FASTCash and INJX_Pure: How Threat Actors Use Public Standards for Financial Fraud
2020-08-05 • Kevin Perlow
The FASTCash paper explains how a DPRK-nexus group abused ISO 8583 payment-switch messaging to force approval of fraudulent ATM withdrawals. The FASTCash malware is injected into a bank's payment-switch process and hooks its send and recv calls, so that authorization requests for attacker-controlled cards are answered with forged approval responses that the issuing host never sees, while every other transaction passes through unmodified. The analyzed AIX variants use whitelisting of card numbers and response-generation routines for withdrawals and balance inquiries, including randomized amounts and environment-specific ISO 8583 fields. A later Windows variant closely follows the AIX Type 2 logic but adds a working blacklist, additional request validation, support for private field 127, and a balance-response path denominated in Turkish lira.
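As an added illustration (not code from the paper, the presenter or the malware), the following Python models the interception logic described above against a simplified ISO 8583 layout: a minimal encoder/decoder, a hook that forges 0210 approvals for whitelisted PANs and passes every other message through untouched, and a reconciliation check a defender could run. The field layout, PANs, STANs, amounts and the whitelist are constructed for the example; real switches use institution-specific layouts, and the real malware patches send/recv in-process rather than calling a function.

```python
"""Added model of the FASTCash interception logic against ISO 8583 traffic.
Constructed example: the field layout, PANs, STANs and amounts are hypothetical,
and the hook is modelled as a plain function rather than a patched send/recv."""
import random

# Hypothetical subset of ISO 8583 fields. Real switches use institution-specific
# layouts (the paper notes environment-specific fields), so treat this as a model.
# kind: 'fixed' (exact length), 'llvar' (2-digit length prefix), 'lllvar' (3-digit).
FIELD_SPEC = {
    2: ("llvar", 19),     # PAN
    3: ("fixed", 6),      # processing code: 01xxxx withdrawal, 31xxxx balance inquiry
    4: ("fixed", 12),     # transaction amount in minor units
    11: ("fixed", 6),     # STAN (system trace audit number)
    39: ("fixed", 2),     # response code, "00" = approved
    54: ("lllvar", 120),  # additional amounts (balance returned on an inquiry)
}


def encode(mti: str, fields: dict) -> bytes:
    """Build an ASCII ISO 8583 message: MTI, 64-bit primary bitmap (hex), then fields."""
    bitmap, body = 0, ""
    for n in sorted(fields):
        kind, size = FIELD_SPEC[n]
        value = str(fields[n])
        if kind == "fixed":
            if len(value) != size:
                raise ValueError(f"field {n} must be {size} chars")
            body += value
        elif kind == "llvar":
            body += f"{len(value):02d}{value}"
        else:
            body += f"{len(value):03d}{value}"
        bitmap |= 1 << (64 - n)  # bit n of the bitmap flags field n (MSB is bit 1)
    return f"{mti}{bitmap:016X}{body}".encode("ascii")


def decode(raw: bytes):
    """Parse a message built by encode(); raises ValueError on anything not modelled."""
    text = raw.decode("ascii")
    if len(text) < 20:
        raise ValueError("too short for MTI + primary bitmap")
    mti, bitmap, pos = text[:4], int(text[4:20], 16), 20
    if bitmap & (1 << 63):
        raise ValueError("secondary bitmap not modelled")
    fields = {}
    for n in range(2, 65):
        if not bitmap & (1 << (64 - n)):
            continue
        if n not in FIELD_SPEC:
            raise ValueError(f"field {n} not modelled")
        kind, size = FIELD_SPEC[n]
        if kind == "fixed":
            length = size
        elif kind == "llvar":
            length, pos = int(text[pos:pos + 2]), pos + 2
        else:
            length, pos = int(text[pos:pos + 3]), pos + 3
        fields[n] = text[pos:pos + length]
        pos += length
    return mti, fields


def fastcash_hook(raw_request: bytes, whitelist: set, rng):
    """Model of the malware's hook on the switch's recv()/send() path.

    For a financial request (MTI 0200) on a whitelisted PAN it fabricates a 0210
    approval and returns it, so the issuing host never sees the request.
    Anything else returns None, meaning: hand the message on unchanged.
    """
    try:
        mti, f = decode(raw_request)
    except (ValueError, UnicodeDecodeError):
        return None
    if mti != "0200" or f.get(2) not in whitelist:
        return None
    resp = {2: f[2], 3: f.get(3, "000000"), 4: f.get(4, "0" * 12),
            11: f.get(11, "000000"), 39: "00"}
    if resp[3].startswith("31"):
        # Balance inquiry: report a randomized, plausible available balance.
        resp[54] = f"{rng.randint(100_000, 999_999):012d}"
    return encode("0210", resp)


def unbacked_approvals(switch_responses, issuer_stans):
    """Defensive reconciliation: approvals leaving the switch whose STAN the issuer
    host never processed. Forged responses are generated inside the switch process,
    so the issuer has no matching record. Real reconciliation should key on more
    than STAN (terminal ID, date, amount), since STANs repeat across terminals."""
    suspicious = []
    for raw in switch_responses:
        try:
            mti, f = decode(raw)
        except (ValueError, UnicodeDecodeError):
            continue
        if mti == "0210" and f.get(39) == "00" and f.get(11) not in issuer_stans:
            suspicious.append((f.get(2), f.get(11)))
    return suspicious


if __name__ == "__main__":
    whitelist = {"4000000000000002"}  # attacker-controlled card (constructed)
    rng = random.Random(7)
    legit = encode("0200", {2: "4111111111111111", 3: "010000", 4: "000000020000", 11: "000101"})
    cashout = encode("0200", {2: "4000000000000002", 3: "010000", 4: "000000500000", 11: "000102"})
    inquiry = encode("0200", {2: "4000000000000002", 3: "310000", 4: "000000000000", 11: "000103"})
    for req in (legit, cashout, inquiry):
        forged = fastcash_hook(req, whitelist, rng)
        print("pass-through" if forged is None else f"forged: {forged.decode()}")
```

The point of the pass-through branch is what makes the technique hard to spot from the switch itself: only whitelisted PANs are touched, so throughput, error rates and the vast majority of logs look normal. That is why the reconciliation check compares switch-side approvals against the issuer's own records rather than looking for anomalies in the switch alone.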