aix.fastcash

FastCash

Actor(s): Lazarus Group


There is no description at this point.

References
2022-04-18 | CISA | CISA, U.S. Department of the Treasury, FBI
@techreport{cisa:20220418:aa22108a:a0a81c6, author = {CISA and U.S. Department of the Treasury and FBI}, title = {{AA22-108A: TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies (PDF)}}, date = {2022-04-18}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf}, language = {English}, urldate = {2022-04-20} } AA22-108A: TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies (PDF)
FastCash Bankshot
2021-02-26 | YouTube (Black Hat) | Kevin Perlow
@online{perlow:20210226:fastcash:2daf61f, author = {Kevin Perlow}, title = {{FASTCash and INJX_Pure: How Threat Actors Use Public Standards for Financial Fraud}}, date = {2021-02-26}, organization = {YouTube (Black Hat)}, url = {https://www.youtube.com/watch?v=zGvQPtejX9w}, language = {English}, urldate = {2021-03-04} } FASTCash and INJX_Pure: How Threat Actors Use Public Standards for Financial Fraud
FastCash
2020-12-09 | CrowdStrike | Josh Burgess, Jason Rivera
@techreport{burgess:20201209:from:1811e9c, author = {Josh Burgess and Jason Rivera}, title = {{From Zero to Sixty: The Story of North Korea’s Rapid Ascent to Becoming a Global Cyber Superpower}}, date = {2020-12-09}, institution = {CrowdStrike}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf}, language = {English}, urldate = {2020-12-11} } From Zero to Sixty: The Story of North Korea’s Rapid Ascent to Becoming a Global Cyber Superpower
FastCash Hermes WannaCryptor
2020-08-26 | CISA | CISA, U.S. Department of the Treasury, FBI, U.S. Cyber Command
@online{cisa:20200826:alert:91b063b, author = {CISA and U.S. Department of the Treasury and FBI and U.S. Cyber Command}, title = {{Alert (AA20-239A): FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks}}, date = {2020-08-26}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa20-239a}, language = {English}, urldate = {2022-04-20} } Alert (AA20-239A): FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks
FastCash
2020-08-05 | BlackHat | Kevin Perlow
@techreport{perlow:20200805:fastcash:5e6b73a, author = {Kevin Perlow}, title = {{FASTCash and Associated Intrusion Techniques}}, date = {2020-08-05}, institution = {BlackHat}, url = {https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud-wp.pdf}, language = {English}, urldate = {2020-08-14} } FASTCash and Associated Intrusion Techniques
FastCash
2020-08-05 | BlackHat | Kevin Perlow
@techreport{perlow:20200805:fastcashand:301d8ce, author = {Kevin Perlow}, title = {{FASTCash and INJX_PURE: How Threat Actors Use Public Standards for Financial Fraud}}, date = {2020-08-05}, institution = {BlackHat}, url = {https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf}, language = {English}, urldate = {2020-08-14} } FASTCash and INJX_PURE: How Threat Actors Use Public Standards for Financial Fraud
FastCash
2020-02-25 | RSA Conference | Joel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus
2020-02-19 | Lexfo | Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2019-05-30 | Talos Intelligence | Vanja Svajcer
@online{svajcer:20190530:10:82553e1, author = {Vanja Svajcer}, title = {{10 years of virtual dynamite: A high-level retrospective of ATM malware}}, date = {2019-05-30}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html}, language = {English}, urldate = {2019-11-24} } 10 years of virtual dynamite: A high-level retrospective of ATM malware
FastCash Project Alice Cutlet Ploutus ATM Skimer Tyupkin
2019-01-23 | NSHC RedAlert Labs | ThreatRecon Team
@online{team:20190123:sectora01:963118e, author = {ThreatRecon Team}, title = {{SectorA01 Custom Proxy Utility Tool Analysis}}, date = {2019-01-23}, organization = {NSHC RedAlert Labs}, url = {https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/}, language = {English}, urldate = {2019-10-18} } SectorA01 Custom Proxy Utility Tool Analysis
FastCash
2018-12-31 | Github Repository | Frank Boldewin
@online{boldewin:20181231:fastcashmalwaredissected:d72e332, author = {Frank Boldewin}, title = {{FastCashMalwareDissected}}, date = {2018-12-31}, organization = {Github Repository}, url = {https://github.com/fboldewin/FastCashMalwareDissected/}, language = {English}, urldate = {2019-07-10} } FastCashMalwareDissected
FastCash
2018-11-08 | Symantec | Security Response Attack Investigation Team
@online{team:20181108:fastcash:ee26edb, author = {Security Response Attack Investigation Team}, title = {{FASTCash: How the Lazarus Group is Emptying Millions from ATMs}}, date = {2018-11-08}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware}, language = {English}, urldate = {2022-05-03} } FASTCash: How the Lazarus Group is Emptying Millions from ATMs
FastCash Lazarus Group
2018-11-08 | Symantec | Critical Attack Discovery and Intelligence Team
@online{team:20181108:fastcash:acf8e38, author = {Critical Attack Discovery and Intelligence Team}, title = {{FASTCash: How the Lazarus Group is Emptying Millions from ATMs}}, date = {2018-11-08}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware}, language = {English}, urldate = {2020-04-21} } FASTCash: How the Lazarus Group is Emptying Millions from ATMs
FastCash Lazarus Group
2018-10-02 | US-CERT | US-CERT
@online{uscert:20181002:alert:c29ba37, author = {US-CERT}, title = {{Alert (TA18-275A) HIDDEN COBRA: FASTCash Campaign}}, date = {2018-10-02}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA18-275A}, language = {English}, urldate = {2020-01-13} } Alert (TA18-275A) HIDDEN COBRA: FASTCash Campaign
FastCash
2018-10-02 | CISA | Department of Homeland Security (DHS), Department of the Treasury (Treasury), FBI
@online{dhs:20181002:alert:6e24ac4, author = {Department of Homeland Security (DHS) and Department of the Treasury (Treasury) and FBI}, title = {{Alert (TA18-275A): HIDDEN COBRA – FASTCash Campaign}}, date = {2018-10-02}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/TA18-275A}, language = {English}, urldate = {2022-04-20} } Alert (TA18-275A): HIDDEN COBRA – FASTCash Campaign
FastCash
Yara Rules
[TLP:WHITE] aix_fastcash_w0 (20181219 | HIDDEN COBRA AIX FastCash process injection tool)
rule aix_fastcash_w0 {
  // HIDDEN COBRA AIX FastCash process-injection tool (XCOFF64 binary).
  // The strings fall into four independent groups: temp-file paths, the
  // tool's own log format strings, leftover symbol names and embedded
  // source paths. A file matches when it carries the XCOFF64 magic and
  // *every* string of at least one group, so a partial hit on one group
  // is not enough on its own.
  meta:
    author = "Paul Melson @pmelson"
    description = "HIDDEN COBRA AIX FastCash process injection tool"
    reference = "https://www.us-cert.gov/ncas/alerts/TA18-275A"
    reference = "https://github.com/fboldewin/FastCashMalwareDissected/"
    hash = "d465637518024262c063f4a82d799a4e40ff3381014972f24ea18bc23c3b27ee"
    malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/aix.fastcash"
    malpedia_version = "20181219"
    malpedia_license = "CC BY-NC-SA 4.0"
    malpedia_sharing = "TLP:WHITE"
  strings:
    // Group 1: printf-style path templates under /tmp/.ICE-unix (presumably
    // chosen because that directory is normally present for X11 ICE sockets,
    // so extra files there attract little attention)
    $file_eng64    = "/tmp/.ICE-unix/TMPENG%X.dat"
    $file_config   = "/tmp/.ICE-unix/config_%d"
    $file_dumpfile = "/tmp/.ICE-unix/DUMP%X.dat"

    // Group 2: status/log messages, each tagged with the emitting function
    // ([main] or [proc_writememory]); useful pivot strings for log review
    $msg_writemem_result = "[proc_writememory] ret=%d, err=%d(%s), addr=%p, len=%d, data=%p"
    $msg_inject_start    = "[main] Inject Start"
    $msg_save_registry   = "[main] SAVE REGISTRY"
    $msg_readmem_fail    = "[main] proc_readmemory fail"
    $msg_exec_ok         = "[main] Exec func(%llX) OK"
    $msg_exec_fail       = "[main] Exec func(%llX) fail ret=%X"
    $msg_inject_ok       = "[main] Inject OK(%llX)"
    $msg_inject_fail     = "[main] Inject fail ret=%llX"
    $msg_eject_ok        = "[main] Eject OK"
    $msg_eject_fail      = "[main] Eject fail ret=%llX"

    // Group 3: symbol names left in the binary. The proc_* names suggest
    // attach/detach, register and memory operations on another process;
    // _GLOBAL__FI_/_GLOBAL__FD_ look like compiler-generated global
    // init/fini routines for an "eng64" object (assumption, not verified).
    $symbol_init_eng64       = "_GLOBAL__FI_eng64"
    $symbol_fini_eng64       = "_GLOBAL__FD_eng64"
    $symbol_proc_attach      = "proc_attach"
    $symbol_proc_detach      = "proc_detach"
    $symbol_proc_continue    = "proc_continue"
    $symbol_proc_wait        = "proc_wait"
    $symbol_proc_fault       = "proc_fault"
    $symbol_proc_getregs     = "proc_getregs"
    $symbol_proc_setregs     = "proc_setregs"
    $symbol_proc_readmemory  = "proc_readmemory"
    $symbol_proc_writememory = "proc_writememory"
    $symbol_inject           = "inject"
    $symbol_static           = "_$STATIC"

    // Group 4: build-time artefacts — a compiler temp file and the source
    // file name embedded in the binary
    $source_cc_tmp = "/tmp//cchXKsHV.c"
    $source_eng64  = "/tmp/tmp/eng64.c"
  condition:
    // 0x01F7 is the XCOFF64 magic; uint16() reads little-endian, hence 0xf701.
    // The wildcard groups are matched by identifier prefix, so every string
    // above must keep its $file/$msg/$symbol/$source prefix.
    uint16(0) == 0xf701 and
    (
      all of ($file*) or
      all of ($msg*) or
      all of ($symbol*) or
      all of ($source*)
    )
}
[TLP:WHITE] aix_fastcash_w1 (20181219 | HIDDEN COBRA AIX FastCash ISO8583 module (may not be malicious, low attribution confidence))
rule aix_fastcash_w1 {
  // HIDDEN COBRA AIX FastCash ISO 8583 module (XCOFF64 binary). Three
  // independent string groups; matching all strings of any one group is
  // sufficient. Note the low attribution confidence in the description:
  // the DL_ISO8583_* and DL_ASCHEX_* names look like the API of a generic
  // ISO 8583 library rather than attacker-specific code, so a file that
  // hits only on the $aschex or $iso group may simply be a legitimate
  // payment component. The $symbol group (hooking helpers plus PAN and
  // blacklist checks) is the more specific evidence; confirm a hit
  // against the hashes in meta or the referenced analyses before acting.
  meta:
    author = "Paul Melson @pmelson"
    description = "HIDDEN COBRA AIX FastCash ISO8583 module (may not be malicious, low attribution confidence)"
    reference = "https://www.us-cert.gov/ncas/alerts/TA18-275A"
    reference = "https://github.com/fboldewin/FastCashMalwareDissected/"
    hash = "3a5ba44f140821849de2d82d5a137c3bb5a736130dddb86b296d94e6b421594c"
    hash = "ca9ab48d293cc84092e8db8f0ca99cb155b30c61d32a1da7cd3687de454fe86c"
    hash = "10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba"
    malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/aix.fastcash"
    malpedia_version = "20181219"
    malpedia_license = "CC BY-NC-SA 4.0"
    malpedia_sharing = "TLP:WHITE"
  strings:
    // Group 1: module-specific symbol names (message dumping, Detour*-style
    // function hooking, PAN and blacklist checks)
    $symbol_msg_to_file      = "msg_to_file"
    $symbol_msg_to_file_recv = "msg_to_file_recv"
    $symbol_msg_to_file_send = "msg_to_file_send"
    $symbol_detour_init      = "DetourInitFunc"
    $symbol_detour_attach    = "DetourAttach"
    $symbol_detour_detach    = "DetourDetach"
    $symbol_check_pan        = "CheckPan"
    $symbol_blacklist_check  = "BlacklistCheck"

    // Group 2: ASCII-hex conversion helpers (generic library names)
    $aschex_to_uint32   = "DL_ASCHEX_TO_UINT32"
    $aschex_from_uint32 = "DL_UINT32_TO_ASCHEX"
    $aschex_pack        = "_pack_iso_ASCHEX"
    $aschex_unpack      = "_unpack_iso_ASCHEX"

    // Group 3: ISO 8583 message API (generic library names)
    $iso_msg_init          = "DL_ISO8583_MSG_Init"
    $iso_msg_free          = "DL_ISO8583_MSG_Free"
    $iso_msg_setfield_str  = "DL_ISO8583_MSG_SetField_Str"
    $iso_msg_setfield_bin  = "DL_ISO8583_MSG_SetField_Bin"
    $iso_msg_removefield   = "DL_ISO8583_MSG_RemoveField"
    $iso_msg_havefield     = "DL_ISO8583_MSG_HaveField"
    $iso_msg_getfield_str  = "DL_ISO8583_MSG_GetField_Str"
    $iso_msg_getfield_bin  = "DL_ISO8583_MSG_GetField_Bin"
    $iso_msg_pack          = "DL_ISO8583_MSG_Pack"
    $iso_msg_unpack        = "DL_ISO8583_MSG_Unpack"
    $iso_msg_allocfield    = "_DL_ISO8583_MSG_AllocField"
    $iso_common_sethandler = "DL_ISO8583_COMMON_SetHandler"
    $iso_defs_1987_handler = "DL_ISO8583_DEFS_1987_GetHandler"
    $iso_defs_1993_handler = "DL_ISO8583_DEFS_1993_GetHandler"
    $iso_field_pack        = "_DL_ISO8583_FIELD_Pack"
    $iso_field_unpack      = "_DL_ISO8583_FIELD_Unpack"
    $iso_msg_dump          = "DL_ISO8583_MSG_Dump"
    $iso_fields_1987       = "_iso8583_1987_fields"
    $iso_fields_1993       = "_iso8583_1993_fields"
  condition:
    // 0x01F7 is the XCOFF64 magic; uint16() reads little-endian, hence 0xf701.
    // Groups are selected by identifier prefix ($symbol/$aschex/$iso).
    uint16(0) == 0xf701 and
    (
      all of ($symbol*) or
      all of ($aschex*) or
      all of ($iso*)
    )
}
[TLP:WHITE] aix_fastcash_w2 (20181219 | HIDDEN COBRA AIX FastCash pvpa binary (may not be malicious, low attribution confidence))
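rule aix_fastcash_w2 {
  // HIDDEN COBRA AIX FastCash "pvpa" helper binary (XCOFF64). Matches on
  // either the full set of NUL-delimited symbol names or the full set of
  // usage/status strings. Attribution confidence is low per the
  // description: the strings describe a small utility that opens /dev/mem
  // and reads/writes a per-CPU value, not the ISO 8583 logic itself, so
  // correlate a hit with aix_fastcash_w0 / aix_fastcash_w1 or the hash
  // in meta before acting on it.
  meta:
    author = "Paul Melson @pmelson"
    description = "HIDDEN COBRA AIX FastCash pvpa binary (may not be malicious, low attribution confidence)"
    reference = "https://www.us-cert.gov/ncas/alerts/TA18-275A"
    reference = "https://github.com/fboldewin/FastCashMalwareDissected/"
    hash = "f3e521996c85c0cdb2bfb3a0fd91eb03e25ba6feef2ba3a1da844f1b17278dd2"
    malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/aix.fastcash"
    malpedia_version = "20181219"
    malpedia_license = "CC BY-NC-SA 4.0"
    malpedia_sharing = "TLP:WHITE"
  strings:
    // Symbol names as stored in the binary, bracketed by NUL bytes so a
    // bare substring elsewhere in the file does not match. The '.'-prefixed
    // forms appear to be XCOFF code-entry symbols; "pvpa" is padded with
    // NULs on both sides (assumption: an 8-byte symbol-table slot).
    $symbol_static    = { 00 5f 24 53 54 41 54 49 43 00 }        // "_$STATIC"
    $symbol_pvpa      = { 00 00 00 00 70 76 70 61 00 00 00 00 }  // "pvpa"
    $symbol_get_pvpa  = { 00 2e 67 65 74 5f 70 76 70 61 00 }     // ".get_pvpa"
    // Renamed from $symbol_get_posn: the bytes decode to ".set_posn"
    // (73 65 74 = "set"), matching $string1 below. Detection is unchanged
    // because the condition selects this group by the $symbol prefix.
    $symbol_set_posn  = { 00 2e 73 65 74 5f 70 6f 73 6e 00 }     // ".set_posn"
    $symbol_init_pvpa = { 00 2e 69 6e 69 74 5f 70 76 70 61 00 }  // ".init_pvpa"

    // Usage, status and error strings printed by the tool. /dev/mem and
    // "open kernel mem" show it accesses kernel/physical memory directly,
    // which on a payment-switch host is itself worth investigating.
    $string0 = "/dev/mem"
    $string1 = "set_posn"
    $string2 = "get_pvpa"
    $string3 = "init_pvpa"
    $string4 = "high_cpuid=%d"
    $string5 = "open kernel mem"
    $string6 = "cpu %d, old value = 0x%02x"
    $string7 = "Usage: pvpa [<new_value> <old_value>]"
    $string8 = "Invalid PVPA read, magic = 0x%08x, len = %d, cpu = %d"
  condition:
    // 0x01F7 is the XCOFF64 magic; uint16() reads little-endian, hence 0xf701
    uint16(0) == 0xf701 and (all of ($symbol*) or all of ($string*))
}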