In a joint alert, which includes agencies like the FBI, DHS, and Treasury, US-CERT says they have identified malware and other indicators of compromise (IOCs) used by the North Korean government in an Automated Teller Machine (ATM) cash-out scheme.

Dubbed Hidden Cobra, the group behind the scheme uses malicious Windows executable applications, command-line utility applications, and other files to perform transactions and interact with financial systems, including the switch application server.

The US-CERT report states that the Hidden Cobra group likely used Windows-based malware to explore a bank’s network to identify the payment switch application server. According to a report in Hacker News, a switch applications server is "...an essential component of ATMs and Point-of-Sale infrastructures that communicates with the core banking system to validate user's bank account details for a requested transaction."

When a customer uses a card in an ATM or PoS machine, the system asks the bank’s switch application server to validate the transaction. Hidden Cobra compromises the switch application servers and validates the payment with a fake but legitimate-looking affirmative response. The ATM releases the money the user asked for.

US-CERT recommends banks make two-factor authentication mandatory before any user can access the switch application server and use best practices to protect their networks.