FASTCash: How the Lazarus Group is Emptying Millions from ATMs
Last month, the US government issued an alert
that Lazarus has been conducting “FASTCash” attacks against ATMs from banks in Asia and Africa. Symantec researchers
have since uncovered the key component used by Lazarus to fraudulently empty ATMs of cash.
Known initially for its espionage operations and high-profile attack against Sony Pictures, Symantec’s research shows
increasing financial motivation behind the Lazarus group’s attacks, including the targeting of the Bangladesh Central Bank
and the group’s WannaCry ransomware
operation. This recent wave of FASTCash attacks demonstrates that financially motivated attacks are not simply a passing interest
for Lazarus, but one of its core activities.
To make fraudulent withdrawals, Lazarus first breaches the banks’ networks and compromises the switch application
servers handling ATM transactions. Once these servers are compromised, previously unknown malware (Trojan.Fastcash)
is deployed, which intercepts fraudulent cash withdrawal requests and sends fake approval responses, in turn allowing
the attackers to steal cash from ATMs.
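The interception described above has a natural defender-side check: the following added example (not code from the Symantec write-up) reconciles a hypothetical switch authorization log against core banking balances and flags approvals the issuer could not have granted, which is what a forged response from a compromised switch looks like on the books. The log format, field names, account ids and amounts are constructed assumptions.

```python
"""Added example, not from the Symantec write-up: reconcile a switch's
authorization log against the core banking ledger to flag approvals that
the issuer's records cannot support.

Assumptions (hypothetical): the switch writes one key=value log line per
transaction, using response code 00 for approval as in ISO 8583, and the
core banking view gives the balance held at authorization time.
"""

# Constructed sample switch authorization log (not real data).
SWITCH_LOG = [
    "txn=1001 card=4000****0001 acct=A1 amount=200.00 resp=00",
    "txn=1002 card=4000****0002 acct=A2 amount=5000.00 resp=00",
    "txn=1003 card=4000****0003 acct=A3 amount=150.00 resp=51",
    "txn=1004 card=4000****0009 acct=NOPE amount=3000.00 resp=00",
]

# Constructed core banking view: account -> balance when the request arrived.
CORE_BALANCES = {"A1": 1000.00, "A2": 120.00, "A3": 50.00}


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; card numbers are left masked."""
    return dict(field.split("=", 1) for field in line.split())


def suspicious_approvals(switch_log, core_balances):
    """Return txn ids the switch approved although the issuer's ledger
    could not have backed the withdrawal: the account is unknown to the
    core system, or its balance is below the requested amount.

    A fake approval injected at the switch never consulted the core
    system, so the switch's answer and the ledger disagree; that gap is
    the signal a reconciliation job should raise."""
    flagged = []
    for line in switch_log:
        rec = parse_line(line)
        if rec["resp"] != "00":  # declines are not our concern here
            continue
        amount = float(rec["amount"])
        balance = core_balances.get(rec["acct"])
        if balance is None or balance < amount:
            flagged.append(rec["txn"])
    return flagged  # -> ['1002', '1004'] for the sample above
```

In practice the comparison runs against the core system's own authorization records rather than a static balance map, but the mismatch it looks for is the same.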