FASTCash and INJX_Pure: How Threat Actors Use Public Standards for Financial Fraud

Presented at Black Hat USA 2020 Virtual, Aug. 5, 2020, 1:30 p.m. (40 minutes).

The INJX_Pure and Lazarus FASTCash malware families are each built on publicly documented standards that enable their respective operating threat actors to perform financial "cash outs" at ATMs. While each of these malware families leverages a different standard to do this, they both demonstrate that their authors and operators possess strong programming abilities *and* a knowledge of the underlying mechanics of a financial card transaction.

Unfortunately, for many defenders, this knowledge is fragmented: reverse engineers often possess granular knowledge of these tools' technical characteristics but only high-level knowledge of why these tools actually work. Likewise, financial analysts are likely to possess in-depth knowledge of the "cash out" mechanics of these tools but not a granular understanding of how they operate.

This presentation seeks to bridge this gap for both parties. With a focus on ISO-8583 and eXtensions for Financial Services (XFS), this talk will offer analysts an opportunity to understand the underlying, publicly documented standards that allow these malware families to operate. Attendees will learn how knowledge of these standards provides invaluable information that can be used to build a preliminary intelligence snapshot regarding the adversaries' intrusions and tooling capabilities. In addition, the presentation will explore some of the operational advantages and disadvantages inherent in choosing to use this type of malware.
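The abstract names ISO-8583 as the public standard an analyst needs to understand to interpret card-transaction traffic. The decoder below is an added example, not code from the talk or from either malware family: it parses the message type indicator (MTI), the primary (and, if flagged, secondary) bitmap, and a handful of commonly used data elements from an ASCII-encoded ISO-8583 message, then classifies an approved cash-withdrawal response. The field layouts follow the public ISO-8583 definitions; the `FIELD_SPEC` table covers only the fields needed here, and the sample message is constructed for this example. The function and variable names are this example's own.

```python
"""Minimal ASCII ISO-8583 decoder (added example; not the talk's code).

Parses MTI, bitmap(s), and a subset of data elements so an analyst can see
which fields a card-transaction message carries and how an authorization
response is structured. FIELD_SPEC covers only the fields used here; a real
host has a full, institution-specific field table.
"""

# field number -> (name, kind, length)
#   "fixed": exactly `length` characters
#   "llvar": 2-digit decimal length prefix, then up to `length` characters
FIELD_SPEC = {
    2: ("pan", "llvar", 19),
    3: ("processing_code", "fixed", 6),
    4: ("amount", "fixed", 12),
    7: ("transmission_datetime", "fixed", 10),
    11: ("stan", "fixed", 6),
    37: ("rrn", "fixed", 12),
    38: ("auth_code", "fixed", 6),
    39: ("response_code", "fixed", 2),
    41: ("terminal_id", "fixed", 8),
    42: ("merchant_id", "fixed", 15),
    49: ("currency_code", "fixed", 3),
}


def decode_bitmap(hex_bitmap: str) -> list:
    """Return the 1-based field numbers whose bit is set in a hex bitmap.

    Bit 1 is the most significant bit of the first byte; when set, a
    secondary bitmap (fields 65-128) follows the primary one.
    """
    bits = bin(int(hex_bitmap, 16))[2:].zfill(len(hex_bitmap) * 4)
    return [i + 1 for i, b in enumerate(bits) if b == "1"]


def parse_iso8583(msg: str) -> dict:
    """Decode an ASCII ISO-8583 message into MTI, present fields, and values."""
    mti = msg[:4]
    pos = 4
    fields = decode_bitmap(msg[pos:pos + 16])
    pos += 16
    if 1 in fields:  # secondary bitmap present
        secondary = decode_bitmap(msg[pos:pos + 16])
        pos += 16
        fields = [f for f in fields if f != 1] + [f + 64 for f in secondary]

    data = {}
    for f in fields:
        if f not in FIELD_SPEC:
            # Without a length for this field the remaining offsets are unknown.
            raise ValueError(f"field {f} present but not in FIELD_SPEC")
        name, kind, length = FIELD_SPEC[f]
        if kind == "llvar":
            n = int(msg[pos:pos + 2])
            pos += 2
            if n > length:
                raise ValueError(f"field {f} length {n} exceeds max {length}")
            value = msg[pos:pos + n]
            pos += n
        else:
            value = msg[pos:pos + length]
            pos += length
        data[name] = value
    if pos != len(msg):
        raise ValueError("trailing bytes after last declared field")
    return {"mti": mti, "fields_present": fields, "data": data}


def is_approved_cash_withdrawal(parsed: dict) -> bool:
    """True for a 0210 authorization response approving a cash withdrawal.

    MTI 0210 = authorization response; processing-code transaction type 01 =
    cash withdrawal; response code 00 = approved (public ISO-8583 values).
    """
    d = parsed["data"]
    return (parsed["mti"] == "0210"
            and d.get("processing_code", "")[:2] == "01"
            and d.get("response_code") == "00")


# Constructed sample: approved withdrawal response carrying fields
# 2, 3, 4, 7, 11, 37, 39, 41, 49 (bitmap 722000000A808000).
SAMPLE_RESPONSE = (
    "0210" + "722000000A808000"
    + "164111111111111111"   # field 2: LLVAR PAN (test number)
    + "010000"               # field 3: processing code, type 01 = withdrawal
    + "000000050000"         # field 4: amount, 500.00 in minor units
    + "0805133000"           # field 7: MMDDhhmmss
    + "000123"               # field 11: STAN
    + "022217000123"         # field 37: retrieval reference number
    + "00"                   # field 39: response code, approved
    + "ATM00001"             # field 41: terminal ID
    + "840"                  # field 49: currency code (USD)
)

if __name__ == "__main__":
    parsed = parse_iso8583(SAMPLE_RESPONSE)
    print(parsed["mti"], parsed["fields_present"])
    print(parsed["data"])
    print("approved cash withdrawal:", is_approved_cash_withdrawal(parsed))
```

Because the bitmap states which fields follow, a defender inspecting switch or host logs can check that a response's fields (amount, response code, STAN, RRN) line up with the request it answers; a response that cannot be matched to a request is the kind of inconsistency the talk's ISO-8583 discussion equips analysts to reason about.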

Presenters:

  • Kevin Perlow - Technical Intelligence Team Lead

    Kevin Perlow is the technical threat intelligence team lead at a private sector company in the financial industry. Prior to his current role, Kevin performed reverse engineering, threat hunting, and digital forensics services at a consulting company in support of commercial and government clients. Kevin's research over the past two years has focused on financial cybercrime, most notably including the Lazarus cash-out subgroup.
