Lazarus Rises to Make ATMs Pour Forth Cash

Lazarus is not dead. I mean the Lazarus hacking group, of course. In fact, last year, it was designated as one of the most dangerous hacking groups on Earth. Now, with the incarnation of FASTCash malware, Lazarus just might have ascended to the supreme position of world’s most dangerous hacking group.

Let me give a simple explanation of just what FASTCash can do. Imagine going to an ATM machine with nothing in your bank account. Now, on the surface, this might seem problematic, after all, you have nothing in your bank account. Enter FASTCash. No money, no problem. Simply punch in any amount you want and the ATM will give it to you.

How is this possible? Well, that’s where the Lazarus group’s expertise comes into play. They are able to compromise the servers that banks use to verify ATM transactions. Not all such servers are vulnerable, but there are plenty that haven’t been updated and, thus, cannot prevent such an attack. But, you might rightly ask, how did they get to these servers in the first place? That’s a good question and one for which cybersecurity researchers do not have a precise answer.

The attackers may send spear phishing emails that appear to come from a valid source. These emails may even contain an attached document which the victim expects to receive. They may use fake updates or apps packaged with malware. Or, like it or not, they may have an insider working for them. In fact, I can’t imagine this attack working without on-the-ground accomplices.

I make this last suggestion for a number of reasons. In order for this attack to work, the attacker first needs to open an account at a bank. Although it is possible to open an account without actually visiting a bank, it would not be easy, at least in the U.S. The attacker would need a lot of personal information and have access to valid documents. For example, in most cases in the U.S., they would need a Social Security Number, Tax ID Number, or equivalent, date of birth, and a government-issued ID (driver’s license, passport, U.S. military ID, etc.) number with the issue and expiration dates. In addition, they would need a home address, phone number, and email address. Add to this the fact that many banks ask for a minimal deposit to validate the account, and you could see that opening an account would be much easier in person. If the person was a citizen of the country the bank was in and had all the documentation, so much the better. There is another way Lazarus could open a bank account. Possibly, once on the bank’s network, they could manipulate data to create a valid account, but, as far as I know, there’s no evidence that this is what they do. Hence, working with an accomplice or a malicious insider is their best bet.

With a valid account will come the key to the whole operation; a credit or debit card. After all, the money they get will come directly from an ATM and the card would be needed to initiate the transaction. Keep in mind that the card was probably sent to a valid address and picked up by someone. Since the account will be valid, when the request for a withdrawal from an ATM is made, the malware in the validation server will trick the bank into approving the transaction and out comes the money.

It’s obvious that the Lazarus Group must have accomplices receiving cash at the compromised ATM machines. The person involved must not simply be a money mule. They cannot be naïve. They must know the PIN number used with the card, if such is required, and they would likely try to wear some sort of disguise to avoid being identified by any cameras associated with the ATM. In short, they would be active accomplices.

Once the card is verified, the information is sent to the bank’s servers, the ones that had previously been infected with FASTCash malware. FASTCash malware scans all incoming PANs (primary account numbers) looking for a set of numbers under its control. When it identifies a particular PAN, it sends a fraudulent request for approval to the bank server. Apparently, the malware is programmed to make the appropriate message adjustments that will get the approval of the bank whose network it has compromised.

It is also possible that Lazarus is active on the deep web. They may be buying stolen information and making their own credit cards accordingly. In this case, they are compromising accounts of regular customers who may then lose whatever funds they have in the bank.

In the past, the Lazarus group, generally believed to be working for the North Korean government, was more politically motivated. They would disrupt the infrastructure of South Korea or undertake cyber spying operations. However, this all changed with the stealing of $81 million from the Bangladesh Central Bank in 2016. Since then, financial hacks have been their main business. This may be because the sanctions against North Korea have forced them to find money any way they could. They were, for example, behind the WannaCry ransomware attacks in 2017. They have been continuously targeting banks.

In 2017, Lazarus used FASTCash to simultaneously withdraw cash from banks located in 30 different countries This year, they did the same with banks located in 23 different countries. These simultaneous operations had to have been precisely planned with the accomplices. It’s unclear why simultaneity was important to the attackers, unless they wanted to prevent the attacked banks from communicating with each other.

The banks attacked so far have been smaller banks in Asia and Africa. They probably didn’t have the most sophisticated cybersecurity infrastructure and likely did not use chip-and-PIN credit cards. But if the attackers had a legitimate account in a bank, they would get a legitimate credit card, chip-and-PIN or not.

So who is the sinister mastermind behind all of this mayhem? Apparently, this guy, Jin Hyok Park of North Korea.

lazarus hacker

Sure, he didn’t work alone but he messed up along the way giving up enough evidence to allow the U.S. Justice Department to file a 179 page indictment against him. Basically, this is a shot across the North Korean bow; “we’re watching you and we know what you’re doing.” It is unlikely that Park will ever see the inside of a courtroom let alone a jail cell. It is far more likely that the mistake that exposed him will send him to a work camp in North Korea.

However, such a stern warning will not come unanswered. The answer I expect would be one that compromised ATM machines in Europe and North America. I can think of no other reason why the DHS and FBI released their warning on FASTCash last month. They must consider FASTCash to be a real and impending threat against U.S. banks.

If you work in the banking sector, it is something to keep an eye on. Lazarus will continue to modify its FASTCash attack until it successfully compromises banks in the U.S. and Europe. Remember, these guys are good at what they do. If you’re just a person who uses an ATM to get cash, keep an eye on your bank statements for unauthorized withdrawals.If you see such activity, it could be proof that Lazarus has arisen.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s