FastCash 2.0

#FastCash2 • 2020-10

🇦🇷 Argentina, 🇧🇷 Brazil, 🇧🇩 Bangladesh, 🇧🇦 Bosnia and Herzegovina, 🇧🇬 Bulgaria, 🇨🇱 Chile, 🇨🇷 Costa Rica, 🇪🇨 Ecuador, 🇬🇭 Ghana, 🇮🇳 India, 🇮🇩 Indonesia, 🇯🇵 Japan, 🇯🇴 Jordan, 🇰🇪 Kenya, 🇰🇼 Kuwait, 🇲🇾 Malaysia, 🇲🇹 Malta, 🇲🇽 Mexico, 🇲🇿 Mozambique, 🇳🇵 Nepal, 🇳🇮 Nicaragua, 🇳🇬 Nigeria, 🇵🇰 Pakistan, 🇵🇦 Panama, 🇵🇪 Peru, 🇵🇭 Philippines, 🇸🇬 Singapore, 🇿🇦 South Africa, 🇰🇷 Korea, Republic of, 🇪🇸 Spain, 🇹🇼 Taiwan, 🇹🇿 Tanzania, United Republic of, 🇹🇬 Togo, 🇹🇷 Türkiye, 🇺🇬 Uganda, 🇺🇾 Uruguay, 🇻🇳 Viet Nam, 🇿🇲 Zambia

CISA, Treasury, FBI, and USCYBERCOM attributed FASTCash 2.0 ATM cash-out activity to North Korea's BeagleBoyz, a HIDDEN COBRA subset overlapping with Lazarus, APT38, Bluenoroff, and Stardust Chollima. The campaign targeted financial institutions and payment switch infrastructure, expanding from Unix-like switch servers to Windows-hosted switch applications and interbank payment processors while using spear-phishing, watering holes, public-facing exploitation, credential theft, lateral movement, destructive anti-forensics, proxy tunneling, and FASTCash-related malware.
