Days Ago FastCash existed: Reversing FastCash
FastCash is a banking trojan; triage of it leads to cryptocurrency fraud claimed by Unit180, allegedly a cyber-criminal group from the DPRK.
Static and Dynamic Analysis
The most basic function you meet when reverse engineering a Windows binary is WinMain(). In the FastCash WinMain(), these are the functions we will look at today:
modify_privileges(), scramble_up_data(), callr_of_callr_of_unpack_payld_thd_ops_decrypt_smthg_callr(), rtrn_FILE_processor_INTEL_dir(), snapshot_and_error_creator().
First, the privileges of the infected system are modified, and then pszPATH is set to 0. Next, the data on the system is scrambled by the function "scramble_up_data". An if statement then checks pszPATH with PathFileExistsA; until that check is satisfied, "DLL not found" is printed. After that, the return value of "callr_of_callr_of_unpack_payld_thd_ops_decrypt_smthg_callr" is stored in v8. v8 is then compared for inequality with "dword_40EEE8": if the comparison holds, the first branch executes "rtrn_FILE_processor_INTEL_dir"; otherwise a second if check runs and, if it is satisfied, executes "snapshot_and_error_creator". Finally, null is returned.
In modify_privileges(), the variables "result", a HANDLE named "v0", and "TokenHandle" are declared, together with the structures "Luid" and "NewState". v0 is then assigned GetCurrentProcess(). An if check follows: if OpenProcessToken does not return the access token, null is returned. A second if check compares against the value of the "local unique identifier" (LUID); when that condition is satisfied, CloseHandle() closes the handle and null is returned. After that, the Privileges and PrivilegeCount fields of NewState are assigned, AdjustTokenPrivileges() is used to disable all the privileges, the handle is closed with CloseHandle(), and the outcome is assigned to result; if that does not happen, result is assigned zero. Finally, result is returned.
In scramble_up_data(), the data on the system is scrambled; the function uses many control-flow and conditional statements to do so.
The callr_of_callr_of_unpack_payld_thd_ops_decrypt_smthg_callr() function unpacks the payload, carries out thread operations, and finally decrypts something.
In this function, process injection takes place, and the payload is written into memory as a process.
In snapshot_and_error_creator(), a snapshot of the different processes is taken; their process modules and handles are fetched, and the last error is also fetched with "GetLastError".
Breakpoints are set in IDA at all the reversed functions mentioned in the static analysis.
When FastCash is executed under the debugger, it hits the first breakpoint at "modify_privileges", the first function called from WinMain().
While tracing modify_privileges(), the debugger lands at the offset "aParameterInput" instead of the "modify_privileges" function, and it executes the instructions without ever entering the function. Since the breakpoints we set are not reached, we conclude that this piece of malware employs anti-debugging techniques.
From WinMain() the debugger jumps to the "_tmainCRTStartup()" function, which mainly fetches the startup information of the system; this is done mainly to maintain persistence across the system, for persistence triage.
Indicators of Compromise (IOCs) and Detections
Network [C2 Communications]
40[.]90[.]23[.]247 and 2[.]57[.]89[.]199
MITRE ATT&CK Techniques
T1106, T1129, T1204, T1500, T1130, T1112, T1057, T1012.
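As an added example (not part of the original writeup), the following Python refangs the two C2 addresses listed above and checks firewall log lines for connections to them, so the indicators can be hunted for in a SOC. The log format, hostnames and sample lines are constructed assumptions.

```python
import re
from ipaddress import ip_address

# C2 addresses exactly as listed on this page, in defanged form.
DEFANGED_C2 = ["40[.]90[.]23[.]247", "2[.]57[.]89[.]199"]

def refang(indicator: str) -> str:
    """Turn a defanged IP such as 40[.]90[.]23[.]247 back into 40.90.23.247."""
    refanged = indicator.replace("[.]", ".").replace("(.)", ".").strip()
    ip_address(refanged)  # raises ValueError if the result is not a valid IP
    return refanged

def defang(ip: str) -> str:
    """Defang an IP again before pasting it into a report."""
    return ip.replace(".", "[.]")

# Constructed sample firewall log lines (not from the page). The last line
# contains a look-alike address (140.90.23.247) that must NOT be matched.
SAMPLE_LOGS = [
    "2021-03-02T10:14:22Z host=ATM-01 src=10.20.0.15 dst=40.90.23.247 dport=443 action=allow",
    "2021-03-02T10:14:23Z host=ATM-01 src=10.20.0.15 dst=8.8.8.8 dport=53 action=allow",
    "2021-03-02T10:16:40Z host=SWITCH-02 src=10.20.0.31 dst=2.57.89.199 dport=8080 action=allow",
    "2021-03-02T10:17:01Z host=ATM-01 src=10.20.0.15 dst=140.90.23.247 dport=443 action=allow",
]

# Whole dotted quads only: the look-arounds stop a match inside a longer address.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def find_c2_hits(log_lines, defanged_iocs=DEFANGED_C2):
    """Return (line_no, host, c2_ip) for every log line that contacts a listed C2 address."""
    watch = {refang(i) for i in defanged_iocs}
    hits = []
    for n, line in enumerate(log_lines, start=1):
        host_match = re.search(r"host=(\S+)", line)
        host = host_match.group(1) if host_match else "?"
        for ip in IPV4.findall(line):
            if ip in watch:
                hits.append((n, host, ip))
    return hits

if __name__ == "__main__":
    for n, host, ip in find_c2_hits(SAMPLE_LOGS):
        print(f"line {n}: {host} contacted C2 {defang(ip)}")
```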
Sample from Report
Code-signing certificate chain: ORDARA LTD, Symantec Class 3 Extended Validation Code Signing CA - G2, VeriSign Class 3 Public Primary Certification Authority - G5 (VeriSign).
Timestamp certificate chain: DigiCert Timestamp Responder, DigiCert Assured ID CA-1 (DigiCert).
Mapping Network Traffic via Wire:
Related reading:
North Korean Malicious Cyber Activity: FASTCash (CISA, Department of the Treasury and partners)
FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks | CISA
FASTCash: How the Lazarus Group is Emptying Millions from ATMs
US government publishes details on North Korea's HOPLIGHT malware | ZDNet