aix.fastcash

FastCash

Actor(s): Lazarus Group


There is no description at this point.

References
2020-08-05 — BlackHat — Kevin Perlow
@techreport{perlow:20200805:fastcash:5e6b73a, author = {Kevin Perlow}, title = {{FASTCash and Associated Intrusion Techniques}}, date = {2020-08-05}, institution = {BlackHat}, url = {https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud-wp.pdf}, language = {English}, urldate = {2020-08-14} } FASTCash and Associated Intrusion Techniques
FastCash
2020-08-05 — BlackHat — Kevin Perlow
@techreport{perlow:20200805:fastcashand:301d8ce, author = {Kevin Perlow}, title = {{FASTCashand INJX_PURE: How Threat Actors Use Public Standards for Financial Fraud}}, date = {2020-08-05}, institution = {BlackHat}, url = {https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf}, language = {English}, urldate = {2020-08-14} } FASTCashand INJX_PURE: How Threat Actors Use Public Standards for Financial Fraud
FastCash
2020-02-25 — RSA Conference — Joel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Ransomware Rapid Ransom REvil Ryuk SamSam Zeus
2020-02-19 — Lexfo — Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2019-05-30 — Talos Intelligence — Vanja Svajcer
@online{svajcer:20190530:10:82553e1, author = {Vanja Svajcer}, title = {{10 years of virtual dynamite: A high-level retrospective of ATM malware}}, date = {2019-05-30}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html}, language = {English}, urldate = {2019-11-24} } 10 years of virtual dynamite: A high-level retrospective of ATM malware
FastCash Project Alice Cutlet Ploutus ATM Skimer Tyupkin
2019-01-23 — NSHC RedAlert Labs — ThreatRecon Team
@online{team:20190123:sectora01:963118e, author = {ThreatRecon Team}, title = {{SectorA01 Custom Proxy Utility Tool Analysis}}, date = {2019-01-23}, organization = {NSHC RedAlert Labs}, url = {https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/}, language = {English}, urldate = {2019-10-18} } SectorA01 Custom Proxy Utility Tool Analysis
FastCash
2018-12-31 — Github Repository — Frank Boldewin
@online{boldewin:20181231:fastcashmalwaredissected:d72e332, author = {Frank Boldewin}, title = {{FastCashMalwareDissected}}, date = {2018-12-31}, organization = {Github Repository}, url = {https://github.com/fboldewin/FastCashMalwareDissected/}, language = {English}, urldate = {2019-07-10} } FastCashMalwareDissected
FastCash
2018-11-08 — Symantec — Critical Attack Discovery and Intelligence Team
@online{team:20181108:fastcash:acf8e38, author = {Critical Attack Discovery and Intelligence Team}, title = {{FASTCash: How the Lazarus Group is Emptying Millions from ATMs}}, date = {2018-11-08}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware}, language = {English}, urldate = {2020-04-21} } FASTCash: How the Lazarus Group is Emptying Millions from ATMs
FastCash Lazarus Group
2018-10-02 — US-CERT — US-CERT
@online{uscert:20181002:alert:c29ba37, author = {US-CERT}, title = {{Alert (TA18-275A) HIDDEN COBRA: FASTCash Campaign}}, date = {2018-10-02}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA18-275A}, language = {English}, urldate = {2020-01-13} } Alert (TA18-275A) HIDDEN COBRA: FASTCash Campaign
FastCash
Yara Rules
[TLP:WHITE] aix_fastcash_w0 (20181219 | HIDDEN COBRA AIX FastCash process injection tool)
rule aix_fastcash_w0 {
  // Detects the AIX FastCash process-injection tool. The rule requires the
  // XCOFF64 file magic and then matches on ANY ONE complete family of strings:
  // temp-file paths, log/debug format strings, exported symbol names, or
  // leftover source-file paths. Each family is independent, so a stripped
  // binary (no symbols) can still hit on its paths or log messages.
  meta:
    author = "Paul Melson @pmelson"
    description = "HIDDEN COBRA AIX FastCash process injection tool"
    reference_0 = "https://www.us-cert.gov/ncas/alerts/TA18-275A"
    reference_1 = "https://github.com/fboldewin/FastCashMalwareDissected/"
    sample_sha256 = "d465637518024262c063f4a82d799a4e40ff3381014972f24ea18bc23c3b27ee"
    malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/aix.fastcash"
    malpedia_version = "20181219"
    malpedia_license = "CC BY-NC-SA 4.0"
    malpedia_sharing = "TLP:WHITE"
  strings:
    // Working files dropped under /tmp/.ICE-unix, a directory normally used
    // for X11 ICE sockets; the %X / %d placeholders mean the on-disk names
    // vary per run, so hunt with a prefix match rather than an exact name.
    $file_eng64 = "/tmp/.ICE-unix/TMPENG%X.dat"
    $file_config = "/tmp/.ICE-unix/config_%d"
    $file_dumpfile = "/tmp/.ICE-unix/DUMP%X.dat"
    // printf-style log messages emitted by the tool's main/injection routines.
    $msg0 = "[proc_writememory] ret=%d, err=%d(%s), addr=%p, len=%d, data=%p"
    $msg1 = "[main] Inject Start"
    $msg2 = "[main] SAVE REGISTRY"
    $msg3 = "[main] proc_readmemory fail"
    $msg4 = "[main] Exec func(%llX) OK"
    $msg5 = "[main] Exec func(%llX) fail ret=%X"
    $msg6 = "[main] Inject OK(%llX)"
    $msg7 = "[main] Inject fail ret=%llX"
    $msg8 = "[main] Eject OK"
    $msg9 = "[main] Eject fail ret=%llX"
    // Symbol names. The proc_* set (attach/detach/get+set regs/read+write
    // memory) reads like a debugger-style process-manipulation API —
    // inferred from the names only; the symbols are absent from stripped builds.
    $symbol00 = "_GLOBAL__FI_eng64"
    $symbol01 = "_GLOBAL__FD_eng64"
    $symbol02 = "proc_attach"
    $symbol03 = "proc_detach"
    $symbol04 = "proc_continue"
    $symbol05 = "proc_wait"
    $symbol06 = "proc_fault"
    $symbol07 = "proc_getregs"
    $symbol08 = "proc_setregs"
    $symbol09 = "proc_readmemory"
    $symbol10 = "proc_writememory"
    $symbol11 = "inject"
    $symbol12 = "_$STATIC"
    // Compiler-embedded source paths left in the binary (build-environment artefacts).
    $source0 = "/tmp//cchXKsHV.c"
    $source1 = "/tmp/tmp/eng64.c"
  condition:
    // uint16() is little-endian, so 0xf701 matches the bytes 01 F7 at offset 0 —
    // the XCOFF64 magic used by 64-bit AIX objects. Only a COMPLETE family
    // triggers; partial hits across several families do not.
    uint16(0) == 0xf701 and (all of ($file*) or all of ($msg*) or all of ($symbol*) or all of ($source*))
}
[TLP:WHITE] aix_fastcash_w1 (20181219 | HIDDEN COBRA AIX FastCash ISO8583 module (may not be malicious, low attribution confidence))
rule aix_fastcash_w1 {
  // Detects the ISO 8583 message-handling module associated with FastCash.
  // As the description says, attribution confidence is LOW: the $iso* and
  // $aschex* names appear to come from a generic ISO 8583 library, so a hit
  // on those families alone may be a benign payment-processing component.
  // Treat matches as a triage lead, and weight $symbol* hits (Detour*/CheckPan/
  // BlacklistCheck) more heavily than the library-name families.
  meta:
    author = "Paul Melson @pmelson"
    description = "HIDDEN COBRA AIX FastCash ISO8583 module (may not be malicious, low attribution confidence)"
    reference_0 = "https://www.us-cert.gov/ncas/alerts/TA18-275A"
    reference_1 = "https://github.com/fboldewin/FastCashMalwareDissected/"
    sample_sha256_0 = "3a5ba44f140821849de2d82d5a137c3bb5a736130dddb86b296d94e6b421594c"
    sample_sha256_1 = "ca9ab48d293cc84092e8db8f0ca99cb155b30c61d32a1da7cd3687de454fe86c"
    sample_sha256_2 = "10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba"
    malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/aix.fastcash"
    malpedia_version = "20181219"
    malpedia_license = "CC BY-NC-SA 4.0"
    malpedia_sharing = "TLP:WHITE"
  strings:
    // Module-specific symbols: message capture to file, Detour*-style function
    // hooking, and card-number (PAN) / blacklist checks. These are the most
    // specific indicators in the rule.
    $symbol0 = "msg_to_file"
    $symbol1 = "msg_to_file_recv"
    $symbol2 = "msg_to_file_send"
    $symbol3 = "DetourInitFunc"
    $symbol4 = "DetourAttach"
    $symbol5 = "DetourDetach"
    $symbol6 = "CheckPan"
    $symbol7 = "BlacklistCheck"
    // ASCII-hex helpers of the ISO 8583 library (generic; low specificity).
    $aschex0 = "DL_ASCHEX_TO_UINT32"
    $aschex1 = "DL_UINT32_TO_ASCHEX"
    $aschex2 = "_pack_iso_ASCHEX"
    $aschex3 = "_unpack_iso_ASCHEX"
    // ISO 8583 message pack/unpack API, 1987 and 1993 field definitions
    // (generic; low specificity).
    $iso00 = "DL_ISO8583_MSG_Init"
    $iso01 = "DL_ISO8583_MSG_Free"
    $iso02 = "DL_ISO8583_MSG_SetField_Str"
    $iso03 = "DL_ISO8583_MSG_SetField_Bin"
    $iso04 = "DL_ISO8583_MSG_RemoveField"
    $iso05 = "DL_ISO8583_MSG_HaveField"
    $iso06 = "DL_ISO8583_MSG_GetField_Str"
    $iso07 = "DL_ISO8583_MSG_GetField_Bin"
    $iso08 = "DL_ISO8583_MSG_Pack"
    $iso09 = "DL_ISO8583_MSG_Unpack"
    $iso10 = "_DL_ISO8583_MSG_AllocField"
    $iso11 = "DL_ISO8583_COMMON_SetHandler"
    $iso12 = "DL_ISO8583_DEFS_1987_GetHandler"
    $iso13 = "DL_ISO8583_DEFS_1993_GetHandler"
    $iso14 = "_DL_ISO8583_FIELD_Pack"
    $iso15 = "_DL_ISO8583_FIELD_Unpack"
    $iso16 = "DL_ISO8583_MSG_Dump"
    $iso17 = "_iso8583_1987_fields"
    $iso18 = "_iso8583_1993_fields"
  condition:
    // XCOFF64 magic (bytes 01 F7, read little-endian) plus any ONE complete
    // string family. Note that all three families are symbol names, so a
    // stripped binary will not match this rule at all.
    uint16(0) == 0xf701 and (all of ($symbol*) or all of ($aschex*) or all of ($iso*))
}
[TLP:WHITE] aix_fastcash_w2 (20181219 | HIDDEN COBRA AIX FastCash pvpa binary (may not be malicious, low attribution confidence))
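rule aix_fastcash_w2 {
  // Detects the "pvpa" utility found alongside FastCash. Attribution
  // confidence is LOW per the description: the binary is a small kernel-memory
  // tool (it opens /dev/mem, see $string0/$string5) and may be a legitimate
  // admin utility rather than malware. Two independent families are matched:
  // null-delimited symbol names as raw hex, and the program's plain strings.
  //
  // Fix: the identifier previously named $symbol_get_posn actually encodes
  // ".set_posn" (hex 2e 73 65 74 5f 70 6f 73 6e), matching $string1; it is
  // renamed $symbol_set_posn so the name reflects the bytes. The condition
  // uses the $symbol* wildcard, so matching behaviour is unchanged.
  meta:
    author = "Paul Melson @pmelson"
    description = "HIDDEN COBRA AIX FastCash pvpa binary (may not be malicious, low attribution confidence)"
    reference_0 = "https://www.us-cert.gov/ncas/alerts/TA18-275A"
    reference_1 = "https://github.com/fboldewin/FastCashMalwareDissected/"
    sample_sha256 = "f3e521996c85c0cdb2bfb3a0fd91eb03e25ba6feef2ba3a1da844f1b17278dd2"
    malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/aix.fastcash"
    malpedia_version = "20181219"
    malpedia_license = "CC BY-NC-SA 4.0"
    malpedia_sharing = "TLP:WHITE"
  strings:
    // Symbol names as they would sit in a string/symbol table, with the
    // surrounding NUL bytes included to avoid substring false positives.
    $symbol_static = { 00 5f 24 53 54 41 54 49 43 00 }              // "_$STATIC"
    $symbol_pvpa = { 00 00 00 00 70 76 70 61 00 00 00 00 }          // "pvpa", padded
    $symbol_get_pvpa = { 00 2e 67 65 74 5f 70 76 70 61 00 }         // ".get_pvpa"
    $symbol_set_posn = { 00 2e 73 65 74 5f 70 6f 73 6e 00 }         // ".set_posn"
    $symbol_init_pvpa = { 00 2e 69 6e 69 74 5f 70 76 70 61 00 }     // ".init_pvpa"
    // Plain strings: the /dev/mem path, function names and usage/error
    // messages. $string7 (the usage line) is the most specific of these.
    $string0 = "/dev/mem"
    $string1 = "set_posn"
    $string2 = "get_pvpa"
    $string3 = "init_pvpa"
    $string4 = "high_cpuid=%d"
    $string5 = "open kernel mem"
    $string6 = "cpu %d, old value = 0x%02x"
    $string7 = "Usage: pvpa [<new_value> <old_value>]"
    $string8 = "Invalid PVPA read, magic = 0x%08x, len = %d, cpu = %d"
  condition:
    // XCOFF64 magic (bytes 01 F7, read little-endian) and ALL of either the
    // symbol family or the string family.
    uint16(0) == 0xf701 and (all of ($symbol*) or all of ($string*))
}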