Cybersecurity researchers recently described a sophisticated scheme targeting bank-owned ATMs, including physical implants and previously undocumented evasion techniques, in attempts to facilitate fraudulent ATM withdrawals.
The researchers at Group-IB, a cybersecurity company,
Although the researchers did not disclose which banks were targeted or where they were located, the techniques described are applicable globally, especially against banks whose ATM infrastructure runs on Unix-based systems, and in particular those whose ATM switching servers run Oracle Solaris.
Physical access intrusions
Group-IB said the intrusions began with UNC2891 gaining physical access to bank networks by installing a Raspberry Pi, which is a small computer roughly the size of a stack of sticky notes, directly onto the same network switch as an ATM.
The researchers did not describe the precise location of the physical access point. It could have been a single ATM location, a regional server for multiple ATMs or a more centralized server connecting an ATM network to all its ATMs. Regardless, the placement effectively put the group deep within the bank's internal network.
The installed device included a 4G modem, which gave the threat actor remote access over mobile data. Without this modem, the threat actor would have had to route its traffic through the bank's own network, where it would have run into firewalls and monitoring systems.
Stealthy persistence and evasion
After establishing the initial foothold, UNC2891 used a backdoor based on Tinyshell, an open-source backdoor for Unix systems that gives the threat actor remote shell execution and file transfer on the compromised host.
This backdoor then allowed the threat actor to create a command-and-control channel through a Dynamic DNS domain. Dynamic DNS keeps a domain name (such as americanbanker.com or google.com) pointed at the correct IP address even when that address changes frequently, so the backdoor can always find its controller by name rather than by a fixed address.
This setup allowed the threat actor to continually access the ATM network while obscuring their activity and hiding the identity of the domain name owner. It also allowed for rapid IP changes to reduce disruptions if an IP was blocked.
Even after the Raspberry Pi was discovered and removed in one case, the attacker maintained internal access through a back door on a compromised mail server, according to Group-IB.
Investigators faced significant challenges detecting the threat actor's activities due to advanced anti-forensics techniques. UNC2891 masqueraded backdoor processes, naming files to appear legitimate and executing them with command-line arguments that mimicked legitimate system processes.
More critically, the attackers used Linux bind mounts to hide backdoor processes from conventional detection tools. A bind mount makes an existing directory appear at a second location in the filesystem. The attackers mounted another directory, a tmpfs in this case, over the backdoor's own entry under /proc, the virtual directory that tools such as ps read to list running processes, so that anyone listing processes saw the decoy directory instead of the backdoor's real details.
This technique had not been documented in public threat reports at the time. Group-IB discovered this novel tactic during its investigation of the ATM network intrusions.
The bind mount technique is now documented in the MITRE ATT&CK framework, a library of threat actor tactics and techniques, as
CAKETAP: The rootkit aiming for ATM fraud
The ultimate objective of UNC2891's campaign was to deploy Caketap, a kernel module rootkit targeting Oracle Solaris, on the ATM network switching server. A kernel module rootkit is malware loaded into the operating system's core, the kernel, which gives it control over every program on the system and lets it hide its own presence. Solaris is a proprietary Unix operating system from computer systems maker Oracle.
Group-IB's investigation found the group intended to deploy Caketap to manipulate communications with the bank's network, enabling the group to spoof authorization messages and facilitate fraudulent ATM cash withdrawals.
The investigators said the threat actor's campaign was disrupted before it could achieve this specific objective.
UNC2891 has engaged in this type of attack before, specifically using Caketap against ATM systems,
"Caketap was leveraged by UNC2891 as part of a larger operation to successfully use fraudulent bank cards to perform unauthorized cash withdrawals from ATM terminals at several banks," Mandiant said at the time
This variant of Caketap performed several functions, including altering outgoing messages to disable card verification and replaying PIN verification messages for fraudulent cards, effectively bypassing PIN verification.
Caketap is also designed to hide network connections, processes and files, making it difficult to detect.
UNC2891: A financially motivated and highly evasive threat actor
Mandiant described UNC2891 as a "financially motivated" threat actor that has conducted intrusions spanning "several years" while remaining "largely undetected."
The group demonstrates fluency and expertise in Unix and Linux environments, primarily targeting Oracle Solaris-based systems. They operate with a high degree of operational security, leveraging both public and private malware and utilities to remove evidence and hinder response efforts.
Beyond Caketap and Tinyshell, UNC2891 employs other tools such as:
- Slapstick: A backdoor inserted into the system's authentication module, used to harvest credentials and maintain persistent access.
- Steelhound and Steelcorgi: Trojan horses that live solely in a computer's memory (rather than in files on the computer's disk) and decrypt their embedded payloads using values passed in environment variables. They perform multiple functions, including deploying hacker tool kits used for reconnaissance, discovering network connections and wiping logs.
- Winghook and Wingcrack: A family of keylogger malware for Linux and Unix-based operating systems.
Recommendations for banks and credit unions
To detect and prevent similar attacks, Group-IB provides recommendations for financial institutions:
- Physically secure switch ports and ATM-connected infrastructure. This means ensuring that hackers cannot access the physical systems that provide network connectivity to ATMs.
- Monitor mount and umount syscalls, which UNC2891 used in its novel technique for hiding backdoor processes. This can be done with tools such as auditd or eBPF, which record security-relevant kernel events. Specifically, alert whenever anything, whether a tmpfs or an external filesystem, is mounted over a /proc/[pid] directory. Legitimate software has no reason to do this, so such an alert points directly at an attempt to hide a process.
- Block, or alert on, any binary executing from /tmp or from .snapd paths, the locations where the threat actor staged its malware. Legitimate programs are rarely launched from these locations, so these alerts catch attempts to run software from questionable sources.
- Capture memory images in addition to disk images during incident response to uncover hidden processes and anti-forensics techniques. In other words, don't just make copies of a point in time of the files stored on the disk; also make copies of a point in time of what is in the computer's temporary memory. This allows investigators to locate malware that solely lives in memory rather than on disk storage.
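The mount and execution checks above can be expressed as a small host-side script. What follows is an added example written for this page, not Group-IB's tooling or anything from the banks involved. It assumes a Linux host (the /proc/self/mountinfo format and auditd-style records); the mountinfo excerpt and audit records embedded in it are constructed sample input, the x86_64 syscall numbers (59 for execve, 322 for execveat) are real, and the extra scratch directories /var/tmp and /dev/shm are this example's own additions to the /tmp and .snapd paths named in the report.

```python
"""Host-side checks for two indicators from the recommendations above.

Added example, not Group-IB's or the banks' tooling. It assumes a Linux host
(for /proc/self/mountinfo and auditd-format logs); the sample inputs below are
constructed so that the checks run offline.
"""
import re
from dataclasses import dataclass

# Any mount point directly under /proc/<pid> (or beneath it) is an overlay on a
# process's own /proc entry, which is what the bind-mount hiding trick produces.
PROC_PID_MOUNT = re.compile(r"^/proc/(\d+)(?:/|$)")
# Scratch locations from which legitimate daemons do not normally execute
# (/tmp and .snapd come from the report; the others are this example's additions).
SUSPICIOUS_EXEC_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SUSPICIOUS_PATH_MARKERS = ("/.snapd/",)
# auditd records are space-separated key=value pairs; values may be quoted.
AUDIT_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed /proc/self/mountinfo excerpt. Field order: id parent major:minor
# root mountpoint options [optional fields] " - " fstype source superoptions.
SAMPLE_MOUNTINFO = """\
21 26 0:19 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
26 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
37 26 0:32 / /tmp rw,nosuid,nodev shared:20 - tmpfs tmpfs rw
112 21 0:32 /.snapd /proc/4417 rw,nosuid,nodev shared:20 - tmpfs tmpfs rw
113 21 8:1 /usr/lib/systemd /proc/9910 rw,relatime shared:1 - ext4 /dev/sda1 rw
"""

# Constructed auditd SYSCALL records (x86_64: syscall 59 = execve, 322 = execveat).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1690000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=4417 uid=0 comm="crond" exe="/tmp/.snapd/crond" key="exec_tmp"
type=SYSCALL msg=audit(1690000000.205:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1201 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="exec_all"
type=SYSCALL msg=audit(1690000000.310:203): arch=c000003e syscall=322 success=yes exit=0 ppid=4417 pid=9910 uid=0 comm="syslogd" exe="/var/tmp/syslogd" key="exec_tmp"
"""


@dataclass(frozen=True)
class ProcOverlay:
    pid: int
    mountpoint: str
    source_root: str
    fstype: str
    source: str


def _unescape(path):
    """mountinfo escapes space, tab, newline and backslash as octal \\0NN."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)


def parse_mountinfo(text):
    """Yield (mountpoint, root, fstype, source) for every well-formed line."""
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        pre_f, post_f = pre.split(), post.split()
        if not sep or len(pre_f) < 6 or len(post_f) < 2:
            continue  # malformed line: skip it rather than abort the scan
        yield _unescape(pre_f[4]), _unescape(pre_f[3]), post_f[0], post_f[1]


def find_proc_overlays(mountinfo_text):
    """Return every mount whose mount point sits on a /proc/<pid> entry."""
    hits = []
    for mountpoint, root, fstype, source in parse_mountinfo(mountinfo_text):
        m = PROC_PID_MOUNT.match(mountpoint)
        if m:
            hits.append(ProcOverlay(int(m.group(1)), mountpoint, root, fstype, source))
    return hits


def parse_audit_record(line):
    """Split one auditd record into a dict; strips quotes from quoted values."""
    fields = {}
    for key, val in AUDIT_FIELD.findall(line):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return fields


def find_suspicious_execs(audit_text):
    """Return (pid, exe) for execve/execveat records whose binary lives in a scratch path."""
    hits = []
    for line in audit_text.splitlines():
        rec = parse_audit_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        if rec.get("syscall") not in ("59", "322", "execve", "execveat"):
            continue
        exe = rec.get("exe", "")
        if exe.startswith(SUSPICIOUS_EXEC_DIRS) or any(
            marker in exe for marker in SUSPICIOUS_PATH_MARKERS
        ):
            hits.append((int(rec["pid"]), exe))
    return hits


def scan_live_host():
    """Run the mountinfo check against the real host (Linux only)."""
    with open("/proc/self/mountinfo", encoding="utf-8") as fh:
        return find_proc_overlays(fh.read())


if __name__ == "__main__":
    for o in find_proc_overlays(SAMPLE_MOUNTINFO):
        print(f"ALERT: /proc entry of pid {o.pid} overlaid by {o.fstype} ({o.source}:{o.source_root})")
    for pid, exe in find_suspicious_execs(SAMPLE_AUDIT):
        print(f"ALERT: pid {pid} executed from scratch path {exe}")
```

On a live host, the audit records would come from rules such as `-a always,exit -F arch=b64 -S mount -S umount2 -k mount_monitor` and `-w /tmp -p x -k exec_tmp` (standard auditctl syntax). The mount rule's target path lands in the accompanying PATH records, which this script does not parse; it inspects the resulting mount table instead, which is sufficient because a bind mount that hides a process from the host's own ps must live in the host's mount namespace and therefore shows up in /proc/self/mountinfo. A kernel rootkit such as Caketap can lie to userland about mounts and processes altogether, which is why the memory-image recommendation above still applies.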
The ability of threat actors to bypass traditional defenses with low-profile physical initial access also underscores the broader need for comprehensive security strategies that integrate physical, network and endpoint protection with advanced forensic capabilities — especially to protect ATM networks.