FASTCash and INJX_Pure: How Threat Actors Use Public Standards for Financial Fraud
FASTCash and Associated Intrusion Techniques
By Kevin Perlow
Key Points
ISO 8583 is a standard that applies to card payments; it defines a common set of data fields
and a common format for those fields in card-payment transactions.
Since at least 2018, a DPRK-nexus threat group has used malware that incorporates this
standard to perform large-scale fraudulent cash withdrawals against a small group of victims.
Public reporting refers to this technique – and the malware used to carry it out – as FASTCash.
Executive Summary
Since at least 2016, a DPRK-nexus threat group has conducted financially motivated intrusions against
companies within or associated with the banking sector. Traditionally, these attacks have involved
complicated, long-term workflows and have culminated in large SWIFT transactions to accounts held by the
threat group at other banks.
Since 2018 – and possibly as early as 2016 – this threat group has also conducted a novel type of attack
in which it injected malware into a bank’s payment switch, forcing it to approve …
IoC