📃Title: FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks
📅Date: 2020-10-24
🔗References:

Description

This joint advisory is the result of analytic efforts among the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), the Federal Bureau of Investigation (FBI) and U.S. Cyber Command (USCYBERCOM). Working with U.S. government partners, CISA, Treasury, FBI, and USCYBERCOM identified malware and indicators of compromise (IOCs) used by the North Korean government in an automated teller machine (ATM) cash-out scheme—referred to by the U.S. Government as “FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks.”

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • target-information="Argentina"
  • target-information="Brazil"
  • target-information="Bangladesh"
  • target-information="Bosnia and Herzegovina"
  • target-information="Bulgaria"
  • target-information="Chile"
  • target-information="Costa Rica"
  • target-information="Ecuador"
  • target-information="Ghana"
  • target-information="India"
  • target-information="Indonesia"
  • target-information="Japan"
  • target-information="Jordan"
  • target-information="Kenya"
  • target-information="Kuwait"
  • target-information="Malaysia"
  • target-information="Malta"
  • target-information="Mexico"
  • target-information="Mozambique"
  • target-information="Nepal"
  • target-information="Nicaragua"
  • target-information="Nigeria"
  • target-information="Pakistan"
  • target-information="Panama"
  • target-information="Peru"
  • target-information="Philippines"
  • target-information="Singapore"
  • target-information="South Africa"
  • target-information="South Korea"
  • target-information="Spain"
  • target-information="Taiwan"
  • target-information="Togo"
  • target-information="Turkey"
  • target-information="Uganda"
  • target-information="Uruguay"
  • target-information="Vietnam"
  • target-information="Zambia"
  • producer="CISA"
  • malpedia="CHEESETRAY"
  • malpedia="ELECTRICFISH"
  • malpedia="FastCash"
  • malpedia="HOPLIGHT"
  • malpedia="NACHOCHEESE"
  • malpedia="PSLogger"
  • threat-actor="Lazarus-Group"
  • mitre-attack-pattern=['T1001', 'T1005', 'T1010', 'T1012', 'T1014', 'T1016', 'T1020', 'T1021', 'T1027', 'T1033', 'T1036', 'T1041', 'T1049', 'T1053', 'T1055', 'T1056', 'T1057', 'T1059', 'T1070', 'T1071', 'T1078', 'T1082', 'T1083', 'T1087', 'T1090', 'T1095', 'T1098', 'T1102', 'T1105', 'T1106', 'T1110', 'T1113', 'T1115', 'T1119', 'T1129', 'T1132', 'T1133', 'T1140', 'T1189', 'T1190', 'T1199', 'T1202', 'T1203', 'T1204', 'T1217', 'T1218', 'T1219', 'T1485', 'T1486', 'T1489', 'T1505', 'T1518', 'T1543', 'T1547', 'T1548', 'T1552', 'T1553', 'T1561', 'T1562', 'T1565', 'T1566', 'T1569', 'T1573', 'T1574']

MISP event uuid: e82626b8-e22b-43af-bb55-69b06800cc4a

Indicator of Compromise (IoCs)

type,value,comment
md5, d45931632ed9e11476325189ccb6b530, 'ECCENTRICBANDWAGON - HIDDEN COBRA backdoor, keylogger, reconnaissance, screen-capture, spyware, trojan'
md5, acd15f4393e96fe5eb920727dc083aed, 'ECCENTRICBANDWAGON - HIDDEN COBRA backdoor, keylogger, reconnaissance, screen-capture, spyware, trojan'
md5, 34404a3fb9804977c6ab86cb991fb130, 'ECCENTRICBANDWAGON - HIDDEN COBRA backdoor, keylogger, reconnaissance, screen-capture, spyware, trojan'
md5, 3122b0130f5135b6f76fca99609d5cbe, 'ECCENTRICBANDWAGON - HIDDEN COBRA backdoor, keylogger, reconnaissance, screen-capture, spyware, trojan'
md5, 8d9123cd2648020292b5c35edc9ae22e, 'ELECTRICFISH'
md5, 0ba6bb2ad05d86207b5303657e3f6874, 'ELECTRICFISH'
md5, 89081f2e14e9266de8c042629b764926, 'FASTCASH for Windows'
md5, a2b1a45a242cee03fab0bedb2e460587, 'FASTCASH for Windows'
md5, c4141ee8e9594511f528862519480d36, 'FASTCASH for Windows'
md5, 23e27e5482e3f55bf828dab885569033, 'HOPLIGHT'
md5, 34e56056e5741f33d823859e77235ed9, 'HOPLIGHT'
md5, 170a55f7c0448f1741e60b01dcec9cfb, 'HOPLIGHT'
md5, 868036e102df4ce414b0e6700825b319, 'HOPLIGHT'
md5, 07d2b057d2385a4cdf413e8d342305df, 'HOPLIGHT'
md5, 5c3898ac7670da30cf0b22075f3e8ed6, 'HOPLIGHT'
md5, 38fc56965dccd18f39f8a945f6ebc439, 'HOPLIGHT'
md5, 42682d4a78fe5c2eda988185a344637d, 'HOPLIGHT'
md5, c5dc53a540abe95e02008a04a0d56d6c, 'HOPLIGHT'
md5, 61e3571b8d9b2e9ccfadc3dde10fb6e1, 'HOPLIGHT'
md5, 3edce4d49a2f31b8ba9bad0b8ef54963, 'HOPLIGHT'
md5, 3021b9ef74c7bddf59656a035f94fd08, 'HOPLIGHT'
md5, 5c0c1b4c3b1cfd455ac05ace994aed4b, 'HOPLIGHT'
md5, 2ff1688fe866ec2871169197f9d46936, 'HOPLIGHT'
md5, 2a791769aa73ac757f210f8546125b57, 'HOPLIGHT'
md5, e4ed26d5e2a84cc5e48d285e4ea898c0, 'HOPLIGHT'
md5, f8d26f2b8dd2ac4889597e1f2fd1f248, 'HOPLIGHT'
md5, be588cd29b9dc6f8cfc4d0aa5e5c79aa, 'HOPLIGHT'
md5, d2da675a8adfef9d0c146154084fff62, 'HOPLIGHT'
md5, f315be41d9765d69ad60f0b4d29e4300, 'HOPLIGHT'
md5, 4e595db3b612e1e9da90a0ef7d740792, 'HOPLIGHT'
md5, dc268b166fe4c1d1c8595dccf857c476, 'HOPLIGHT'
md5, ae829f55db0198a0a36b227addcdeeff, 'HOPLIGHT'
md5, 894b81b907c23f927a3f38cfd30f32da, 'HOPLIGHT'
md5, c4103f122d27677c9db144cae1394a66, 'HOPLIGHT'
md5, 3dbd47cc12c2b7406726154e2e95a403, 'HOPLIGHT'
md5, 0893e206274cb98189d51a284c2a8c83, 'HOPLIGHT'
md5, 3c9e71400b72cc0213c9c3e4ab4df9df, 'VIVACIOUSGIFT'
md5, 889e320cf66520485e1a0475107d7419, 'VIVACIOUSGIFT'
md5, 97aaf130cfa251e5207ea74b2558293d, 'VIVACIOUSGIFT'
md5, 40e698f961eb796728a57ddf81f52b9a, 'VIVACIOUSGIFT'
md5, dfd09e91b7f86a984f8687ed6033af9d, 'VIVACIOUSGIFT'
md5, bda82f0d9e2cb7996d2eefdd1e5b41c4, 'VIVACIOUSGIFT'
md5, f2b9d1cb2c4b1cd11a8682755bcc52fa, 'CROWDEDFLOUNDER'
ip-dst, 112.175.92.57, 'HOPLIGHT C2'
ip-dst, 113.114.117.122, 'HOPLIGHT C2'
ip-dst, 117.239.241.2, 'HOPLIGHT C2'
ip-dst, 119.18.230.253, 'HOPLIGHT C2'
ip-dst, 128.200.115.228, 'HOPLIGHT C2'
ip-dst, 137.139.135.151, 'HOPLIGHT C2'
ip-dst, 14.140.116.172, 'HOPLIGHT C2'
ip-dst, 181.39.135.126, 'HOPLIGHT C2'
ip-dst, 186.169.2.237, 'HOPLIGHT C2'
ip-dst, 195.158.234.60, 'HOPLIGHT C2'
ip-dst, 197.211.212.59, 'HOPLIGHT C2'
ip-dst, 21.252.107.198, 'HOPLIGHT C2'
ip-dst, 210.137.6.37, 'HOPLIGHT C2'
ip-dst, 217.117.4.110, 'HOPLIGHT C2'
ip-dst, 218.255.24.226, 'HOPLIGHT C2'
ip-dst, 221.138.17.152, 'HOPLIGHT C2'
ip-dst, 26.165.218.44, 'HOPLIGHT C2'
ip-dst, 47.206.4.145, 'HOPLIGHT C2'
ip-dst, 70.224.36.194, 'HOPLIGHT C2'
ip-dst, 81.94.192.10, 'HOPLIGHT C2'
ip-dst, 81.94.192.147, 'HOPLIGHT C2'
ip-dst, 84.49.242.125, 'HOPLIGHT C2'
ip-dst, 97.90.44.200, 'HOPLIGHT C2'
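
The table above is in a loose "type,value,comment" CSV form (spaces after the separators, single-quoted comments), which is awkward to feed into a hunt directly. The following is an added example, not part of the advisory or of Rectifyq's MISP export: it parses a short excerpt of that table (rows copied from above), validates each indicator so that a corrupt row fails loudly instead of silently never matching, and then sweeps two pieces of constructed telemetry for hits. The proxy-log field names (`src=`, `dst=`, `dport=`, `host=`) and the EDR hash inventory are assumptions made for the example.

```python
"""Parse the IoC table above and sweep constructed telemetry for matches (added example)."""
import csv
import io
import ipaddress
import re

# Constructed excerpt of the page's IoC table, kept in its "type,value,comment" CSV shape.
IOC_CSV = """\
type,value,comment
md5, 89081f2e14e9266de8c042629b764926, 'FASTCASH for Windows'
md5, 8d9123cd2648020292b5c35edc9ae22e, 'ELECTRICFISH'
md5, f2b9d1cb2c4b1cd11a8682755bcc52fa, 'CROWDEDFLOUNDER'
ip-dst, 112.175.92.57, 'HOPLIGHT C2'
ip-dst, 26.165.218.44, 'HOPLIGHT C2'
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_ioc_csv(text):
    """Return {"md5": {hash: comment}, "ip-dst": {ip: comment}} from the loose CSV.

    Values are normalised (surrounding whitespace and quotes stripped, hashes lower-cased)
    and validated; a malformed hash, a non-IP value or an unknown type raises ValueError.
    """
    iocs = {"md5": {}, "ip-dst": {}}
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        kind = row["type"].strip()
        value = row["value"].strip()
        comment = row["comment"].strip().strip("'\"")
        if kind == "md5":
            value = value.lower()
            if not MD5_RE.match(value):
                raise ValueError(f"line {lineno}: malformed MD5 {value!r}")
        elif kind == "ip-dst":
            ipaddress.ip_address(value)  # raises ValueError on junk such as '1.2.3'
        else:
            raise ValueError(f"line {lineno}: unsupported indicator type {kind!r}")
        iocs[kind][value] = comment
    return iocs


# Constructed proxy log lines; the key=value field names are an assumption for this example.
PROXY_LOG = """\
2020-10-24T09:12:01Z src=10.20.5.17 dst=151.101.1.69 dport=443 host=example.org
2020-10-24T09:12:07Z src=10.20.5.17 dst=112.175.92.57 dport=443 host=-
2020-10-24T09:13:55Z src=10.20.7.3 dst=26.165.218.44 dport=8080 host=-
"""

# Constructed EDR file inventory: (hostname, path, MD5 as reported by the agent).
FILE_HASHES = [
    ("atm-sw-01", r"C:\Windows\Temp\svchost.exe", "89081F2E14E9266DE8C042629B764926"),
    ("atm-sw-01", r"C:\Windows\System32\notepad.exe", "0d3a1f0c1b9d5c0f7f7e7c6d8c9a0b1c"),
    ("payment-gw-02", r"C:\ProgramData\update.exe", "f2b9d1cb2c4b1cd11a8682755bcc52fa"),
]

DST_RE = re.compile(r"\bdst=(\S+)")


def sweep_proxy_log(iocs, log_text):
    """Return (timestamp, destination IP, comment) for each connection to a listed ip-dst."""
    hits = []
    for line in log_text.splitlines():
        match = DST_RE.search(line)
        if not match:
            continue
        dst = match.group(1)
        if dst in iocs["ip-dst"]:
            hits.append((line.split()[0], dst, iocs["ip-dst"][dst]))
    return hits


def sweep_file_hashes(iocs, records):
    """Return (host, path, comment) for each file whose MD5 is a listed indicator.

    Hashes are compared case-insensitively because EDR exports differ in case.
    """
    return [
        (host, path, iocs["md5"][digest.lower()])
        for host, path, digest in records
        if digest.lower() in iocs["md5"]
    ]


if __name__ == "__main__":
    indicators = parse_ioc_csv(IOC_CSV)
    for hit in sweep_proxy_log(indicators, PROXY_LOG):
        print("C2 contact:", *hit)
    for hit in sweep_file_hashes(indicators, FILE_HASHES):
        print("malware hash:", *hit)
```

Treat a hash hit as high-confidence and an IP hit as a lead to triage rather than proof: file hashes are trivially changed by the operator between intrusions, and C2 infrastructure is recycled, so a destination in this list should be checked against current ownership and the host's behaviour before blocking or escalating. Validating the feed on ingest matters for the same reason; an indicator that was mangled in copy-paste (as the ECCENTRICBANDWAGON comments above were) would otherwise sit in a blocklist and match nothing.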

Full IOCs available in Rectifyq’s MISP