A financially motivated threat group tracked as UNC2891 mounted a sophisticated attack on banking infrastructure by physically installing a 4G-equipped Raspberry Pi device directly into an ATM network, security researchers from Group-IB revealed this week.
The campaign is a rare instance of cybercriminals combining physical access with advanced anti-forensics techniques to target critical financial systems.
The attack, which was ultimately thwarted before completion, showed how threat actors are evolving beyond traditional digital intrusion methods to exploit physical weaknesses in banking networks.
Key Takeaways
1. Hackers used a Raspberry Pi with 4G to breach ATM networks, bypassing perimeter defenses.
2. They hid malware using an advanced Linux technique and disguised it as legitimate processes.
3. Standard forensic tools failed; only deep memory and network analysis uncovered the attack.
4. Banks must safeguard both physical and digital assets and employ advanced forensic techniques.
Investigators found the Raspberry Pi connected directly to the same network switch as an ATM, effectively placing the device inside the bank’s internal network perimeter.
Physical Backdoor Establishes Persistent Access
The attackers fitted the Raspberry Pi with a 4G modem, enabling remote command-and-control over mobile data connections that completely bypassed traditional perimeter firewalls and network defenses.
Using a custom backdoor known as TINYSHELL, the device established outbound communication channels via Dynamic DNS domains, giving the attackers continuous external access to the compromised network.
“This device was connected directly to the same network switch as the ATM, effectively placing it inside the bank’s internal network,” Group-IB researchers noted in their analysis. The setup let the attackers maintain persistent access while avoiding detection by conventional network monitoring systems.
Perhaps most significantly, the investigation revealed UNC2891’s use of a previously undocumented anti-forensics technique that uses Linux bind mounts to hide malicious processes from detection tools.
The technique has since been formally recognized by MITRE and cataloged in the ATT&CK framework as T1564.013 (Hide Artifacts: Bind Mounts).
The attackers deployed backdoors masquerading as legitimate system processes named “lightdm,” mimicking the standard LightDM display manager found on Linux systems.
However, these malicious binaries were located in unusual directories, including /tmp/lightdm and /var/snap/.snapd/lightdm, with command-line arguments crafted to look legitimate.
Standard forensic triage tools failed to detect these processes because the threat actors used bind mounts to overlay the malicious process directories with benign ones, effectively rendering the backdoors invisible to conventional analysis methods.
The ultimate objective of UNC2891’s campaign was to deploy CAKETAP, a sophisticated rootkit designed to manipulate Hardware Security Module (HSM) responses and facilitate fraudulent ATM cash withdrawals.
The malware was engineered to intercept card and PIN verification messages, enabling unauthorized transactions while maintaining the appearance of normal operations.
The attack highlighted critical gaps in traditional forensic approaches. Initial triage failed to reveal the backdoors because they were hidden during system idle states; memory forensics and continuous network monitoring were required to uncover the malicious activity.
Security experts now recommend several defensive measures: monitoring mount and umount system calls with tools such as auditd or eBPF, alerting on unusual /proc/[pid] mounts, blocking execution from temporary directories, securing physical network infrastructure, and incorporating memory analysis into incident response procedures.
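The two host-side checks recommended above (alerting on unusual /proc/[pid] mounts, and flagging the disguised "lightdm" binaries running from directories such as /tmp) can both be driven from data the kernel already exposes. The following script is an added example written for this article; it is not Group-IB's tooling or any vendor's product. It parses the /proc/self/mountinfo format described in proc(5) and flags any mount whose mount point sits under a numeric /proc/<pid> directory, which is exactly the footprint a bind mount used to overlay a process's directory leaves behind. It then applies two path-based rules to a process snapshot. The mountinfo text, the process table, the service-name list and the directory lists are all constructed sample data, not values from the incident.

```python
import re
import sys
from dataclasses import dataclass

# Constructed sample of /proc/self/mountinfo lines (proc(5) layout):
#   id parent major:minor root mount_point options [optional...] - fstype source superopts
# Line 3 models a bind mount of one process directory (/proc/1234) over another (/proc/4242).
# Line 4 is a legitimate mount under /proc that must NOT be flagged.
SAMPLE_MOUNTINFO = """\
24 30 0:22 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
30 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
31 24 0:22 /1234 /proc/4242 rw,nosuid,nodev,noexec,relatime - proc proc rw
28 24 0:28 / /proc/sys/fs/binfmt_misc rw,relatime - autofs systemd-1 rw
"""

# Constructed process snapshot standing in for /proc/<pid>/comm and readlink(/proc/<pid>/exe).
SAMPLE_PROCS = {
    1: ("systemd", "/usr/lib/systemd/systemd"),
    812: ("lightdm", "/usr/sbin/lightdm"),            # genuine display manager
    4242: ("lightdm", "/tmp/lightdm"),                 # path named in the article
    4300: ("lightdm", "/var/snap/.snapd/lightdm"),     # path named in the article
}

# Constructed allowlists; tune to the build in use.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SYSTEM_BIN_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/")
KNOWN_SERVICE_NAMES = {"lightdm", "gdm", "sddm", "sshd"}

PROC_PID_RE = re.compile(r"^/proc/\d+(?:/|$)")


@dataclass
class Mount:
    mount_id: int
    parent_id: int
    root: str          # path inside the source filesystem that is mounted here
    mount_point: str
    fstype: str
    source: str


def _unescape(path: str) -> str:
    # mountinfo encodes space, tab, newline and backslash as octal escapes (\040 etc.).
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)


def parse_mountinfo(text: str) -> list[Mount]:
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Optional fields are terminated by a lone "-" separator.
        pre, _, post = line.partition(" - ")
        p, q = pre.split(), post.split()
        mounts.append(Mount(int(p[0]), int(p[1]), _unescape(p[3]),
                            _unescape(p[4]), q[0], q[1]))
    return mounts


def find_proc_pid_mounts(mounts: list[Mount]) -> list[str]:
    """Mount points under a numeric /proc/<pid> directory; nothing legitimate mounts there."""
    return [m.mount_point for m in mounts if PROC_PID_RE.match(m.mount_point)]


def suspicious_processes(procs: dict[int, tuple[str, str]]) -> list[tuple[int, str]]:
    """Flag executables in temp directories, and known service names running from non-system paths."""
    findings = []
    for pid, (comm, exe) in procs.items():
        if exe.startswith(TEMP_DIRS):
            findings.append((pid, f"{comm} executing from temporary directory {exe}"))
        elif comm in KNOWN_SERVICE_NAMES and not exe.startswith(SYSTEM_BIN_DIRS):
            findings.append((pid, f"service name {comm} running from non-system path {exe}"))
    return findings


if __name__ == "__main__":
    # Run against the constructed samples; on a Linux host pass "live" to read the real mount table.
    text = SAMPLE_MOUNTINFO
    if len(sys.argv) > 1 and sys.argv[1] == "live":
        with open("/proc/self/mountinfo") as f:
            text = f.read()
    for mp in find_proc_pid_mounts(parse_mountinfo(text)):
        print(f"ALERT: bind/overlay mount on process directory {mp}")
    for pid, why in suspicious_processes(SAMPLE_PROCS):
        print(f"ALERT: pid {pid}: {why}")
```

The mountinfo check is the cheap, point-in-time complement to the auditd or eBPF syscall monitoring the article recommends: the syscall trace catches the mount as it happens, while the mount table shows whether one is currently in place even if the trace was not running at the time. Note that the second rule relies on the service-name allowlist being accurate for the host image, so it is a triage hint rather than a verdict.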