Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Hidden Cobra. Show all posts

North Korean Hackers Develop Linux Variant of FASTCash Malware Targeting Financial Systems

 

A new Linux variant of FASTCash malware has surfaced, targeting the payment switch systems of financial institutions. North Korean hackers, linked to the Hidden Cobra group, have expanded their cyber arsenal to now include Ubuntu 22.04 LTS distributions. Previously, the malware targeted Windows and IBM AIX systems. These payment switches route transactions between ATMs and banks, and the malware intercepts ISO8583 messages, modifying transaction responses from “decline” to “approve.” This manipulation authorizes fraudulent cash withdrawals through money mules. The discovery, made by security researcher HaxRob, revealed the Linux variant’s ability to bypass security tools, as it was first submitted to VirusTotal in June 2023 with no detection. 

It operates by injecting a shared library into a running process on the payment switch server using the ‘ptrace’ system call. FASTCash’s history of ATM cash-out attacks dates back to 2016, with incidents stealing tens of millions of dollars across multiple countries. The U.S. Cyber Command in 2020 attributed these schemes to APT38, part of the Lazarus Group. North Korea’s involvement in global financial theft is well-documented, with the theft of over $1.3 billion linked to this malware and other campaigns. The Linux variant’s ability to evade standard defenses puts financial institutions at heightened risk. Its discovery emphasizes the evolving tactics of North Korean cyber actors, who are continually refining malware to expand their reach. 

HaxRob also noted a new Windows version of FASTCash, submitted in September 2024, demonstrating the ongoing development of this malware. To mitigate this growing threat, financial institutions must strengthen security around payment switch systems, implement real-time monitoring of unusual transaction patterns, and upgrade defenses to detect advanced attack techniques like FASTCash. 

As North Korean hackers continue to develop sophisticated malware variants, financial organizations must prioritize protecting against this persistent threat to prevent unauthorized cash withdrawals and financial losses.

US Agencies Publish Advisory on North Korean Cryptocurrency Malware, AppleJeus

 

The Federal Bureau of Investigation (FBI) jointly with the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury, released an advisory on North Korea's cyber-threat to cryptocurrency and on suggestions for mitigating. 

Operated with the US government allies, FBI, CISA and the Treasury assess that, Lazarus Group –advanced persistent threat (APT) actors assisted by these agencies in North Korea is targeting the consumers and firms through the dissemination of cryptocurrency trading apps, including crypto-currency exchange and financial service providers, that have been updated to cover. 

“This advisory marks another step by the U.S. Government to counter the ongoing and criminal North Korean global cryptocurrency theft scheme targeting finance, energy, and other sectors,” said CISA Acting Executive Assistant Director of Cybersecurity Matt Hartman. “The FBI, Treasury, and CISA continue to assess the evolving cyber threat posed by North Korea, cybercriminals, and other nation-state actors and are committed to providing organizations timely information and mitigations to combat these threats.” 

In the last year alone, these cyber actors attacked organizations for cryptocurrency theft, in more than 30 nations. These actors would undoubtedly see amended cryptocurrency trade applications as a way of bypassing North Korea's foreign sanctions—applications that allow them to gain access to cryptocurrency exchanges and loot cryptocurrency cash from victims' accounts. 

The US government refers to the North Korean Government's malicious cyber activity as HIDDEN COBRA. Malware and indicators of compromise (IOCs) have been identified by the United States Government to facilitate North Korean cryptocurrency robbery, which is called "AppleJeus" by the Cyber Security community. 

Although the malware was first found in 2018, North Korea has used several versions of AppleJeus. In the first place, HIDDEN COBRA actors used websites that seemed to host genuine cryptocurrency trading platforms, but these actors seem to be using other infection feature vectors, such as phishing, social networking, and social engineering, to get users to download the malware and to infect victims with AppleJeus. They are also using other infection vectors. Active AppleJeus Malware agencies in several areas, including energy, finances, government, industry, technology, and telecommunications, were targeted by HIDDEN COBRA actors. 

Ever since it was discovered, several variants of AppleJeus were found in the wild. Most of them are supplied as relatively simple applications from attacker-controlled websites that resemble legitimate cryptocurrency exchange sites and firms. 

“It is likely that these actors view modified cryptocurrency trading applications as a means to circumvent international sanctions on North Korea — the applications enable them to gain entry into companies that conduct cryptocurrency transactions and steal cryptocurrency from victim accounts,” states the report. 

If consumers perceive that they have been affected by AppleJeus, the findings suggest victims creating new keys or transferring funds from corrupted crypto wallets, expelling hosts, running anti-malware tests on tainted devices, and notifying the FBI, CISA, or treasury.

Hackers Attack Online Stores Stealing Credit Card Data, Experts Allege North Korea


According to the recent findings, there has been an incident of web skimming attacks on the European and American online store websites. The hackers responsible for the attacks are likely to be state-sponsored from North Korea. Research conducted by cybersecurity experts at Sansec reveals that the web skimming attacks that broke into the online retail stores started in May 2019. APT Lazarus and Hidden Cobra hacking groups were responsible for the attacks, planting payment skimmers to breach the security.



According to the new research, the hackers have now increased their activities. They have now set a larger target area and attack online stores using a skimming script, which steals the customer's banking credentials during the checkout stage. The researchers from Sansec claim that the attacks were carried out by Hidden Cobra because a similar hacking pattern was used in their previous attacks.

What is Magecart Attack? 
It is a web skimming attack in which hackers can steal banking credentials from the user and credit card details. However, in this incident, Hidden Cobra, after gaining access, launched a large scale attack on big online retail stores. Once hackers have unauthorized access, they deploy fake scripts on the websites' checkout pages. The skimmer then stores all the credentials that the user types during the checkout stage and sends it to the main Hidden Cobra servers. According to Sances data, in millions of online stores, up to 100 stores' websites are compromised on an average every day.

"To monetize the skimming operations, HIDDEN COBRA developed a global exfiltration network. This network utilizes legitimate sites that were hijacked and repurposed to serve as disguises for criminal activity. The system is also used to funnel the stolen assets so that they can be sold on dark web markets. Sansec has identified a number of these exfiltration nodes, including a modeling agency8 from Milan, a vintage music store9 from Tehran, and a family-run book store10 from New Jersey," says the Sansec report. Experts have now linked various attacks since 2019 to Hidden Cobra, say that the threat actors are very likely to be state-sponsored.

US issues warning against malware 'Electricfish' linked with North Korea








The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have issued a joint security warning about a new malware called "Electricfish,’’ which is allegedly linked to a state-sponsored North Korean cyberattack group.

The investigators uncovered the malware while they were tracking the activities of Hidden Cobra, it is believed that the group is sponsored by the North Korean government. 

The warning released by the US Computer Emergency Readiness Team on Thursday says that the malware is a 32-bit Windows executable program. After reverse engineering the sample, the malware was found to contain a custom protocol which permits traffic to be funneled between source and destination IP addresses.

‘’The malware implements a custom protocol that allows traffic to be funneled between a source and a destination Internet Protocol (IP) addressaa. The malware continuously attempts to reach out to the source and the designation system, which allows either side to initiate a funneling session.’’

‘’The malware can be configured with a proxy server/port and proxy username and password. This feature allows connectivity to a system sitting inside of a proxy server, which allows the actor to bypass the compromised system’s required authentication to reach outside of the network,’’ read warning. 


The whole list of Indicators of Compromise (IOC) for Electricfish can be downloaded here