Keypoints
- Linux variant compiled for Ubuntu 20.04 (GCC 11.3.0), expanding FASTCash coverage beyond AIX and Windows.
- Implemented as a shared library (libMyFc.so) injected into processes via ptrace and hooking glibc’s recv to intercept traffic.
- Parses ISO8583 messages expecting a 2‑byte message length followed by a 5‑byte TPDU, using the Oscar‑ISO8583 library to unpack messages.
- Decrypts /tmp/info.dat (AES‑128‑CBC, key W7SLFSG4OPBJNAA8, IV GXCR7299I9MOWS97) to obtain a PAN allowlist and logs matches to /tmp/trans.dat.
- Validates MTI (1xx/2xx), checks DE22 for magnetic swipe, and processes DE3/DE4/DE11/DE49 before tampering.
- Generates fraudulent responses by setting DE54 to a random TRY amount (12000–30000), populating DE48 with “0387T”, removing 14 specific DEs, and sending the forged message with a 5‑byte TPDU header (first TPDU byte 0x06) via send.
- Partial UPX packing observed; detection on Linux is limited but ptrace-based injection should be detectable by EDR/agents if configured.
MITRE Techniques
- [T1055] Process Injection – Uses ptrace to inject and hook into a target process’s recv function (‘The malware uses the ptrace system call to inject itself into existing processes, allowing it to intercept transaction messages.’)
- [T1203] Data Manipulation – Modifies ISO8583 messages to authorize fraudulent withdrawals by altering amounts and response fields (‘The malware modifies transaction messages to authorize fraudulent withdrawals by generating random amounts and altering response codes.’)
- [T1003] Credential Dumping – Decrypts a configuration file containing PANs to match intercepted transactions (‘The malware decrypts a configuration file containing Personal Account Numbers (PANs) to validate against intercepted messages.’)
- [T1071] Command and Control – Sends modified/fraudulent transaction messages onward to the acquirer, maintaining communication via socket send calls (‘The malware sends modified transaction messages back to the acquirer, maintaining communication with the compromised payment switch.’)
Indicators of Compromise
- [File hash] FASTCash samples – f34b532117b3431387f11e3d92dc9ff417ec5dcee38a0175d39e323e5fdb1d2c, 7f3d046b2c5d8c008164408a24cac7e820467ff0dd9764e1d6ac4e70623a1071, and 10 more hashes.
- [File name] Configuration and logs – /tmp/info.dat (AES‑128‑CBC encrypted PAN list), /tmp/trans.dat (logged PAN, amount, currency).
- [Library/filename] Payload artifacts – libMyFc.so (Linux shared library), switch.dll (Windows sample).
- [Domain] Source/report – https://doubleagent.net/fastcash-for-linux/ (original technical writeup).
The malware is delivered as an ELF shared library intended to be injected into a running switch process using ptrace. On load, SoMain runs (via .init_array/constructor), initializes configuration by decrypting /tmp/info.dat using AES‑128‑CBC (key W7SLFSG4OPBJNAA8, IV GXCR7299I9MOWS97), and resolves glibc’s recv. If recv is found, the library installs a hook (via subhook) so it can intercept network reads from the process socket and maintain per‑transaction state.
The hooked recv implementation expects a 2‑byte length prefix followed by a 5‑byte TPDU; it reads the full ISO8583 PDU (offset +5 for TPDU) and unpacks it with the Oscar‑ISO8583 library. It filters messages by MTI (x100/x200), checks DE22 for magnetic swipe entry, matches DE2 (PAN) against the decrypted list, and verifies DE3/DE4/DE11/DE49 are present. Matching transactions are logged to /tmp/trans.dat for tracking.
When a target PAN is found and conditions match, the Hack routine forges a response: it flips the MTI to a response, generates a random TRY value (12000–30000), writes the fraudulent balance/amount into DE54 (formatted AA VV CCC X NNNN…), sets DE48 to “0387T”, clears or overwrites DE38/DE39 as needed, strips 14 specified data elements, assembles a header with a 2‑byte length and 5‑byte TPDU (first TPDU byte 0x06) and sends the spoofed packet via send to the acquirer. Detection controls should focus on ptrace/process injection telemetry, validation of message MACs (DE64), and ensuring issuer/acquirer message authentication and cryptogram checks to prevent this tampering.
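As an added defender-side example (not code from the report or from the malware), the following parses the framing described above and flags the traits the report attributes to the forged response: a TPDU starting with 0x06, a response MTI that carries DE48 and DE54, and a response with no MAC field. It assumes a big-endian length prefix covering TPDU plus PDU, an ASCII MTI and binary bitmaps; the page does not state these encodings, and the sample frames are constructed.

```python
TPDU_LEN = 5
FORGED_TPDU_FIRST_BYTE = 0x06    # first TPDU byte the report attributes to forged responses
FORGED_RESPONSE_DES = {48, 54}   # DEs the report says the forged response populates
MAC_DES = {64, 128}              # message authentication code fields

def _bits(bitmap: bytes, base: int) -> set:
    """DE numbers whose bit is set in an 8-byte bitmap (base 0 -> DE1..64, base 64 -> DE65..128)."""
    return {base + i + 1 for i in range(64) if bitmap[i // 8] & (0x80 >> (i % 8))}

def _bitmap(des: set, base: int) -> bytes:
    """Inverse of _bits: build an 8-byte bitmap for the DEs falling in one 64-bit window."""
    out = bytearray(8)
    for de in des:
        if base < de <= base + 64:
            out[(de - base - 1) // 8] |= 0x80 >> ((de - base - 1) % 8)
    return bytes(out)

def build_frame(tpdu: bytes, mti: str, des: set, body: bytes = b"") -> bytes:
    """Constructed test helper (assumption): 2-byte length covering TPDU + PDU, TPDU, ASCII MTI, bitmap(s)."""
    des = set(des) | ({1} if any(d > 64 for d in des) else set())  # bit 1 announces a secondary bitmap
    pdu = mti.encode("ascii") + _bitmap(des, 0)
    if 1 in des:
        pdu += _bitmap(des, 64)
    return (TPDU_LEN + len(pdu) + len(body)).to_bytes(2, "big") + tpdu + pdu + body

def parse_frame(buf: bytes) -> dict:
    """Parse one frame and list the forged-response traits it exhibits (empty list = nothing flagged)."""
    length = int.from_bytes(buf[:2], "big")
    payload = buf[2:2 + length]
    if len(buf) < 2 or len(payload) != length or length < TPDU_LEN + 4 + 8:
        raise ValueError("length prefix does not match payload")
    tpdu, pdu = payload[:TPDU_LEN], payload[TPDU_LEN:]
    mti = pdu[:4].decode("ascii")
    present = _bits(pdu[4:12], 0)
    if 1 in present and len(pdu) >= 20:
        present |= _bits(pdu[12:20], 64)
    flags = []
    is_response = mti[2] == "1"   # third MTI digit 1 = request response (e.g. 0110/0210)
    if tpdu[0] == FORGED_TPDU_FIRST_BYTE:
        flags.append("tpdu-first-byte-0x06")
    if is_response and FORGED_RESPONSE_DES <= present:
        flags.append("response-sets-DE48-and-DE54")
    if is_response and not (MAC_DES & present):
        flags.append("response-without-MAC")
    return {"tpdu": tpdu, "mti": mti, "present": present, "flags": flags}
```

Run it over frames reassembled from a capture of the switch-to-acquirer link; any flagged response is a candidate for MAC verification and host-side ptrace telemetry review.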
Read more: https://doubleagent.net/fastcash-for-linux/