{
	"id": "b1d6c390-e08f-41d3-98d4-66e840fb96ab",
	"created_at": "2026-04-06T01:30:25.904987Z",
	"updated_at": "2026-04-10T03:38:19.29973Z",
	"deleted_at": null,
	"sha1_hash": "a3aefdaaf2491cf1cc46911996b30c532bea1b68",
	"title": "MAR-10257062-1.v2 - North Korean Remote Access Tool: FASTCASH for Windows | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 79962,
	"plain_text": "MAR-10257062-1.v2 - North Korean Remote Access Tool: FASTCASH\r\nfor Windows | CISA\r\nPublished: 2020-09-01 · Archived: 2026-04-06 00:42:37 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThis Malware Analysis Report (MAR) is the result of analytic efforts between the Department of Homeland Security (DHS),\r\nthe Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners,\r\nDHS, FBI, and DoD identified Remote Access Tool (RAT) malware variants used by the North Korean government. This\r\nmalware variant has been identified as FASTCASH for Windows. The U.S. Government refers to malicious cyber activity\r\nby the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit\r\nhttps[:]//www[.]us-cert.gov/hiddencobra.\r\nFBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to\r\nmaintain a presence on victim networks and to further network exploitation. 
DHS, FBI, and DoD are distributing this MAR\r\nto enable network defense and reduce exposure to North Korean government malicious cyber activity.\r\nThis MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended\r\nmitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the\r\nCybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the\r\nhighest priority for enhanced mitigation.\r\nThis submission included two unique files. The first file is a malicious application, which can be utilized to inject a dynamic\r\nlink library (DLL) into a remote Windows process. The second file is a malicious Windows DLL. The DLL contains two\r\nfunctions that hook the Windows application programming interfaces (APIs) \"Send\" and \"Recv\" within a\r\ntargeted process. These hook functions are utilized to intercept traffic received by the target process. In received Financial\r\nMessages, the malicious functions will look for targeted Primary Account Numbers (PANs) to deliver a custom response. It\r\nappears the malware targets a system within a bank's infrastructure that is designed to process automated teller machine\r\n(ATM) transactions.\r\nThis updated report includes an additional sample that is used by advanced persistent threat (APT) cyber actors in the\r\ntargeting of banking payment systems. The sample is a man-in-the-middle bank transaction modification malware. Once the\r\nmalware is injected into an executable, it takes control of the send and receive functions in order to identify, log, and modify\r\nISO 8583 messages. ISO 8583 is an international standard for financial transaction card originated interchange messaging.\r\nThis functionality enables the actor to withdraw more money than is actually available.
The malware specifically targets ISO\r\n8583 Point of Sale (POS) system messages, ATM transaction requests, and ATM balance inquiries. The sample uses code\r\nfrom open source repositories on the Internet and modifies the parsing code to support Extended Binary Coded Decimal\r\nInterchange Code (EBCDIC) encoding. EBCDIC is a character encoding format like the more common ASCII.\r\nFor a downloadable copy of IOCs, see MAR-10257062-1.v2.stix.\r\nSubmitted Files (3)\r\n129b8825eaf61dcc2321aad7b84632233fa4bbc7e24bdf123b507157353930f0 (switch.dll)\r\n39cbad3b2aac6298537a85f0463453d54ab2660c913f4f35ba98fffeb0b15655 (switch.exe)\r\n5cb7a352535b447609849e20aec18c84d8b58e377d9c6365eafb45cdb7ef949b (A2B1A45A242CEE03FAB0BEDB2E4605...)\r\nFindings\r\n129b8825eaf61dcc2321aad7b84632233fa4bbc7e24bdf123b507157353930f0\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-239c\r\nPage 1 of 9\n\nTags\r\nHIDDEN-COBRA, trojan\r\nDetails\r\nName switch.dll\r\nSize 118784 bytes\r\nType PE32 executable (DLL) (console) Intel 80386, for MS Windows\r\nMD5 c4141ee8e9594511f528862519480d36\r\nSHA1 2b22d9c673d031dfd07986906184e1d31908cea1\r\nSHA256 129b8825eaf61dcc2321aad7b84632233fa4bbc7e24bdf123b507157353930f0\r\nSHA512 dfc1ad2cb2df2b79ac0f2254b605a2012b94529ac220350a4075e60b06717918175cff5c22e52765237b78ec4edffd6df20f333e28a405a4339a1\r\nssdeep 3072:lUGDXTpE8AKDKDOf+8ZagCfG4aAzFdIARrhxg6/ZpDA:+GDXTpFDKDMZagX4aAB2Cg6hpD\r\nEntropy 6.454745\r\nAntivirus\r\nAntiy Trojan/Win32.Tiggre\r\nAvira TR/Spy.Banker.pubvd\r\nBitDefender Trojan.GenericKD.32541173\r\nClamAV Win.Trojan.Alreay-7189205-0\r\nComodo Malware\r\nESET a variant of Win32/NukeSped.GA trojan\r\nEmsisoft Trojan.GenericKD.32541173 (B)\r\nIkarus Trojan.Spy.Banker\r\nK7 Riskware ( 0040eff71 )\r\nLavasoft Trojan.GenericKD.32541173\r\nMcAfee Trojan-Banking\r\nNANOAV Trojan.Win32.NukeSped.gexoae\r\nSophos Troj/Banker-GYS\r\nSymantec Trojan Horse\r\nTrendMicro Backdoo.62DC2502\r\nTrendMicro House Call Backdoo.62DC2502\r\nVirusBlokAda 
BScope.TrojanBanker.Agent\r\nZillya! Trojan.NukeSped.Win32.183\r\nYARA Rules\r\nrule CISA_10257062_01 : ATM_Malware\r\n{\r\n   meta:\r\n       Author = \"CISA Code \u0026 Media Analysis\"\r\n       Incident = \"10257062\"\r\n       Date = \"2019-09-26\"\r\n       Last_Modified = \"20200117_1732\"\r\n       Actor = \"n/a\"\r\n       Category = \"Financial\"\r\n       Family = \"ATM_Malware\"\r\n       Description = \"n/a\"\r\n       MD5_1 = \"c4141ee8e9594511f528862519480d36\"\r\n       SHA256_1 = \"129b8825eaf61dcc2321aad7b84632233fa4bbc7e24bdf123b507157353930f0\"\r\n   strings:\r\n       $x3 = \"RECV SOCK= 0x%p, BUF= 0x%p, LEN= 0x%08X, RET= %08X, IP= %s, Port= %d\" fullword ascii\r\n       $x4 = \"init_hashmap succ\" fullword ascii\r\n       $x5 = \"89*(w8y92r3y9*yI2H28Y9(*y3@*\" fullword ascii\r\n   condition:\r\n       ($x3) and ($x4) and ($x5)\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2019-06-22 01:59:31-04:00\r\nImport Hash 0ab159bd939411cb8df935bd9e7b5835\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n00f8301c11847b70346d6271098d8f1c header 1024 2.296500\r\nc3bee35076d728ce32b67f5bc66587f3 .text 84992 6.641787\r\n6b094443cad879acc7285f991243ddb0 .rdata 17920 5.170073\r\n11060bd3e49075b78be8670ff46d9a48 .data 7168 4.275765\r\n3637e0cd32608b060e308fdd9742ea97 .reloc 7680 4.792696\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ DLL *sign by CodeRipper\r\nDescription\r\nThis file is a malicious Windows 32-bit DLL. Upon execution, it attempts to read the file \"c:\\\\temp\\info.dat\". Analysis of this\r\nimplant indicates the encrypted file \"info.dat\" will contain targeted PANs, which are expected to be contained within\r\ntransactions possibly originating from ATM systems. Analysis indicates the malware decrypts \"info.dat\" utilizing what\r\nappears to be the AES encryption algorithm. 
The key utilized for this decryption (a 32-byte string, the size of an AES-256 key) is displayed below:\r\n--Begin Decryption Key--\r\n89*(w8y92r3y9*yIy(8Y23RHWIEFH238\r\n--End Decryption Key--\r\nThe decrypted contents of \"info.dat\" are then parsed. Sub-components of the file are then further decoded using a hard-coded rotating XOR cipher (Figure 1). The data used as the rotating XOR cipher key is displayed below:\r\n--Begin Rotating XOR Cipher Key--\r\n963007772C610EEEBA51099919C46D078FF46A7035A563E9A395649E3288DB0EA4B8DC791EE9D5E088D9D2972B4CB609BD7CB17E072DB8E\r\n--End Rotating XOR Cipher Key--\r\nThis application will not run without the file \"info.dat\", which was not available at the time of analysis.\r\nUpon execution, the malware creates the directory \"C:\\tmp\\_DMP\". The malware will use this location as a working\r\ndirectory on the targeted system. The malware will store run time logs within this folder. When executed, the malware will\r\ncreate a log file with the following file name format \"c:\\\\tmp\\\\_DMP\\\\TMPL_%d_%d.tmp\" in this folder and stamps it with\r\nthe data \"HK-Start\".\r\nThis binary contains two functions, which provide context to the malware's purpose and capability. Analysis indicates this\r\nDLL is injected into a targeted process. In order to capture and analyze incoming network traffic, the malware hooks the\r\n\"Send\" and \"Recv\" Windows API within a targeted process. One of these functions, located at offset \"0x00004f60\", appears\r\nto search incoming network traffic for \"x200\" Financial Request Messages, such as the type that may be generated from\r\nan ATM banking system. When the malware captures data it uses the \"getpeername\" API to get the IP address of the\r\nconnected host. It then converts this IP address to an integer value using the \"ntohs\" API. 
If the integer value of the IP address\r\nmatches either \"16843029\" (0x01010115) or \"33620245\" (0x02010115) the malware will search it for a \"Financial Request Message\" (Figure 6). Which dotted-quad addresses these integers denote depends on the byte order of the conversion, which the report names only as ntohs: read big-endian they are 1.1.1.21 and 2.1.1.21, read as a little-endian in_addr they are 21.1.1.1 and 21.1.1.2. If not, it\r\nwill process the incoming data as normal, however it still attempts to log it to a file named\r\n\"c:\\\\tmp\\\\_DMP\\\\TMPL_%d_%d.tmp\" in the format RECV SOCK= 0x%p, BUF= 0x%p, LEN= 0x%08X, RET= %08X,\r\nIP= %s, Port= %d (the full string appears in the YARA rule above).\r\nUpon receipt of one of these Financial Request Messages, the malware will create a log file that is named with the\r\nfollowing format: \"c:\\\\tmp\\\\_DMP\\\\TMPL_%d_%d.tmp\". The format of the data logged in this log file will be as follows:\r\n--Begin Logged Message Data--\r\nMessage(msg=%d, ct=%d, pc=%d, sd=%d, pan=%s, date=%s)\r\n--End Logged Message Data--\r\nUpon receipt of a Financial Request Message the malware will decode a portion of the data, which was AES decrypted from\r\nthe file “info.dat” to see if portions of it match the incoming Financial Request Message (Figure 3). Although the file\r\n“info.dat” was not available for analysis, it appears the malware is ensuring the PAN of the incoming message\r\nmatches one of the PANs contained within “info.dat”.\r\nStatic analysis indicates the malware utilizes an encrypted file named “blk.dat”. This file is expected to contain a denylist of\r\nATM transactions, which will be denied by the hook function (Figure 2). This file was not available for analysis.\r\nWhen the malware receives a request from an ATM, if it contains a PAN configured in info.dat (Figure 3) and it is\r\nnot on the denylist in “blk.dat”, the malware will craft a response and send it to the ATM system (Figure 4). It appears the\r\nresponse to the ATM will allow the transaction to proceed and potentially allow the hackers to illegally withdraw money. 
If\r\nthe transaction is hijacked and approved, the malware records this success in the encrypted log file “suc.dat”.\r\nIf the transaction is rejected, because it is on the denylist in “blk.dat”, this error is logged to the file “err.dat”. If the\r\ntransaction does not contain a configured PAN, or is on the denylist, the malware passes it on unmodified to the\r\ntargeted application. When the malware receives an identified Financial Request Message, it will log it to a file with the\r\nname format \"c:\\\\tmp\\\\_DMP\\\\TMPL_%d_%d.tmp\". The message itself will be logged into this file with the format\r\n“Message(msg=%d, ct=%d, pc=%d, sd=%d, pan=%s, date=%s)”.\r\nThe actual response back to the ATM system will be logged into a file with the filename format\r\n\"c:\\\\tmp\\\\_DMP\\\\TMPL_%d_%d.tmp\". The format of the data written to this file will be send socket=0x%X, ret=%d,\r\nerr=%d.\r\nAnalysis indicates the Send API is hooked with a function that uses the \"getpeername\" IP address of the connected host. The\r\nIP address of the host is converted using “ntohs” and if it matches one of the values “16843029” or “33620245” the sent\r\ntraffic will be logged in a file named \"c:\\\\tmp\\\\_DMP\\\\TMPL_%d_%d.tmp\". The format of the sent data logged is SEND\r\nSOCK= 0x%p, BUF= 0x%p, LEN= 0x%08X, RET= %08X, IP= %s, Port= (Figure 7). 
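A hunt over the run-time log lines described above, added here as an example and not taken from the report or from the samples: it classifies lines by the format strings quoted in this section (HK-Start, the RECV SOCK= and SEND SOCK= entries, Message(msg=..., pan=...), send socket=... and the g_hook_flag marker), masks any PAN before it is written to a finding, and recognises TMPL_N_N.tmp files that sit directly under a _DMP directory. The log lines, paths, IP address and port below are constructed for the example; the sample paths are assembled with chr(92) so the listing carries no escape sequences.

```python
# Added example (not CISA's or the samples' code): hunt over the run-time log lines
# switch.dll writes to its working directory, using the format strings quoted in
# this report. Sample lines and paths below are constructed, not recovered data.
import re
import ntpath

HEX = '[0-9A-Fa-f]'
SOCK_ENTRY = ('SOCK= 0x(' + HEX + '+), BUF= 0x(' + HEX + '+), LEN= 0x(' + HEX + '{8}), '
              'RET= (' + HEX + '{8}), IP= ([0-9.]+), Port= ([0-9]+)$')
RECV_RE = re.compile('^RECV ' + SOCK_ENTRY)
SEND_RE = re.compile('^SEND ' + SOCK_ENTRY)
MSG_RE = re.compile('^Message[(]msg=([0-9]+), ct=([0-9]+), pc=([0-9]+), sd=([0-9]+), '
                    'pan=([0-9]+), date=([^)]*)[)]$')
RESP_RE = re.compile('^send socket=0x(' + HEX + '+), ret=(-?[0-9]+), err=([0-9]+)$')
HOOK_RE = re.compile('^g_hook_flag = ([0-9]+)$')
TMPL_NAME_RE = re.compile('^TMPL_[0-9]+_[0-9]+[.]tmp$', re.IGNORECASE)

def mask_pan(pan):
    # Keep BIN and last four only; full PANs must not be copied into findings.
    if len(pan) < 10:
        return '*' * len(pan)
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]

def classify_line(line):
    # Returns a dict describing the event, or None for lines not written by the hook.
    line = line.strip()
    if line == 'HK-Start':
        return {'kind': 'start'}
    m = HOOK_RE.match(line)
    if m:
        return {'kind': 'hook_status', 'flag': int(m.group(1))}
    for kind, rx in (('recv', RECV_RE), ('send', SEND_RE)):
        m = rx.match(line)
        if m:
            return {'kind': kind, 'len': int(m.group(3), 16), 'ret': int(m.group(4), 16),
                    'ip': m.group(5), 'port': int(m.group(6))}
    m = MSG_RE.match(line)
    if m:
        return {'kind': 'request', 'msg': int(m.group(1)), 'pc': int(m.group(3)),
                'pan': mask_pan(m.group(5)), 'date': m.group(6)}
    m = RESP_RE.match(line)
    if m:
        return {'kind': 'response', 'ret': int(m.group(2)), 'err': int(m.group(3))}
    return None

def is_switch_log_path(path):
    # TMPL_<pid>_<n>.tmp directly under a _DMP directory; ntpath accepts either separator.
    head, name = ntpath.split(path)
    return TMPL_NAME_RE.match(name) is not None and ntpath.basename(head).upper() == '_DMP'

def hunt(paths, lines):
    hits = {'log_files': [p for p in paths if is_switch_log_path(p)],
            'events': [], 'peers': set(), 'responses_sent': 0}
    for line in lines:
        ev = classify_line(line)
        if ev is None:
            continue
        hits['events'].append(ev)
        if ev['kind'] in ('recv', 'send'):
            hits['peers'].add(ev['ip'])
        if ev['kind'] == 'response' and ev['ret'] > 0 and ev['err'] == 0:
            hits['responses_sent'] += 1          # a crafted reply reached the ATM side
    return hits

SEP = chr(92)   # backslash, so the listing below carries no escape sequences
SAMPLE_PATHS = [
    SEP.join(['c:', 'tmp', '_DMP', 'TMPL_1234_1.tmp']),
    SEP.join(['c:', 'Windows', 'Temp', 'TMPL_1234_1.tmp']),   # same name elsewhere: not a hit
    SEP.join(['c:', 'tmp', '_DMP', 'notes.txt']),
]
SAMPLE_LINES = [
    'HK-Start',
    'g_hook_flag = 1',
    'RECV SOCK= 0x00000214, BUF= 0x0019F8A0, LEN= 0x00000200, RET= 000000F3, IP= 10.20.30.40, Port= 9500',
    'Message(msg=200, ct=1, pc=10000, sd=0, pan=4111111111111111, date=0910120000)',
    'send socket=0x214, ret=243, err=0',
    'SEND SOCK= 0x00000214, BUF= 0x0019FA40, LEN= 0x000000F3, RET= 000000F3, IP= 10.20.30.40, Port= 9500',
    'unrelated application log line',
]

if __name__ == '__main__':
    result = hunt(SAMPLE_PATHS, SAMPLE_LINES)
    print('log files:', result['log_files'])
    print('peers:', sorted(result['peers']), 'responses sent:', result['responses_sent'])
    for ev in result['events']:
        print(ev)
```

Run as a script it prints the summary for the constructed input; in a real hunt, feed it a file listing of the host and the contents of every TMPL file found. The IP in the RECV and SEND entries is the peer the hook considered interesting, and a response entry with ret greater than zero and err equal to zero is a crafted reply that was actually sent, so both are worth pivoting on in network telemetry.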
Static analysis indicates successful\r\nhooks made to the “Send” and “Recv” APIs within the target process will be logged in a file named\r\n“c:\\\\tmp\\\\_DMP\\\\TMPL_%d_%d.tmp” with the format “g_hook_flag = %d”.\r\nScreenshots\r\nFigure 1 - Cipher used when decoding data in \"info.dat\".\r\nFigure 2 - API \"Recv\" hook checking for incoming Financial Request Message for a targeted PAN.\r\nFigure 3 - The malware searching for targeted PANs.\r\nFigure 4 - Malware crafting and sending responses to the ATM.\r\nFigure 5 - Hook function either searching network traffic for Financial Message or logging it and sending to the \"RECV\"\r\nAPI.\r\nFigure 6 - \"RECV\" Hook API function checking if the connected host is one of the two IP addresses.\r\nFigure 7 - Logging outbound traffic to the two specific IP addresses.\r\n39cbad3b2aac6298537a85f0463453d54ab2660c913f4f35ba98fffeb0b15655\r\nTags\r\nHIDDEN-COBRA, trojan\r\nDetails\r\nName switch.exe\r\nSize 67448 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 89081f2e14e9266de8c042629b764926\r\nSHA1 730c1b9e950932736fc4b02cbdb4e4e891485ac2\r\nSHA256 39cbad3b2aac6298537a85f0463453d54ab2660c913f4f35ba98fffeb0b15655\r\nSHA512 bbb5aa4d8e7a011daff71774ee9c74fa4d14627de1c25e0437c879bd1cd137223d5c2fb20fd101a511a95e59d91ea884b0947229ee67e40a4a243\r\nssdeep 768:aQ1PWoWzXyjJsTKJUniYs1pdLn4nDT622YuYDIhscWTJqLPNofEDy9nAXmIEHbKa:aQ5WDziX+nD0LWT6FYZDgs5ULPIJEYp\r\nEntropy 6.396614\r\nAntivirus\r\nAhnlab HackTool/Win32.Injector\r\nAntiy Trojan[Banker]/Win32.Alreay\r\nClamAV Win.Trojan.Alreay-7189192-0\r\nComodo Malware\r\nESET a variant of Generik.CWSORYC trojan\r\nEmsisoft Gen:Variant.Ursu.634943 (B)\r\nIkarus Trojan.Inject\r\nK7 Riskware ( 0040eff71 )\r\nMcAfee Trojan-Banking\r\nMicrosoft Security Essentials Trojan:Win32/LazInjector.DD!MSR\r\nNANOAV Trojan.Win32.Alreay.geqrko\r\nSophos Troj/Banker-GYS\r\nSymantec Trojan Horse\r\nTrendMicro 
TROJ_NO.4FADD924\r\nTrendMicro House Call TROJ_NO.4FADD924\r\nVirusBlokAda TrojanBanker.Alreay\r\nZillya! Trojan.Alreay.Win32.96\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-06-13 02:17:06-04:00\r\nImport Hash c9febdea3218b92a46f739082f26471e\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\ncde81f1500263860f325ee8f80c483ce header 1024 2.497464\r\na8c0a36524287fef367821e833a68350 .text 38912 6.518662\r\ne1c66ff8e5f0e1909e2691360c974420 .rdata 10752 4.878020\r\n22783e6c2539d6828f3d42b030ca08e9 .data 4096 2.117927\r\n81195ca9b22c050f79e44175e9e7150e .rsrc 512 5.105006\r\n36571bcb45b1ae18dfcf7edc8c5c3d4a .reloc 3584 4.791228\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ ?.?\r\nDescription\r\nThis file is a malicious 32-bit Windows executable. It is a command-line utility. Static analysis indicates its primary purpose\r\nis to allow a user to inject a DLL into a remote process.\r\n5cb7a352535b447609849e20aec18c84d8b58e377d9c6365eafb45cdb7ef949b\r\nTags\r\nHIDDEN-COBRA, trojan\r\nDetails\r\nName A2B1A45A242CEE03FAB0BEDB2E460587\r\nSize 130560 bytes\r\nType PE32 executable (DLL) (console) Intel 80386, for MS Windows\r\nMD5 a2b1a45a242cee03fab0bedb2e460587\r\nSHA1 e9c9ef312370d995d303e8fc60de4e4765436f58\r\nSHA256 5cb7a352535b447609849e20aec18c84d8b58e377d9c6365eafb45cdb7ef949b\r\nSHA512 4ced785089832287d634c77c2b5fb16efb2147b75da9014320c98d1bc0933504bfba77273576c35b97548d25acb88a0f2944cbef6a78509f945a\r\nssdeep 3072:j5KO2SQhF+VJbGHMjjNNyCkeZjDYJklGCx:oO2SQT+nGHADyAZjJwC\r\nEntropy 6.431962\r\nAntivirus\r\nVirusBlokAda BScope.TrojanBanker.Agent\r\nYARA Rules\r\nrule CISA_3P_10257062 : HiddenCobra FASTCASH trojan\r\n{\r\n   meta:\r\n       Author = \"CISA Trusted Third Party\"\r\n       Incident = \"10257062\"\r\n       Date = \"2020-08-11\"\r\n       Actor = \"Hidden Cobra\"\r\n       Category = \"Trojan\"\r\n       Family = \"FASTCASH\"\r\n       Description = \"Detects HiddenCobra FASTCASH samples\"\r\n       MD5_1 = \"a2b1a45a242cee03fab0bedb2e460587\"\r\n       SHA256_1 = \"5cb7a352535b447609849e20aec18c84d8b58e377d9c6365eafb45cdb7ef949b\"\r\n   strings:\r\n       $sn_config_key1 = \"Slsklqc^mNgq`lyznqr[q^123\"\r\n       $sn_config_key2 = \"zRuaDglxjec^tDttSlsklqc^m\"\r\n       $sn_logfile1 = \"C:\\\\intel\\\\_DMP_V\\\\spvmdl.dat\"\r\n       $sn_logfile2 = \"C:\\\\intel\\\\_DMP_V\\\\spvmlog_%X.dat\"\r\n       $sn_logfile3 = \"C:\\\\intel\\\\_DMP_V\\\\TMPL_%X.dat\"\r\n       $sn_logfile4 = \"C:\\\\intel\\\\mvblk.dat\"\r\n       $sn_logfile5 = \"C:\\\\intel\\\\_DMP_V\\\\spvmsuc.dat\"\r\n   condition:\r\n       all of ($sn*)\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-07-03 08:11:16-04:00\r\nImport Hash 76e8a4f811b021cf503340a0077515cc\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\ncbe7e7fdab96c22785fa8d7c03ca6b2b header 1024 2.429436\r\n03d36f4d9ae3e002027c981c399ab8c6 .text 89600 6.630313\r\nd1f983704c508544b315d577fe3563e1 .rdata 23040 5.215776\r\na4b79dca294053725e2b2091453d9d85 .data 8192 4.358771\r\nd762ef71411860ae50212e14c0a5ba72 .rsrc 512 5.115767\r\n2e4eb6056385f6f721d970cafe65bebe .reloc 8192 4.774185\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ DLL *sign by CodeRipper\r\nDescription\r\nThe file uses a configuration file, a denylist, and a series of log files:\r\n--Begin files--\r\nC:\\intel\\myconf.ini: Configuration file that contains account numbers (encrypted)\r\nC:\\intel\\myblk.dat: Deny-listed account numbers (encrypted). Note that the YARA rule above carries this path as C:\\intel\\mvblk.dat; hunt for both spellings.\r\nC:\\intel\\_DMP_V\\spvmlog_\u003cPID\u003e.dat: Logs general messages and errors.\r\nEntry Format: [\u003cYYYY-MM-DD HH:MM:SS.sss\u003e][PID:\u003cPID\u003e][TID:\u003cTID\u003e] \u003cMessage\u003e\r\nC:\\intel\\_DMP_V\\spvmdl.dat: Logs API hooking/unhooking success and failure.\r\nEntry Format:\r\nHook Success Entry: 'Windows'\r\nHook Error Entry: 'Linux'\r\nUnHook Success Entry: 'Acer'\r\nUnHook Error Entry: 'Lenovo'\r\nC:\\intel\\_DMP_V\\TMPL\u003cPID\u003e.dat: Logs Send/Receive Message metadata\r\nEntry Format:\r\nRecv Entry: 'recv - SOCK=\u003csocket_id\u003e, Addr=\u003cIP\u003e, Port=\u003cPort\u003e, pBuf=\u003cdata\u003e, size=\u003cdatasize\u003e'\r\nSend Entry: 'send - SOCK=\u003csocket_id\u003e, Addr=\u003cIP\u003e, Port=\u003cPort\u003e, size=\u003cdatasize\u003e'\r\nC:\\intel\\_DMP_V\\TMPR\u003cPID\u003e.tmp: Logs Received Messages\r\nC:\\intel\\_DMP_V\\TMPS\u003cPID\u003e.tmp: Logs Sent Messages\r\nC:\\intel\\_DMP_V\\TMPHSMS\u003cPID\u003e.tmp: Logs LocalHost ARQC sent messages\r\nC:\\intel\\_DMP_V\\TMPHSMR\u003cPID\u003e.tmp: Logs LocalHost ARQC received messages\r\nC:\\intel\\_DMP_V\\spvmscap.dat: Logs modified sent messages\r\nC:\\intel\\_DMP_V\\spvmsuc.dat: Logs modified sent messages metadata (encrypted)\r\n--End files--\r\nUpon attaching to a process, the sample will decrypt the encrypted config from the configuration file and read it into\r\nmemory. Next, it will hook the process's send and recv Windows APIs. When the \"send\" function is called, it checks whether\r\nthe port is 7029; if so, it logs the data and metadata to the log files above, and if not it simply calls the original send as\r\nthe program normally would. When the \"recv\" function is called, it checks whether the port is 7029; if so, it waits\r\nfor packets received from port 7029 and parses the following ISO 8583 fields out of the incoming datagram:\r\n--Begin fields--\r\nMESSAGE_TYPE_INDICATOR (MTI)\r\nPRIMARY_ACCOUNT_NUMBER (PAN)\r\nPROCESSING_CODE\r\nRESERVED_NATIONAL_3\r\n--End fields--\r\nNext, it checks the loaded configuration for the PAN. If it exists, it continues processing; otherwise it passes the message through unmodified. Then it\r\nwill check the denylist file for the PAN. 
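The decision path just described for the hooked recv, and the matching PAN, denylist and response logic reported for switch.dll above, as an added example that is not code from the report or from either sample: it decodes an ISO 8583 financial request in ASCII or EBCDIC (IBM037, Python codec cp037), extracts the MTI, PAN and processing code, matches the PAN against a configured target list, consults a denylist that may hold the literal entry all, and builds the 0210 reply with response code 00 (approved) or 51 (insufficient funds). The target PANs, the denylist, the hijacked transaction-type codes and the field length table are constructed assumptions; the real configuration and denylist files were encrypted and not available for analysis, and field layouts differ between networks.

```python
# Added example (not CISA's or the samples' code): the hooked-recv decision path the
# report describes, over ISO 8583 requests in ASCII or EBCDIC (IBM037 = cp037).
# Target PANs, denylist, transaction-type codes and field lengths are assumptions:
# the real config/denylist files were encrypted and not available to the analysts.

# Constructed stand-ins for the encrypted configuration and denylist.
TARGET_PANS = {'4111111111111111', '5500000000000004'}
DENYLIST = {'5500000000000004'}         # the literal entry 'all' refuses every matched request
HIJACK_TXN_TYPES = {'01', '31'}         # withdrawal / balance inquiry (typical codes, assumed)

# Minimal length table for the fields this example touches (assumed; layouts differ by network).
FIELD_SPECS = {
    2: ('LLVAR', 19),     # PAN
    3: ('FIXED', 6),      # processing code
    4: ('FIXED', 12),     # amount
    7: ('FIXED', 10),     # transmission date/time
    11: ('FIXED', 6),     # STAN
    39: ('FIXED', 2),     # response code
    41: ('FIXED', 8),     # terminal id
    55: ('LLLVAR', 999),  # ICC data
}

def detect_encoding(raw):
    # The MTI is always four digits: 0xF0-0xF9 in EBCDIC, 0x30-0x39 in ASCII.
    head = raw[:4]
    if len(head) == 4 and all(0xF0 <= b <= 0xF9 for b in head):
        return 'cp037'
    if len(head) == 4 and all(0x30 <= b <= 0x39 for b in head):
        return 'ascii'
    raise ValueError('MTI is not four ASCII or EBCDIC digits')

def parse_iso8583(raw):
    # Returns (encoding, mti, {field_number: value}); primary bitmap only.
    enc = detect_encoding(raw)
    text = raw.decode(enc)
    mti = text[:4]
    bitmap = int(text[4:20], 16)
    if (bitmap >> 63) & 1:
        raise ValueError('secondary bitmap not handled in this example')
    pos = 20
    fields = {}
    for n in range(2, 65):
        if not (bitmap >> (64 - n)) & 1:
            continue
        kind, limit = FIELD_SPECS[n]       # KeyError: a field this table cannot size
        if kind == 'FIXED':
            width = limit
        else:
            ndigits = 2 if kind == 'LLVAR' else 3
            width = int(text[pos:pos + ndigits])
            pos += ndigits
        fields[n] = text[pos:pos + width]
        pos += width
    return enc, mti, fields

def encode_iso8583(mti, fields, enc):
    bitmap = 0
    body = []
    for n in sorted(fields):
        bitmap |= 1 << (64 - n)
        kind, _ = FIELD_SPECS[n]
        value = fields[n]
        if kind == 'LLVAR':
            body.append('%02d%s' % (len(value), value))
        elif kind == 'LLLVAR':
            body.append('%03d%s' % (len(value), value))
        else:
            body.append(value)
    return (mti + '%016X' % bitmap + ''.join(body)).encode(enc)

def hooked_recv(raw):
    # Returns (action, crafted_response_or_None). 'passthrough' hands the bytes to the
    # real application unchanged; only 0200 requests carrying a targeted PAN are touched.
    enc, mti, fields = parse_iso8583(raw)
    pan = fields.get(2)
    if mti != '0200' or pan not in TARGET_PANS:
        return 'passthrough', None
    if fields.get(3, '')[:2] not in HIJACK_TXN_TYPES:
        return 'passthrough', None
    if 'all' in DENYLIST or pan in DENYLIST:
        action, rc = 'deny', '51'
    else:
        action, rc = 'approve', '00'
    # Echo the identifying request fields and add field 39, the response code.
    response = {n: fields[n] for n in (2, 3, 4, 11) if n in fields}
    response[39] = rc
    return action, encode_iso8583('0210', response, enc)

def sample_request(pan, enc, txn_type='01'):
    # Constructed 0200 request: PAN, processing code, amount 500.00, STAN 123.
    fields = {2: pan, 3: txn_type + '0000', 4: '000000050000', 11: '000123'}
    return encode_iso8583('0200', fields, enc)

if __name__ == '__main__':
    for enc in ('ascii', 'cp037'):
        for pan in ('4111111111111111', '5500000000000004', '4000000000000002'):
            action, resp = hooked_recv(sample_request(pan, enc))
            rc = None if resp is None else parse_iso8583(resp)[2][39]
            print(enc, pan[:6] + '******' + pan[-4:], action, rc)
```

Run as a script it prints the outcome for each PAN in both encodings. The same parser is also the defensive check a bank would want on the switch: any 0210 whose response code disagrees with what the authorization host of record returned for that STAN is a crafted reply, and on the compromised host it never left the hooked process.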
If the denylist contains 'all' or the PAN, it sets the RESPONSE_CODE to 51\r\n(Insufficient funds) in the response message. It looks for the following message types:\r\n--Begin message types--\r\nPOS system message\r\nATM transaction request\r\nATM balance inquiry\r\n--End message types--\r\nNext, it constructs what appears to be an Authorization Request Cryptogram (ARQC) message:\r\n--Begin format--\r\nUses the PRIMARY_ACCOUNT_NUMBER and ICC_DATA\r\nContains the hardcoded string: \"U8BFE0AE12F9000C1480B297BE43CAC97\"\r\nSends to localhost on port 9990\r\nParses the response Authorization Response Cryptogram (ARPC) message\r\n--End format--\r\nFinally, it constructs and sends an ISO 8583 response message.\r\nWhen detaching from the process, the sample unhooks the \"send\" and \"recv\" WINAPI functions, returning them to their\r\nnormal state. It then overwrites the first 0x400 bytes of its own in-memory image in the process; 0x400 bytes is the raw size of the PE header listed in the sections table above, so memory scans that key on an intact MZ/PE header will not find the module, even though its code sections remain mapped.\r\nThe sample frequently uses code that is taken from GitHub with a few modifications in some cases. The sample uses code\r\nthat is taken from github.com/petewarden/c_hashmap to load the configuration file into memory in a hashmap, API hooking\r\nusing Microsoft’s Detour library at github.com/Microsoft/Detours and the ISO 8583 parsing code is taken from\r\ngithub.com/sabit/Oscar-ISO8583 (slightly modified to facilitate parsing of IBM037 formatted data).\r\nThe encryption that is used for all log/config files is likely an AES variant with the following keys (each 16 bytes, the size of an AES-128 key; the YARA rule above matches them where the two sit adjacent in the binary):\r\n--Begin keys--\r\nzRuaDglxjec^tDtt\r\nSlsklqc^mNgq`lyz\r\n--End keys--\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. 
Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-239c\r\nPage 8 of 9\n\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. 
In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to CISA at 1-844-Say-CISA or CISA Central.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nRevisions\r\nAugust 26, 2020: Initial Version\r\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239c",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239c"
	],
	"report_names": [
		"ar20-239c"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "679e335a-38a4-4db9-8fdf-a48c17a1f5e6",
			"created_at": "2023-01-06T13:46:38.820429Z",
			"updated_at": "2026-04-10T02:00:03.112131Z",
			"deleted_at": null,
			"main_name": "FASTCash",
			"aliases": [],
			"source_name": "MISPGALAXY:FASTCash",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439025,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a3aefdaaf2491cf1cc46911996b30c532bea1b68.pdf",
		"text": "https://archive.orkl.eu/a3aefdaaf2491cf1cc46911996b30c532bea1b68.txt",
		"img": "https://archive.orkl.eu/a3aefdaaf2491cf1cc46911996b30c532bea1b68.jpg"
	}
}