Threat Research

Joint Technical Alert - “FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks”

By Val Saengphaibul | August 27, 2020

Affected platforms:    Microsoft Windows
Impacted parties:       Windows Enterprise Users, specifically financial institutions
Impact:                       Interception of ISO 8583 Point of Sale (POS) system messages, ATM transaction requests, and ATM balance inquiries
Severity level:             Critical

Today, the United States Cybersecurity and Infrastructure Security Agency (CISA), in conjunction with the Department of the Treasury (TREASURY), the Federal Bureau of Investigation (FBI), and U.S. Cyber Command (USCYBERCOM) released a Joint Technical Alert that has attributed malicious cyber activity to the North Korean government. The Technical Alert provides a detailed analysis of the North Korean government’s role in an automated teller machine (ATM) cash-out scheme—referred to by the U.S. Government as “FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks.” This blog will aim to provide a brief breakdown of the Joint Technical Alert and Malware Analysis Reports (MAR) published today by CISA. 

The MAR reports published today are: 

MAR-10301706-1.v1 – 4 samples (ECCENTRICBANDWAGON)

MAR-10301706-2.v1 – 6 samples (VIVACIOUSGIFT)

MAR-10257062-1.v2 – 3 samples (FASTCASH for Windows)

The Joint Technical Alert provides detailed insight for this latest campaign, while the separate Malware Analysis Reports contain detailed write-ups of samples used by the BeagleBoyz that were mentioned in today’s CISA Joint Technical Alert.

Background on the Joint Technical Alert

HIDDEN COBRA has been linked to multiple high-profile attacks that have caused massive infrastructure disruptions, as well as financially motivated attacks in various parts of the world. Notable attacks include the 2014 attack on a major entertainment company and a 2016 Bangladeshi financial institution heist that nearly netted close to $1 Billion (USD) for the attackers. Had it not been for a misspelling in an instruction that caused a bank to flag and block thirty transactions, HIDDEN COBRA would have pulled off a heist unlike any other. Although HIDDEN COBRA failed in their attempt, they were still able to net around $81 million in total. The most recent—and most notable—attack attributed to HIDDEN COBRA was the Wannacry Ransomware attack, which resulted in massive disruption and damage worldwide to numerous organizations, especially manufacturers. Various estimates of the impact are in the hundreds of millions of dollars, with some estimates claiming billions. Other verticals which this group has targeted include critical infrastructures, as well as entertainment, finance, healthcare, and telecommunication sectors across multiple countries.

Meet the BeagleBoyz

"BeagleBoyz " is a newly identified group that is a subset of activity by the threat actors known as HIDDEN COBRA/LAZARUS/APT 38. BeagleBoyz has been active since 2014. According to estimates, the BeagleBoyz were responsible for attempting to steal nearly $2 billion (USD) from various financial institutions in a coordinated cash out attack in over 30 countries worldwide. The BeagleBoyz are now attributed by the United States government as being behind the $81 million heist from a financial institution in Bangladesh, whereas past reports had linked it to HIDDEN COBRA/LAZARUS activity. In addition, the BeagleBoyz have been linked to attacks in Africa and Chile since 2018.

The primary modus operandi of the BeagleBoyz is social engineering, spearphishing, and watering hole tactics. Contained within the Malware Analysis Reports (MAR) cited above are (13) unique malware samples that are a combination of remote access tools/trojans (RAT), a tunneling proxy tool, keylogger/screen capturing, and man in the middle attacks—all specifically targeting ISO 8583 Point of Sale (POS) system messages, ATM transaction requests, and ATM balance inquiries   

Sample Summaries

The malware family names attributed to the BeagleBoyz by CISA include: 

ECCENTRICBANDWAGON 

Contained within this report are four malicious DLL files that perform keystroke and screen logging. According to the MAR, all four of the ECCENTRICBANDWAGON samples are very similar to each other, with the main difference being where exfiltrated data (key logs and screenshots) is stored. In addition, some variants use RC4 encryption on specific strings within the portable executable (PE) file and conduct a cleanup of themselves, whereas some of the other files do not.

