Symantec researchers have uncovered several crucial details behind how the cybergang Lazarus, (AKA Hidden Cobra) has successfully conducted dozens of ATM hacks resulting in the machines literally spewing money out on the group’s command.

The FBI and DHS have issued warnings on FASTCash.

What was already known is that the bank robbers inject a malicious Advanced Interactive eXecutive (AIX) executable into a running, legitimate process on the switch application server of an ATM network. These servers are vulnerable and targeted because they are running outdated or unpatched versions of the AIX operating system. The malware is able to create a fraudulent ISO 8583 message, these are the standard for financial transaction messaging.

What is now being made public is the fact that the malicious executable is actually malware, named Trojan.Fastcash. The malware has two primary missions:

It monitors incoming messages and intercepts attacker-generated fraudulent transaction requests to prevent them from reaching the switch application that processes transactions.

It contains logic that generates one of three fraudulent responses to fraudulent transaction requests.

The FBI and DHS first issued warnings about Lazarus pulling off ATM attacks, dubbed FASTCash, in early October.

Trojan.Fastcash reads all incoming network traffic looking for ISO 8583 messages and the primary account number.

“If it finds any containing a PAN number used by the attackers where the Message Type Indicator (MTI) is “0x100 Authorization Request from Acquirer”, it will block the message from going any further. It will then transmit a fake response message approving fraudulent withdrawal requests. The result is that attempts to withdraw money via an ATM by the Lazarus attackers will be approved,” report stated.

Jon DiMaggio, a senior threat intelligence analyst at Symantec, explained this means Lazarus is using a legitimate bank account, usually one with a zero balance. Since the malware intercepts the transaction request for funds, there is no need for the account to have any money at the time of exposure, he said.

DiMaggio added there is a likely possibility, although unconfirmed, that Lazarus is using its access to the bank’s network create these empty accounts and then use these fraudulent bank account numbers to complete the theft. These newly created accounts and their associated account number are then passed along to the malware so it is ready to act when a withdrawal request comes through.

While quite a bit is known about how the attacks take place, there are still some points in the attack that need to be fleshed out.

“We have a bit of a blind spot on how the attacker is obtaining the legitimate PANs. However, we believe the attacker is likely using spear phishing emails to obtain initial access to the financial institutions. We also believe the attacker took the time to learn the victim’s environment to understand how the financial systems work,” he said.

Several versions of Trojan.Fastcash have been spotted each of which uses a different response logic. This could be to tune the malware to be effective against specific banks.