FASTCash and INJX_Pure: How Threat Actors Use Public Standards for Financial Fraud

Conference: BlackHat USA 2020



The presentation discusses the AIX malware and its various versions, as well as the importance of threat intelligence in the financial industry.
  • The AIX malware has two versions, with the second version serving as a bridge to the Windows version.
  • The Windows version has a response parent function that checks for specific data before generating a fraudulent response.
  • The malware changes the currency in the response to match the victim ATM's expected currency.
  • Threat intelligence is crucial in the financial industry to build an operational and strategic picture of attacks.
  • Good collection with peer financial institutions is necessary to gather rare data on attacks.

The speaker mentions an incident in South Korea where an anti-virus management tool was used to deploy malware to ATMs, resulting in cash being automatically dispensed. This highlights the type of attack that can occur and the importance of being prepared for such incidents.


The INJX_Pure and Lazarus FASTCash malware families are each built on publicly documented standards that enable their respective operating threat actors to perform financial "cash outs" at ATMs. While each of these malware families leverages a different standard to do this, they both demonstrate that their authors and operators possess strong programming abilities *and* a knowledge of the underlying mechanics of a financial card transaction. Unfortunately, for many defenders, this knowledge is fragmented: reverse engineers often possess granular knowledge of these tools' technical characteristics but only high-level knowledge of why these tools actually work. Likewise, financial analysts are likely to possess in-depth knowledge of the "cash out" mechanics of these tools but not a granular understanding of how they operate. This presentation seeks to bridge this gap for both parties. With a focus on ISO-8583 and eXtensions for Financial Services (XFS), this talk will offer analysts an opportunity to understand the underlying, publicly documented standards that allow these malware families to operate. Attendees will learn how knowledge of these standards provides invaluable information that can be used to build a preliminary intelligence snapshot regarding the adversaries' intrusions and tooling capabilities. In addition, the presentation will explore some of the operational advantages and disadvantages inherent in choosing to use this type of malware.