE3 )\r\nTransaction amount ( DE4 )\r\nSystem trace audit number ( DE11 )\r\nCurrency ( DE49 )\r\nThe PAN , transaction amount and currency are then logged to the file /tmp/trans.dat\r\nGenerating fraudulent responses\r\nThe real magic happens in the appropriately named MyFC::Hack . A random amount between 12000 and 30000 is generated (at the April 2022 TRY/USD exchange rate this would equate to approximately 800 USD to 2,000 USD. Due to inflation in Türkiye, at the time of writing, the value in USD is less than half this. One has to wonder if the threat actor updated the figures in the malware at any stage to accommodate this.) The 3rd digit of the MTI is set to 1 , which represents a response message.\r\nDE3 (processing code) is checked against two error codes: 51 (Insufficient Funds) or 48 , which is \"Reserved for ISO use\", here likely representing a balance check.\r\n51 - Insufficient Funds\r\nIn the case of 51 , insufficient funds, DE38 (approval code) is overwritten with whitespace and DE39 (Action code) is set to \"approve\" by the Approve function.\r\nThe fraudulent balance is specified in a string of format AA VV CCC X NNNN... which is set in DE54 (Additional amounts).\r\nAccording to the standard, the format is:\r\nAA is the account type\r\nVV is the type of amount (here 02 , meaning available account balance)\r\nCCC is the currency code (here 949 , meaning TRY )\r\nX is the sign ( C meaning positive/credit, D meaning negative/debit)\r\nNNNN.. is the amount (here the random amount multiplied by 100 ). 
It is possible that this amount is specified in kuruş (the minor unit of the Lira).\r\n48 - Reserved for ISO use (assumed balance check)\r\nIf a processing code of 48 is received instead of 51 (Insufficient funds), DE38 (Approval code) is populated with the random fund amount, which is effectively multiplied by 1.3 (the multiplication and division) and then constrained to 6 digits via the modulo operation. Additionally, as before, the very specific string 0387T is set in DE48 (Additional data, private), as is done in the \"insufficient funds\" routine. At the time of writing, the meaning of this string is undetermined.\r\nProcessing code \"48\" approximation\r\nThis is likely to occur for MTI response 110 for a balance enquiry.\r\nAfter the relevant processing code has been handled, there are additional modifications to remove 14 specific fields:\r\nData elements removed when assembling the fraudulent message\r\nA header is assembled which contains the total length (including the header size of 5 bytes), followed by a hardcoded value of 6 which may correspond to the ID field in a TPDU header. The function PlatformSocketSend calls the send system call for the fraudulent message to be sent onwards to the acquirer.\r\nDetection and prevention\r\nDiscovery of the Linux variant further emphasizes the need for adequate detection capabilities, which are often lacking in Linux server environments. The process injection technique employed to intercept the transaction messages should be flagged by any commercial EDR or open source Linux agent with the appropriate configuration to detect usage of the ptrace system call. 
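On the host side, the following added example (editor-written, not code from the post or the malware) is a triage script for the injection technique just described: it lists the shared objects mapped into a process from /proc/<pid>/maps, flags any not loaded from the usual library directories or named libMyFc.so, reports a live tracer via TracerPid, hashes the flagged objects against the post's Linux SHA-256 IoCs, and checks for the /tmp/info.dat and /tmp/trans.dat files the post reports. The trusted directory list, the /tmp staging path of the .so and the sample /proc text are assumptions made for the example. TracerPid is only non-zero while the injector is attached; one that detaches after loading the library leaves just the mapped .so behind, which is why the maps check is the primary signal.

```python
# Added example (editor-written, not code from the post): host side triage for a
# shared object injected with ptrace into a running process. Trusted directories
# and the sample /proc text below are assumptions made for the example.
import hashlib
import os

# SHA-256 IoCs for the Linux samples, copied from the post
LINUX_IOCS = {
    'f34b532117b3431387f11e3d92dc9ff417ec5dcee38a0175d39e323e5fdb1d2c',
    '7f3d046b2c5d8c008164408a24cac7e820467ff0dd9764e1d6ac4e70623a1071',
}
# Where a legitimate shared library is expected to live (assumption, tune per host)
TRUSTED_LIB_DIRS = ('/lib/', '/lib64/', '/usr/lib/', '/usr/lib64/', '/usr/local/lib/', '/opt/')
# Files the post reports the malware reading and writing
SUSPECT_PATHS = ('/tmp/info.dat', '/tmp/trans.dat')

def mapped_libraries(maps_text):
    # Each maps line: start-end perms offset dev inode [path]; keep .so paths
    libs = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) == 6 and parts[5].startswith('/') and '.so' in parts[5]:
            path = parts[5].strip()
            if path.endswith(' (deleted)'):   # unlinked after injection, still mapped
                path = path[:-10]
            libs.add(path)
    return libs

def suspicious_libraries(maps_text):
    return sorted(p for p in mapped_libraries(maps_text)
                  if not p.startswith(TRUSTED_LIB_DIRS) or os.path.basename(p) == 'libMyFc.so')

def tracer_pid(status_text):
    # Non zero only while a tracer is attached; an injector that detaches leaves 0
    for line in status_text.splitlines():
        if line.startswith('TracerPid:'):
            return int(line.split(':', 1)[1].strip())
    return 0

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()

def triage(pid, maps_text, status_text, hash_of=sha256_file, exists=os.path.exists):
    # hash_of and exists are injectable so the logic can run against captured text
    findings = []
    for lib in suspicious_libraries(maps_text):
        findings.append('pid %d maps %s from an untrusted location' % (pid, lib))
        try:
            if hash_of(lib) in LINUX_IOCS:
                findings.append('pid %d: %s matches a FASTCash for Linux IoC' % (pid, lib))
        except OSError:
            findings.append('pid %d: %s is mapped but no longer readable on disk' % (pid, lib))
    tracer = tracer_pid(status_text)
    if tracer:
        findings.append('pid %d is currently ptraced by pid %d' % (pid, tracer))
    for path in SUSPECT_PATHS:
        if exists(path):
            findings.append('%s present' % path)
    return findings

def scan_live():
    # Walk /proc on the host; reading other processes needs matching privileges
    out = []
    for pid in (int(d) for d in os.listdir('/proc') if d.isdigit()):
        try:
            with open('/proc/%d/maps' % pid) as m, open('/proc/%d/status' % pid) as s:
                out += triage(pid, m.read(), s.read())
        except OSError:
            pass   # process exited or not readable by this user
    return out

# Constructed sample of a switch process with the library injected from /tmp
# (the staging path is an assumption; the post does not say where the .so sat)
SAMPLE_MAPS = '''7f1a00000000-7f1a00021000 r-xp 00000000 08:01 131073     /usr/lib/x86_64-linux-gnu/libc.so.6
7f1a00400000-7f1a00404000 r-xp 00000000 08:01 262145     /tmp/libMyFc.so
7ffd2a3f0000-7ffd2a411000 rw-p 00000000 00:00 0          [stack]
'''
SAMPLE_STATUS = '''Name: switchd
Pid: 4242
TracerPid: 0
'''

if __name__ == '__main__':
    for finding in scan_live():
        print(finding)
```

Run it as root on the switch host to walk every process; the `triage` function takes the maps and status text directly so the same logic can be run offline against files collected during incident response.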
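The fraudulent response described above (TPDU first byte 0x06 and last byte 0x00, MTI third digit 1, DE38 blanked, DE48 set to 0387T, DE54 carrying a 949 balance in the 12000 to 30000 range multiplied by 100) and the MAC discussion in the Integrity and Encryption section are both exercised by the following added example. It is editor-written Python, not code from the post or the malware: it frames a simplified ASCII ISO8583 message behind the 2 byte length and 5 byte TPDU the post describes, shows that a MAC in DE64 stops verifying once the message is tampered with, and flags the wire-level fingerprint of the tampered response. The field layout, the use of truncated HMAC-SHA256 as a stand-in for the implementation specific MAC algorithm, the demo key, the test PAN and the value 00 for DE39 approve are all assumptions made for the example; the decline is carried in DE39 here, whereas the post reports the Linux sample reading it from DE3 on its target switch.

```python
# Added example (editor-written, not code from the original post or the malware).
# Minimal ISO8583 codec behind the 2 byte length + 5 byte TPDU framing the post
# describes, a MAC check in DE64, and a fingerprint of the FASTCash response.
# The ASCII field layout, the MAC algorithm and the demo key are assumptions.
import hashlib
import hmac
import struct

LAYOUT = {  # assumed ASCII layout: ('fixed', length) or ('llvar', length digits)
    2: ('llvar', 2), 3: ('fixed', 6), 4: ('fixed', 12), 11: ('fixed', 6),      # PAN, proc code, amount, STAN
    22: ('fixed', 3), 38: ('fixed', 6), 39: ('fixed', 2), 48: ('llvar', 3),    # entry mode, approval, action, private
    49: ('fixed', 3), 52: ('fixed', 16), 53: ('fixed', 16), 54: ('llvar', 3),  # currency, PIN block, sec ctrl, amounts
    64: ('fixed', 16),                                                        # MAC, hex
}
MAC_KEY = bytes.fromhex('000102030405060708090a0b0c0d0e0f')  # constructed demo key
TPDU_POS = bytes.fromhex('6000000000')       # 0x60 ID as in the Hypercom example
TPDU_FASTCASH = bytes.fromhex('0600000000')  # 0x06 first byte, 0x00 last byte

def pack(mti, fields):
    # MTI, 16 hex char primary bitmap, then data elements in ascending order
    bitmap, body = 0, ''
    for de in sorted(fields):
        kind, n = LAYOUT[de]
        value = fields[de]
        if kind == 'fixed':
            if len(value) != n:
                raise ValueError('DE%d must be %d chars' % (de, n))
            body += value
        else:
            body += str(len(value)).zfill(n) + value
        bitmap |= 1 << (64 - de)
    return (mti + '%016X' % bitmap + body).encode('ascii')

def unpack(raw):
    s = raw.decode('ascii')
    mti, bitmap, pos, fields = s[:4], int(s[4:20], 16), 20, {}
    for de in range(2, 65):
        if not bitmap & (1 << (64 - de)):
            continue
        kind, n = LAYOUT[de]
        if kind == 'llvar':
            n, pos = int(s[pos:pos + n]), pos + n
        fields[de], pos = s[pos:pos + n], pos + n
    return mti, fields

def frame(tpdu, msg):
    # Big endian length covering the TPDU and the message, as the post describes
    return struct.pack('>H', len(tpdu) + len(msg)) + tpdu + msg

def unframe(buf):
    (n,) = struct.unpack('>H', buf[:2])
    if n < 5 or n != len(buf) - 2:
        raise ValueError('length prefix does not match the frame')
    return buf[2:7], buf[7:2 + n]

def compute_mac(mti, fields):
    # Illustrative only: HMAC-SHA256 over the packed message without DE64,
    # truncated to 8 bytes. The real algorithm is implementation specific.
    body = pack(mti, {k: v for k, v in fields.items() if k != 64})
    return hmac.new(MAC_KEY, body, hashlib.sha256).hexdigest()[:16].upper()

def verify_mac(raw):
    mti, fields = unpack(raw)
    return 64 in fields and hmac.compare_digest(fields[64], compute_mac(mti, fields))

def fastcash_indicators(tpdu, raw):
    # Wire level fingerprint of the tampered response as reported in the post
    mti, f = unpack(raw)
    hits = []
    if tpdu[0] == 0x06 and tpdu[-1] == 0x00:
        hits.append('tpdu_06_00')
    if mti[2] == '1' and f.get(48) == '0387T':
        hits.append('de48_0387T')
    amount = f.get(54, '')
    tail = amount[8:]
    if amount[:8] == '0002949C' and tail.isdigit() and 1200000 <= int(tail) <= 3000000:
        hits.append('de54_try_balance_12000_30000')
    if 38 in f and f[38].strip() == '':
        hits.append('de38_blank')
    return hits

def issuer_decline():
    # Constructed issuer response: magstripe withdrawal declined with 51
    f = {2: '4111111111111111', 3: '010000', 4: '000000050000', 11: '000123',
         22: '901', 39: '51', 49: '949'}
    f[64] = compute_mac('0210', f)
    return frame(TPDU_POS, pack('0210', f))

def fastcash_tamper(framed):
    # Constructed reproduction of the edits the post describes, to exercise the checks
    tpdu, raw = unframe(framed)
    mti, f = unpack(raw)
    f[38], f[39] = ' ' * 6, '00'    # 00 as the approve value is an assumption
    f[48] = '0387T'
    f[54] = '0002949C' + str(25000 * 100).zfill(12)
    f.pop(52, None); f.pop(53, None)
    return frame(TPDU_FASTCASH, pack(mti, f))

if __name__ == '__main__':
    legit = issuer_decline()
    for name, m in (('issuer', legit), ('fastcash', fastcash_tamper(legit))):
        tpdu, raw = unframe(m)
        print(name, 'mac_ok=%s' % verify_mac(raw), fastcash_indicators(tpdu, raw))
```

The MAC check is the preventive control CISA recommends: an acquirer that verifies DE64 drops the tampered response regardless of what was changed. The indicator list is the compensating detection for links that carry no MAC, and it is deliberately keyed on the constants the post reports rather than on any single field, since the PAN list and the random amount vary per transaction.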
As they say, prevention is better than the cure, and the recommendations are best summarized by CISA:\r\n- Implement chip and PIN requirements for debit cards.\r\n- Require and verify message authentication codes on issuer financial request response messages.\r\n- Perform authorization response cryptogram validation for chip and PIN transactions.\r\nIndicators of Compromise\r\nSHA-256 hashes\r\nFASTCash for Linux\r\nf34b532117b3431387f11e3d92dc9ff417ec5dcee38a0175d39e323e5fdb1d2c\r\n7f3d046b2c5d8c008164408a24cac7e820467ff0dd9764e1d6ac4e70623a1071 (UPX)\r\nFastCash for Windows\r\nafff4d4deb46a01716a4a3eb7f80da58e027075178b9aa438e12ea24eedea4b0\r\nf43d4e7e2ab1054d46e2a93ce37d03aff3a85e0dff2dd7677f4f7fb9abe1abc8\r\n5232d942da0a86ff4a7ff29a9affbb5bd531a5393aa5b81b61fe3044c72c1c00\r\n2611f784e3e7f4cf16240a112c74b5bcd1a04067eff722390f5560ae95d86361\r\nc3904f5e36d7f45d99276c53fed5e4dde849981c2619eaa4dbbac66a38181cbe\r\n609a5b9c98ec40f93567fbc298d4c3b2f9114808dfbe42eb4939f0c5d1d63d44\r\n078f284536420db1022475dc650327a6fd46ec0ac068fe07f2e2f925a924db49 (RAR)\r\nPreviously identified / attributed (2018 to 2020)\r\n129b8825eaf61dcc2321aad7b84632233fa4bbc7e24bdf123b507157353930f0 (Windows)\r\n10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba (AIX)\r\n3a5ba44f140821849de2d82d5a137c3bb5a736130dddb86b296d94e6b421594c (AIX)\r\nSource: https://doubleagent.net/fastcash-for-linux/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://doubleagent.net/fastcash-for-linux/"
	],
	"report_names": [
		"fastcash-for-linux"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "679e335a-38a4-4db9-8fdf-a48c17a1f5e6",
			"created_at": "2023-01-06T13:46:38.820429Z",
			"updated_at": "2026-04-10T02:00:03.112131Z",
			"deleted_at": null,
			"main_name": "FASTCash",
			"aliases": [],
			"source_name": "MISPGALAXY:FASTCash",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434074,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1fd017e9d3b32e45aab2b6d7e0f61102dc29fb93.pdf",
		"text": "https://archive.orkl.eu/1fd017e9d3b32e45aab2b6d7e0f61102dc29fb93.txt",
		"img": "https://archive.orkl.eu/1fd017e9d3b32e45aab2b6d7e0f61102dc29fb93.jpg"
	}
}