How FASTCash Exploits Payment Systems for Unauthorized Withdrawals
The Linux variant infects the payment switch servers of financial institutions, the systems that route transactions between ATMs, PoS terminals, and the bank's core systems. The malware manipulates ISO 8583 messages, the format used to process debit and credit card transactions, replacing "declined" responses for insufficient funds with "approved," thereby enabling fraudulent withdrawals.
[Figure: FASTCash operational overview. Source: doubleagent.net]
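A reconciliation check of the kind a switch operator could run, added here as an example; it is not code from the original article or from any FASTCash sample. It compares the response code (ISO 8583 data element 39) recorded on the issuer side with the code that actually left the switch and flags any transaction the issuer declined but the switch forwarded as approved, which is exactly the manipulation described above. The pipe-delimited log layout and field names are assumptions constructed for this example.

```python
# Constructed sample records: the issuer-side authorization log and the
# switch's egress log for the same transactions, keyed by STAN (DE 11,
# system trace audit number). The layout and field names are assumptions
# for this example, not a real switch's log format.
ISSUER_LOG = """\
stan|pan_last4|amount|de39
000101|1234|100.00|00
000102|5678|5000.00|51
000103|9012|250.00|51
000104|3456|40.00|00
"""

EGRESS_LOG = """\
stan|pan_last4|amount|de39
000101|1234|100.00|00
000102|5678|5000.00|00
000103|9012|250.00|51
000104|3456|40.00|00
"""

APPROVED = "00"
# Standard ISO 8583 DE 39 decline codes relevant to cash-out detection.
DECLINE_CODES = {"51": "insufficient funds", "05": "do not honor"}


def parse_log(text):
    """Parse a pipe-delimited log into {stan: {field: value}}."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("|")
    rows = (dict(zip(header, line.split("|"))) for line in lines[1:])
    return {row["stan"]: row for row in rows}


def find_flipped_responses(issuer_text, egress_text):
    """Return transactions the issuer declined (DE 39 != 00) whose egress
    message nevertheless carries 00, i.e. a response flipped in transit."""
    issuer = parse_log(issuer_text)
    egress = parse_log(egress_text)
    flipped = []
    for stan, issuer_row in issuer.items():
        egress_row = egress.get(stan)
        if egress_row is None:
            continue  # a missing egress record is a separate alert condition
        if issuer_row["de39"] != APPROVED and egress_row["de39"] == APPROVED:
            flipped.append({
                "stan": stan,
                "amount": issuer_row["amount"],
                "issuer_de39": issuer_row["de39"],
                "reason": DECLINE_CODES.get(issuer_row["de39"], "declined"),
            })
    return flipped
```

In the sample data only STAN 000102 is flagged: the issuer returned 51 (insufficient funds) for a 5000.00 withdrawal, but the switch emitted 00.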
Evasion and Detection Challenges
The new Linux variant, first submitted to VirusTotal in June 2023, had zero detections, highlighting its ability to evade traditional security tools. This allowed attackers to bypass financial safeguards and execute cashouts undetected, leveraging mules to withdraw large sums from ATMs. The Windows variant was updated in September 2024, showing the hackers’ ongoing efforts to evolve their malware.