{
	"id": "0389bb35-57b5-4412-86cc-a95f45531644",
	"created_at": "2026-04-06T00:18:40.694266Z",
	"updated_at": "2026-04-10T03:38:20.375126Z",
	"deleted_at": null,
	"sha1_hash": "90ba6c70149017922b34205b121af9ef6ce8489a",
	"title": "FASTCash: How the Lazarus Group is Emptying Millions from ATMs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48046,
	"plain_text": "FASTCash: How the Lazarus Group is Emptying Millions from\r\nATMs\r\nArchived: 2026-04-05 17:03:09 UTC\r\nOn October 2, 2018, an alert was issued by US-CERT, the Department of Homeland Security, the Department of\r\nthe Treasury, and the FBI. According to this new alert, Hidden Cobra (the U.S. government’s code name for\r\nLazarus) has been conducting “FASTCash” attacks, stealing money from Automated Teller Machines (ATMs)\r\nfrom banks in Asia and Africa since at least 2016.\r\nLazarus is a very active attack group involved in both cyber crime and espionage. The group was initially known\r\nfor its espionage operations and a number of high-profile disruptive attacks, including the 2014 attack on Sony\r\nPictures. More recently, Lazarus has also become involved in financially motivated attacks, including a US$81\r\nmillion theft from the Bangladesh Central Bank and the WannaCry ransomware.\r\nFollowing US-CERT's report, Symantec’s research uncovered the key component used in the group's recent wave\r\nof financial attacks. The operation, known as “FASTCash”, has enabled Lazarus to fraudulently empty ATMs of\r\ncash. To make the fraudulent withdrawals, Lazarus first breaches targeted banks’ networks and compromises the\r\nswitch application servers handling ATM transactions.\r\nOnce these servers are compromised, previously unknown malware (Trojan.Fastcash) is deployed. This malware\r\nin turn intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses, allowing the\r\nattackers to steal cash from ATMs.\r\nAccording to the U.S. government alert, one incident in 2017 saw cash withdrawn simultaneously from ATMs in\r\nover 30 different countries. 
In another major incident in 2018, cash was taken from ATMs in 23 separate countries.\r\nTo date, the Lazarus FASTCash operation is estimated to have stolen tens of millions of dollars.\r\nHow FASTCash attacks work - Details\r\nIn order to permit their fraudulent withdrawals from ATMs, the attackers inject a malicious Advanced Interactive\r\neXecutive (AIX) executable into a running, legitimate process on the switch application server of a financial\r\ntransaction network, in this case a network handling ATM transactions. The malicious executable contains logic to\r\nconstruct fraudulent ISO 8583 messages. ISO 8583 is the standard for financial transaction messaging. The\r\npurpose of this executable has not been previously documented. It was previously believed that the attackers used\r\nscripts to manipulate legitimate software on the server into enabling the fraudulent activity.\r\nHowever, analysis by Symantec has found that this executable is in fact malware, which we have named\r\nTrojan.Fastcash. Trojan.Fastcash has two primary functions:\r\nhttps://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware\r\nPage 1 of 4\n\n1. It monitors incoming messages and intercepts attacker-generated fraudulent transaction requests to prevent\r\nthem from reaching the switch application that processes transactions.\r\n2. It contains logic that generates one of three fraudulent responses to fraudulent transaction requests.\r\nOnce installed on the server, Trojan.Fastcash will read all incoming network traffic, scanning for incoming ISO\r\n8583 request messages. It will read the Primary Account Number (PAN) on all messages and, if it finds any\r\ncontaining a PAN number used by the attackers, the malware will attempt to modify these messages. How the\r\nmessages are modified depends on each victim organization. It will then transmit a fake response message\r\napproving fraudulent withdrawal requests. 
The result is that attempts to withdraw money via an ATM by the\r\nLazarus attackers will be approved.\r\nHere is one example of the response logic that Trojan.Fastcash uses to generate fake responses. This particular\r\nsample has logic to construct one of three fake responses based on the incoming attacker request:\r\nFor Message Type Indicator == 200 (ATM Transaction) and Point of Service Entry Mode starts with 90 (Magnetic\r\nStrip only):   \r\n    If Processing Code starts with 3 (Balance Inquiry):\r\n                Response Code = 00 (Approved)   \r\n    Otherwise, if the Primary Account Number is Blacklisted by Attackers:       \r\n                Response Code = 55  (Invalid PIN)   \r\n    All other Processing Codes (with non-blacklisted PANs):\r\n                 Response Code = 00 (Approved)\r\nIn this case, the attackers appear to have built in a capability to selectively deny transactions based on their own\r\nblacklist of account numbers. However, the capability was not implemented in this sample, and the check for\r\nblacklisting always returns “False”.\r\nSymantec has found several different variants of Trojan.Fastcash, each of which uses different response logic. We\r\nbelieve that each variant is tailored for a particular transaction processing network and thus has its own tailored\r\nresponse logic.\r\nThe PAN numbers used to carry out the FASTCash attacks relate to real accounts. According to the US-CERT\r\nreport, most accounts used to initiate the transactions had minimal account activity or zero balances. How the\r\nattackers gain control of these accounts remains unclear. It is possible the attackers are opening the accounts\r\nthemselves and making withdrawal requests with cards issued to those accounts. 
