A notorious group of North Korean hackers has upgraded their FASTCash malware to infect Linux-based systems, enabling unauthorised cash withdrawals from financial institutions. The latest version targets Ubuntu 22.04 LTS, according to cybersecurity expert HaxRob as reported by Bleeping Computer, marking a shift from earlier variants that only affected Windows and IBM AIX (Unix) platforms.


It should also be noted that FASTCash has also evolved to target Windows platforms through phishing emails.


Evolution Of FASTCash Malware


Originally designed to compromise payment systems, FASTCash manipulates transaction processes, particularly targeting card authorisations, allowing hackers to approve fraudulent withdrawals. Previously detected on Windows and IBM AIX systems, this new Linux variant has added another layer of complexity to an already dangerous malware.


A History Of Financial Attacks


The US Cybersecurity and Infrastructure Security Agency (CISA) first warned of the FASTCash ATM scheme in 2018, attributing it to the North Korean hacking group 'Hidden Cobra.' Since 2016, these cybercriminals have been executing coordinated attacks across 30 countries, netting millions in fraudulent withdrawals from ATMs. 


In 2020, the US Cyber Command reported renewed FASTCash activity linked to APT38, also known as Lazarus Group. By 2021, US authorities indicted three North Korean individuals accused of stealing over $1.3 billion from financial institutions globally.


New Linux Variant


The latest discovery, first uploaded to VirusTotal in mid-2023, mimics previous iterations but specifically targets Ubuntu Linux systems.


The malware injects itself into payment switch servers via a shared library, using the 'ptrace' system call to intercept ISO8583 messages — the protocol used for card transactions.


By altering responses that would typically decline a transaction due to insufficient funds, FASTCash fraudulently approves withdrawals.


What Can You Do To Protect Yourself?



  • Beware of Phishing: Always verify email senders and avoid downloading suspicious attachments

  • Monitor Systems Closely: Report any unusual transaction behaviours immediately

  • Keep Software Updated: Ensure all devices are running the latest security patches

  • Secure Financial Systems: Implement strong authentication methods for remote access.


As FASTCash evolves, financial institutions worldwide are urged to ramp up their defences and remain vigilant against these sophisticated cyber threats.