The financially motivated threat actor known as UNC2891 has been observed using 4G-equipped Raspberry Pi devices to target automated teller machine (ATM) infrastructure as part of a covert attack.
The cyber-physical attack involved exploiting physical access to install a Raspberry Pi device connected directly to the same network switch as the ATM, effectively placing it inside the target bank's network. It is currently not known how this physical access was obtained.
"The Raspberry Pi is equipped with a 4G modem, allowing remote access over mobile data," security researcher Nam Le Phuong said in a report published Wednesday.
"Using TinyShell backdoors, the attacker established an outbound command-and-control (C2) channel through a dynamic DNS domain. This setup allowed continuous external access to the ATM network, completely bypassing perimeter firewalls and traditional network defenses."
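The C2 channel described above leaves one artifact that the bypassed perimeter firewall does not: the implant still has to resolve its dynamic DNS name, usually on a fixed schedule. The following is an added detection example (not code from the report or from Group-IB) that parses a constructed resolver log, restricts attention to clients in the ATM network segment, matches query names against an assumed starter list of public dynamic DNS suffixes, and flags (client, name) pairs whose inter-query intervals are nearly constant. The log format, the 10.50.1.0/24 segment and the sample hostnames are all assumptions.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Illustrative suffixes of public dynamic DNS providers. This is an assumed
# starter list, not one from the report; tune it for your own environment.
DYNAMIC_DNS_SUFFIXES = (
    "ddns.net", "duckdns.org", "hopto.org", "no-ip.org", "dyndns.org", "dynu.net",
)

# Constructed resolver log sample (not real telemetry):
# "<UTC timestamp> <client ip> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2025-07-30T10:00:00Z 10.50.1.21 A update.vendor-example.com
2025-07-30T10:00:00Z 10.50.1.7 A host-a1b2.ddns.net
2025-07-30T10:05:00Z 10.50.1.7 A host-a1b2.ddns.net
2025-07-30T10:10:01Z 10.50.1.7 A host-a1b2.ddns.net
2025-07-30T10:14:59Z 10.50.1.7 A host-a1b2.ddns.net
2025-07-30T10:20:00Z 10.50.1.7 A host-a1b2.ddns.net
2025-07-30T10:21:00Z 10.50.1.33 A www.duckdns.org
2025-07-30T10:22:00Z 10.50.1.33 AAAA mail.bank-example.internal
"""


def parse_dns_log(text):
    """Yield (timestamp, client_ip, qtype, qname) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], parts[2], parts[3].rstrip(".").lower()


def is_dynamic_dns(qname, suffixes=DYNAMIC_DNS_SUFFIXES):
    """True if qname is a provider apex or a name under one of the suffixes."""
    return any(qname == s or qname.endswith("." + s) for s in suffixes)


def dynamic_dns_queries(text, watched_network):
    """Return records where a client in the watched segment resolved a dynamic DNS name."""
    net = ipaddress.ip_network(watched_network)
    return [
        rec for rec in parse_dns_log(text)
        if ipaddress.ip_address(rec[1]) in net and is_dynamic_dns(rec[3])
    ]


def beacon_candidates(records, min_count=4, max_cv=0.15):
    """Group records by (client, qname) and flag near-periodic query patterns.

    A low coefficient of variation of the inter-query interval, over at least
    min_count queries, is the classic signature of an automated check-in.
    Returns (client, qname, count, mean_interval_seconds) tuples.
    """
    by_pair = defaultdict(list)
    for ts, client, _qtype, qname in records:
        by_pair[(client, qname)].append(ts)
    flagged = []
    for (client, qname), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            flagged.append((client, qname, len(stamps), mean))
    return flagged


if __name__ == "__main__":
    hits = dynamic_dns_queries(SAMPLE_DNS_LOG, "10.50.1.0/24")
    for client, qname, count, gap in beacon_candidates(hits):
        print(f"{client} -> {qname}: {count} queries, ~{gap:.0f}s apart")
```

On the constructed sample only 10.50.1.7 is flagged: five queries for the same dynamic DNS name roughly 300 seconds apart. A single query to a provider apex (10.50.1.33) is noted but not flagged, which is the right bias for an ATM segment where hosts should have a very short, fixed list of legitimate destinations.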
UNC2891 was first documented in March 2022 by Google-owned Mandiant, which linked the group to attacks on ATM switching networks that used fraudulent cards to perform unauthorized cash withdrawals at different banks.
At the heart of that operation was a kernel-module rootkit called Caketap, designed to hide network connections, processes and files, and to intercept and spoof verification messages from the Hardware Security Module (HSM).

The hacking crew has been assessed to share tactical overlaps with another threat actor tracked as UNC1945 (aka LightBasin).
Describing the threat actor as having extensive knowledge of Linux and UNIX-based systems, Group-IB said it analyzed a backdoor named "LightDM" on the victim's network monitoring server, designed to establish active connections to the Raspberry Pi and to an internal mail server.
The attack is also notable for its abuse of bind mounts to hide the backdoor's presence from the process list and evade detection.
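Bind-mount hiding works because tools such as ps and top enumerate processes by walking /proc; mounting something else over /proc/<pid> masks that one directory from them. The mount itself, however, is recorded in the kernel's mount table. The following is an added defensive example (not code from the report or from Group-IB) that parses /proc/self/mountinfo and flags any mount point sitting on a /proc/<pid> directory, and adds a second check comparing the Pid: field of each /proc/<pid>/status against the directory name, which disagrees when a different process entry was bind-mounted over it. The mountinfo lines and status texts used here are constructed samples.

```python
import os
import re

# Constructed /proc/self/mountinfo sample (not taken from the report). The last two
# entries show the pattern of interest: something bind-mounted over /proc/<pid>.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
97 22 8:1 /tmp/.empty /proc/4242 rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
98 22 0:21 /1 /proc/5151 rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
"""

PROC_PID_DIR = re.compile(r"^/proc/(\d+)(/.*)?$")


def _unescape(path):
    """mountinfo encodes space, tab, newline and backslash as octal escapes (\\040 etc.)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)


def parse_mountinfo(text):
    """Parse mountinfo lines into dicts. Optional fields precede the ' - ' separator."""
    entries = []
    for line in text.splitlines():
        if " - " not in line:
            continue
        left, right = line.split(" - ", 1)
        lf, rf = left.split(), right.split()
        if len(lf) < 6 or len(rf) < 2:
            continue
        entries.append({
            "mount_id": int(lf[0]),
            "parent_id": int(lf[1]),
            "root": _unescape(lf[3]),
            "mount_point": _unescape(lf[4]),
            "fstype": rf[0],
            "source": rf[1],
        })
    return entries


def find_proc_overlays(entries):
    """Return mounts whose mount point sits on a /proc/<pid> directory.

    A bind mount there replaces the real process entry, so tools that walk /proc
    (ps, top, lsof) no longer see the hidden process. Legitimate software has
    almost no reason to mount anything at that path.
    """
    return [e for e in entries if PROC_PID_DIR.match(e["mount_point"])]


def pid_mismatch(dirname_pid, status_text):
    """Cross-check /proc/<pid>/status against the directory name.

    If another process entry was bind-mounted over this one, the Pid: line read
    through the mount disagrees with the directory name.
    """
    for line in status_text.splitlines():
        if line.startswith("Pid:"):
            return int(line.split()[1]) != int(dirname_pid)
    return True  # no Pid line at all: not a real process entry


def scan_live_system():
    """Run both checks on the host this script executes on (Linux only)."""
    with open("/proc/self/mountinfo") as fh:
        overlays = find_proc_overlays(parse_mountinfo(fh.read()))
    mismatched = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/status") as fh:
                if pid_mismatch(name, fh.read()):
                    mismatched.append(name)
        except OSError:
            continue  # process exited mid-scan, or the overlay hides status entirely
    return overlays, mismatched


if __name__ == "__main__":
    for e in find_proc_overlays(parse_mountinfo(SAMPLE_MOUNTINFO)):
        print(f"suspicious: {e['source']}:{e['root']} mounted on {e['mount_point']}")
    if os.path.exists("/proc/self/mountinfo"):
        ov, mm = scan_live_system()
        print(f"live host: {len(ov)} /proc overlays, {len(mm)} pid mismatches")
```

The two checks are complementary: an empty directory mounted over /proc/<pid> makes the status file unreadable (so the second check is skipped) but is caught by the mount-table scan, while a mount of another process's entry passes the directory listing and is caught by the Pid: comparison. Both read only the mount namespace the scanner runs in, so run it in the host namespace, not from inside a container.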
As in past intrusions, the ultimate goal was to deploy the Caketap rootkit on the ATM switching server to facilitate unauthorized ATM cash withdrawals. However, the Singaporean company said the campaign was disrupted before the threat actor could cause serious damage.
"Even after the Raspberry Pi was discovered and removed, the attacker maintained internal access through the backdoor on the mail server," Group-IB said. "The threat actors leveraged a dynamic DNS domain for command and control."