Another possibility is the\r\nattackers are using stolen cards to perform the attacks.\r\nIn all reported FASTCash attacks to date, the attackers have compromised banking application servers running\r\nunsupported versions of the AIX operating system, beyond the end of their service pack support dates.\r\nLazarus is a very active group involved in both cyber crime and espionage. Lazarus was initially known for its\r\ninvolvement in espionage operations and a number of high-profile disruptive attacks, including the 2014 attack on\r\nSony Pictures that saw large amounts of information being stolen and computers wiped by malware.\r\nIn recent years, Lazarus has also become involved in financially motivated attacks. The group was linked to the\r\n$81 million theft from the Bangladesh central bank in 2016, along with a number of other bank heists.\r\nLazarus was also linked to the WannaCry ransomware outbreak in May 2017. WannaCry incorporated the leaked\r\n“EternalBlue” exploit that used two known vulnerabilities in Windows (CVE-2017-0144 and CVE-2017-0145) to\r\nturn the ransomware into a worm, capable of spreading itself to any unpatched computers on the victim’s network\r\nand also to other vulnerable computers connected to the internet. 
Within hours of its release, WannaCry had\r\ninfected hundreds of thousands of computers worldwide.\r\nOngoing threat to the financial sector\r\nThe recent wave of FASTCash attacks demonstrates that financially motivated attacks are not simply a passing\r\ninterest for the Lazarus group and can now be considered one of its core activities.\r\nAs with the 2016 series of virtual bank heists, including the Bangladesh Bank heist, FASTCash illustrates that\r\nLazarus possesses an in-depth knowledge of banking systems and transaction processing protocols and has the\r\nexpertise to leverage that knowledge in order to steal large sums from vulnerable banks.\r\nIn short, Lazarus continues to pose a serious threat to the financial sector and organizations should take all\r\nnecessary steps to ensure that their payment systems are fully up to date and secured.\r\nProtection\r\nSymantec has the following detections in place to protect customers against Lazarus FASTCash attacks:\r\nTrojan.Fastcash\r\nMitigation\r\nOrganizations should ensure that operating systems and all other software are up to date. Software updates will\r\nfrequently include patches for newly discovered security vulnerabilities that could be exploited by attackers. 
In all\r\nreported FASTCash attacks to date, the attackers have compromised banking application servers running\r\nunsupported versions of the AIX operating system, beyond the end of their service pack support dates.\r\nIndicators of Compromise\r\nD465637518024262C063F4A82D799A4E40FF3381014972F24EA18BC23C3B27EE (Trojan.Fastcash Injector)\r\nCA9AB48D293CC84092E8DB8F0CA99CB155B30C61D32A1DA7CD3687DE454FE86C (Trojan.Fastcash DLL)\r\n10AC312C8DD02E417DD24D53C99525C29D74DCBC84730351AD7A4E0A4B1A0EBA (Trojan.Fastcash DLL)\r\n3A5BA44F140821849DE2D82D5A137C3BB5A736130DDDB86B296D94E6B421594C (Trojan.Fastcash DLL)\r\nSource: https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware"
	],
	"report_names": [
		"fastcash-lazarus-atm-malware"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "679e335a-38a4-4db9-8fdf-a48c17a1f5e6",
			"created_at": "2023-01-06T13:46:38.820429Z",
			"updated_at": "2026-04-10T02:00:03.112131Z",
			"deleted_at": null,
			"main_name": "FASTCash",
			"aliases": [],
			"source_name": "MISPGALAXY:FASTCash",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434720,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/90ba6c70149017922b34205b121af9ef6ce8489a.pdf",
		"text": "https://archive.orkl.eu/90ba6c70149017922b34205b121af9ef6ce8489a.txt",
		"img": "https://archive.orkl.eu/90ba6c70149017922b34205b121af9ef6ce8489a.jpg"
	}
}