FASTCash 2.0: U.S. Alerts North Korean Hackers Robbing Banks Around the World

North Korean hackers with the names of “BeagleBoyz” are robbing banks across the globe to obtain false money instructions and to make the ATMs to eject cash via remote internet access

CISA infrastructure security agency and the U.S. cybersecurity firm, along with the Department of the Treasury, the FBI, and the U.S. Cyber Command (USCYBERCOM), made a joint analytical effort on a cyber threat, regarding North Korean hackers robbing banks around the world.

The threat actors have been using the so-called spear-phishing attacks in which they use false email to attack a computer network. They also induce the victim directly to disclose a password or other data, and all other social engineering schemes.

Researchers believes that this group is linked with several other hacking groups like Lazarus, Advanced Persistent Threat 38 (APT38), Bluenoroff, and Stardust Chollima.

They carried out false abuse of endangered bank-operated SWIFT system endpoints since 2015, and profitable cryptocurrency thefts. The bank robberies by the BeagleBoyz were acting as a severe operational risk for specific firms beyond reputational infliction and further financial loss from fraud and also from the recovery costs.

The BeagleBoyz also utilizes inadvertent banks, which include banks in the United States, for their SWIFT fraud scheme. It’s not clear, but according to the reports, the BeagleBoyz stole $81 million from the Bank of Bangladesh in 2016.

BeagleBoyz Activities

The team BeagleBoyz has been targeting attacks since 2014, said the reconnaissance General Bureau of North Korea. The BeagleBoyz administers well-planned, disciplined, and systematic cyber actions more related to accurate surveillance activities. Their all ill-disposed cyber operations have profited nearly hundreds of millions of U.S. dollars. And these are likely a major cause of funding for the North Korean administration.

This group always prefers a calculated approach, that allows them to clarify their methods, systems, and styles while circumventing detection. As time passes, all operations frequently become complicated and evil. They use the same tools that are complex, which manifest a sharp focus on effectiveness and operational security.

FASTCash

North Korea’s BeagleBoyz are accountable for all the complicated cyber-enabled ATM cash-out campaigns, and it was recognized openly as “FASTCash” in October 2018. The BeagleBoyz has executed the FASTCash scheme by attacking banks’ retail payment system infrastructure from the year 2016.

Moreover, the BeagleBoyz has made two main development in the campaign, and they are:- 

• The ability to administer the FASTCash scheme against banks by hosting their switch applications on Windows servers.
• An extension of the FASTCash campaign to attack interbank payment processors.

The BeagleBoyz attacked the switch applications at different banks with FASTCash malware but, now, they have attacked at least two local interbank payment processors. This implies the BeagleBoyz are investigating the upstream possibilities in the payment system.

Cryptocurrency Theft

Apart from this, they are not only focusing on ATM fraud, as they also execute cryptocurrency theft to steal massive amounts of cryptocurrency, which has a value of nearly millions of dollars per incident.

As per the advisory, the cryptocurrency grants the BeagleBoyz an immutable method of theft that can be later transformed into Money. The constant nature of cryptocurrency transfers does not provide for claw-back mechanisms.

Targeted Nations

The BeagleBoyz group have probably targeted the financial organizations in the subsequent nations from the year 2015 to 2020, and here are the countries:- 

• Argentina
• Brazil
• Bangladesh
• Bosnia and Herzegovina
• Bulgaria
• Chile
• Costa Rica
• Ecuador
• Ghana
• India
• Indonesia
• Japan
• Jordan
• Kenya
• Kuwait
• Malaysia
• Malta
• Mexico
• Mozambique
• Nepal
• Nicaragua
• Nigeria
• Pakistan
• Panama
• Peru
• Philippines
• Singapore
• South Korea
• South Africa
• Spain
• Taiwan
• Tanzania
• Togo
• Turkey
• Uganda
• Uruguay
• Vietnam
• Zambia

Bank Heist

The BeagleBoyz has always targeted financial organizations with ill-disposed cyber operations, and points to the details of end-to-end actions, which implies that their main targets are financial organizations.

Publicly Available Malicious Files Used by BeagleBoyz

The malicious files that are publicly available and used by the BeagleBoyz:-

• MD5: b484b0dff093f358897486b58266d069
• MD5: f34b72471a205c4eee5221ab9a349c55
• MD5: 4c26b2d0e5cd3bfe0a3d07c4b85909a4
• MD5: 52ec074d8cb8243976963674dd40ffe7
• MD5: d1d779314250fab284fd348888c2f955
• MD5: 41fd85ff44107e4604db2f00e911a766
• MD5: cf733e719e9677ebfbc84a3ab08dd0dc
• MD5: 01d397df2a1cf1d4c8e3615b7064856c

BeagleBoyz uses several kinds of techniques to obtain access to the financial organization’s network. They learned the topology to identify the key systems and monetize their path, and here are the methods used:-

• Malicious attachment is sent via email to a specific individual, company, or industry.
• In specific communities, industries, or regions, they compromise a website visited by the users.
• Find and exploit bugs in the computer systems connected to the internet.
• To bypass the access controls and gain administrative privileges, they steal the credentials.
• To exploit the trusted relationship, they target the organizations that have access to the victim’s organization.
• For inial access and remain active on the victim’s network, they use remote services.

Malicious Activities

The credential that are used by the team BeagleByz to get access to the network are mentioned below:-

• Obtain user input, like the keylogging, to get access to the credentials for legitimate accounts and data accumulation.
• Save account login and password data.
• Collect all the private keys from negotiated systems.
• Manage default, domain, local, and cloud records.
• Misapplication hooking to load and perform the ill-disposed code.
• Use brute force methods to try the account path when passwords are anonymous, or hashes are unavailable.

Impact

The BeagleBoyz has strongly monetized unauthorized access to financial organizations’ SWIFT terminals to allow wire fraud and obtain access to the organizations’ payment switch application servers, which enabled the fraudulent ATM cashouts. 

Here are the methods used to manage the business and operational plans for financial or destructive purposes:-

• Debased or wipe data storage, data structures, and Master Boot Records (MBR) to discontinue the network availability, services, and resources.
• Encrypt data on the victim’s systems and keep access to the decryption key until a price is paid.
• In the end, disable or execute services that are unavailable on a system to destroy the incident response.
• Enter, delete, or alter data at rest, in transition, or in use to manage outcomes, hide movement, and affect the business method.

Mitigations

The mitigations that are provided by the U.S. government are mentioned below:-

• Communicate with law enforcement, CISA, or Treasury directly to report any activity linked with BeagleBoyz.
• Keep an up-to-date antivirus and operating system.
• Disable file and printer sharing services
• Limit users’ ability to install and run undesired applications.
• Use a strong password.
• Allow a personal firewall on agency workstations.
• Monitor users’ web browsing practices.
• Practice caution while using removable media.

Security experts are working together and continually looking for possibilities to handle and limit harm from these types of cyber threats. Moreover, the U.S. Army prior suspected that North Korea controls as many as 6,000 qualified hackers, and there are many those based in other countries like China and India.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.