Payday Lender – HIDDEN COBRA and FASTCash

A new advisory was issued by the US Department of Homeland Security (DHS) and US-CERT for Hidden Cobra. This is the latest in a string of advisories related to Hidden Cobra. What is unique is that this is the first US-CERT advisory related to automated teller machine (ATM) attacks, describing what they refer to as an ATM cash-out scheme, officially named "FASTCash."


A confidential government source estimates that Hidden Cobra actors have stolen tens of millions of dollars. In one incident in 2017, Hidden Cobra actors enabled cash to be simultaneously withdrawn from ATMs located in over 30 different countries. In another incident in 2018, Hidden Cobra actors enabled cash to be simultaneously withdrawn from ATMs in 23 different countries. Hidden Cobra is also known as the Lazarus Group, which is credited with the Sony Pictures attack in 2014 and various other notable attacks, such as the 2016 cyber heist of a Bangladeshi bank, which netted $81 million.

According to US-CERT, FASTCash schemes remotely compromise payment switch application servers within banks to facilitate fraudulent transactions.  According to the advisory, Hidden Cobra actors target the retail payment system infrastructure within banks to enable fraudulent ATM cash withdrawals across national borders.  Hidden Cobra actors have configured and deployed legitimate scripts on compromised switch application servers in order to intercept and reply to financial request messages with fraudulent but legitimate-looking affirmative response messages.  The infection vector at this time is unknown.  
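The mechanism described above, fraudulent approvals generated on the switch itself, suggests a reconciliation check a defender can run: every ATM withdrawal approval the payment switch sends out should correspond to an authorization the core banking system actually granted, and approvals with no such record that cluster across many countries in a short window match the cash-out pattern. The following is an added example written for this post, not code from the Wapack Labs report or the US-CERT advisory. The log format, the field names (the `stan` trace number used as the join key), the sample switch log and the core ledger are all constructed assumptions.

```python
"""
Added example: reconcile payment-switch ATM approvals against the core
banking authorization ledger and flag multi-country bursts of approvals
the core never issued. Log format and sample data are constructed.
"""
from datetime import datetime, timedelta

# Constructed switch log: one line per ATM withdrawal response the switch
# returned to the acquiring network. Field layout is an assumption.
SWITCH_LOG = """\
2018-10-02T03:14:05Z stan=000101 pan_hash=h1 amount=500 country=TR resp=approved
2018-10-02T03:14:07Z stan=000102 pan_hash=h1 amount=500 country=PH resp=approved
2018-10-02T03:14:09Z stan=000103 pan_hash=h1 amount=500 country=MY resp=approved
2018-10-02T03:14:12Z stan=000104 pan_hash=h2 amount=40 country=US resp=approved
2018-10-02T03:15:30Z stan=000105 pan_hash=h1 amount=500 country=IN resp=approved
2018-10-02T03:20:01Z stan=000106 pan_hash=h3 amount=100 country=US resp=declined
2018-10-02T09:00:00Z stan=000107 pan_hash=h4 amount=60 country=US resp=approved
"""

# Constructed core-banking ledger: trace numbers the core actually approved.
CORE_LEDGER = {"000104", "000107"}


def parse_switch_log(text):
    """Parse the constructed key=value log into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        rec["amount"] = int(rec["amount"])
        events.append(rec)
    return events


def ghost_approvals(events, core_ledger):
    """Approvals the switch emitted that the core has no record of granting.
    A tampered switch answering requests locally produces exactly these."""
    return [e for e in events
            if e["resp"] == "approved" and e["stan"] not in core_ledger]


def burst_alerts(ghosts, window=timedelta(minutes=5), min_countries=3):
    """Group ghost approvals into time windows and alert when one window
    spans at least min_countries distinct countries (the simultaneous
    multi-country withdrawal pattern described in the advisory)."""
    alerts = []
    ghosts = sorted(ghosts, key=lambda e: e["ts"])
    i = 0
    while i < len(ghosts):
        start = ghosts[i]["ts"]
        # Sorted by time, so entries inside the window form a contiguous run.
        group = [g for g in ghosts[i:] if g["ts"] - start <= window]
        countries = {g["country"] for g in group}
        if len(countries) >= min_countries:
            alerts.append({
                "start": start,
                "countries": sorted(countries),
                "count": len(group),
                "total": sum(g["amount"] for g in group),
            })
        i += len(group)
    return alerts


def run(log_text=SWITCH_LOG, core_ledger=CORE_LEDGER):
    """Convenience entry point: returns (ghost approvals, burst alerts)."""
    ghosts = ghost_approvals(parse_switch_log(log_text), core_ledger)
    return ghosts, burst_alerts(ghosts)


if __name__ == "__main__":
    ghosts, alerts = run()
    for g in ghosts:
        print("ghost approval", g["stan"], g["country"], g["amount"])
    for a in alerts:
        print("ALERT", a["start"], a["count"], "approvals across", a["countries"],
              "total", a["total"])
```

In the constructed data, four approvals for the same card hash (`h1`) across four countries within ninety seconds have no core authorization, while the two approvals the core did grant and the one decline are ignored. The design choice worth keeping is that the check does not trust the switch's own logs for the verdict: the ground truth is the core's ledger, which the advisory does not describe as compromised, so an actor who controls the switch cannot make a ghost approval look legitimate to this comparison.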

The publicly available samples are Windows-related (some signed with a since-revoked certificate, some unsigned), and the associated data files are not malicious by themselves. The Windows-related files are of two types. The first is a Trojan downloader that downloads an encrypted payload; the payload was not available for further analysis. The second is a proxy-related module that intercepts traffic, can modify the Windows firewall, and forces the victim machine to act as a proxy server.

Other notable functions:

  • Retrieve information about the logon sessions, drives installed, and operating system
  • Search for files
  • Execute processes
  • Terminate processes
  • Delete files
  • Execute commands
  • Download and upload files
  • Read files
  • Write files
  • Compress and decompress files

Signatures: W32/NukeSped.AA!tr, W32/NukeSped.AK!tr

Past Reporting:

Lazarus Group TTP Used Against Global Govt Financial, PIR-006-2017, dtd 24 March 2017
Lazarus Group Update, TR-18-150-001, dtd 25 May 2018

For questions, comments or assistance regarding this report, please contact Wapack Labs at 603-606-1246, or feedback@wapacklabs.com

Please join us every Friday morning for a rebroadcast of our Weekly Red Sky Alliance Threat Brief, a succinct summary of current threat activities designed to inform your decision-making. Listen in on what our Wapack Labs analysts have been working on.
