The financially motivated threat actor known as UNC2891 has been observed targeting Automatic Teller Machine (ATM) infrastructure using a 4G-equipped Raspberry Pi as part of a covert attack.
The cyber-physical attack involved the adversary leveraging their physical access to install the Raspberry Pi device and have it connected directly to the same network switch as the ATM, effectively placing it within the target bank’s network, Group-IB said. It’s currently not known how this access was obtained.
“The Raspberry Pi was equipped with a 4G modem, allowing remote access over mobile data,” security researcher Nam Le Phuong said in a Wednesday report.
“Using the TINYSHELL backdoor, the attacker established an outbound command-and-control (C2) channel via a Dynamic DNS domain. This setup enabled continuous external access to the ATM network, completely bypassing perimeter firewalls and traditional network defenses.”
UNC2891 was first documented by Google-owned Mandiant in March 2022, linking the group to attacks targeting ATM switching networks to carry out unauthorized cash withdrawals at different banks using fraudulent cards.
Central to the operation was a kernel module rootkit dubbed CAKETAP that’s designed to hide network connections, processes, and files, as well as intercept and spoof card and PIN verification messages from hardware security modules (HSMs) to enable financial fraud.
The hacking crew is assessed to share tactical overlaps with another threat actor UNC1945 (aka LightBasin), which was previously identified compromising managed service providers and striking targets within the financial and professional consulting industries.
Describing the threat actor as possessing extensive knowledge of Linux and Unix-based systems, Group-IB said its analysis uncovered backdoors named “lightdm” on the victim’s network monitoring server that are designed to establish active connections to the Raspberry Pi and the internal Mail Server.
The attack is significant for the abuse of bind mounts to hide the presence of the backdoor from process listings and evade detection.
The end goal of the infection, as seen in the past, is to deploy the CAKETAP rootkit on the ATM switching server and facilitate fraudulent ATM cash withdrawals. However, the Singaporean company said the campaign was disrupted before the threat actor could inflict any serious damage.
“Even after the Raspberry Pi was discovered and removed, the attacker maintained internal access through a backdoor on the mail server,” Group-IB said. “The threat actor leveraged a Dynamic DNS domain for command-and-control.”