VIVACIOUSGIFT

Contained within this report are six malicious portable executable (PE) files. Files include network proxy tools that require an encrypted command line argument to retrieve various command and control network configurations for the source and destination IP address. The command line instruction can contain a source proxy IP, port, and password. The source proxy can also be used as an additional proxy when communicating with the source IP address. According to the MAR, other listed samples are very similar, with the main difference being 32-bit and 64-bit versions of the malware.

FASTCASH for Windows 

Contained within this report are two malicious portable executable (PE) files and one malicious DLL file. These files are (1) implant (DLL) that can inject itself into a remote Windows process, (1) command line utility (PE), and (1) infostealer/MITM file (PE). Within the first file is an encrypted info.dat file that contains preconfigured primary account numbers [PAN]. These most likely originated from and contained transactions of ATM machines. These numbers are used within the banking industry to help identify the financial institution of a card issuer. This sample contains two functions, including a DLL that is injected into a targeted process. This sample will then try and hook the Send and Recv function of the Windows API within the targeted process, which will then try to intercept x200" Financial Request Messages generated by ATM machines. Another observed functionality of this file is that it utilizes a blocklist of ATM transactions, which will be denied by the hook function. 

When the malware receives a request from an ATM, if it contains a PAN number already preconfigured in info.dat and it is not on the blocklist in “blk.dat”, the malware will respond by acknowledging the response and sending it to the ATM system to further confirm the transaction and to then hijack and withdraw money from the ATM machine.  If the transaction is hijacked and approved, the malware will log this transaction in an encrypted log file: suc.dat. The second file is a 32-bit malicious Windows DLL file that contains a command line utility that allows an attacker to inject a DLL into a remote process. 

The third file is a configuration file that contains a blocklist and multiple log files. According to the MAR, upon attaching to a process, the sample will decrypt the encrypted config from the configuration file and read it into memory. Next, it will hook the processes send and recv winAPIs and perform a MITM attack to check if specific metadata exists in the above log files. If it is not available, it will allow the metadata to pass through. Once the recv function is called, it checks to see if it is on port 7029. If it is, it will parse specific ISO8583 fields from the incoming datagram. It then checks for a predefined configuration file in the PAN. If it exists, it will allow it to pass. If it is on the blacklist, it will set REPONSE_CODE to 51, which is the code for insufficient funds.

Other malware families mentioned in this write up include the use of CROWDEDFLOUNDER (RAT), ELECTRICFISH (Tunnel Proxy), and HOPLIGHT (RAT). Further information about these malware families can be found in a previous blog and Threat Intelligence Brief.

Fortinet Protection

FortiGuard Labs deployed coverage to ensure protections were in place immediately after the announcement by the United States Cybersecurity and Infrastructure Security Agency (CISA). CISA, in coordination with the Cyber Threat Alliance (CTA), shared the samples ahead of the announcement with CTA partners to ensure that customers of CTA members were immediately protected in real time.

Customers running the latest definition sets are protected by the following (AV) signatures:

W32/Alreay.BG!tr 
W32/KeyLogger.BHFC!tr 
W32/Banker.ADRO!tr.spy 
W32/Alreay.A!tr 
W32/Agent.0D36!tr 
W64/Agent.AP!tr 
W32/Generic!tr 
W64/Banker.AX!tr.spy 
W32/Banker.ADRO!tr.bdr 
W64/Agent.AP!tr 
W32/Alreay.BB!tr
Riskware/Banker

Customers running the latest definition sets are protected by the following (IPS) signatures:

ElectricFish.Tunneling.Tool

APPENDIX

North Korean Malicious Cyber Activity

https://us-cert.cisa.gov/northkorea

HIDDEN COBRA – FASTCash Campaign

https://us-cert.cisa.gov/ncas/alerts/TA18-275A

Learn more about FortiGuard Labs threat research and the FortiGuard Security Subscriptions and Services portfolioSign up for the weekly Threat Brief from FortiGuard Labs. 

Learn more about Fortinet’s free cybersecurity training initiative or about the Fortinet Network Security Expert programNetwork Security Academy program, and FortiVet program.