Hackers deploy concealed Raspberry Pi and tailor-made malware to target bank ATMs

Hackers used a Raspberry Pi and malware in a thwarted bank ATM heist by UNC2891.

Hackers identified as UNC2891 attempted a sophisticated bank ATM heist involving a concealed Raspberry Pi. The device was equipped with a 4G modem to communicate with external attackers despite the bank's firewalls being active. They intended to manipulate ATM operations using a custom rootkit called CAKETAP but were stopped in time by Group-IB. Security recommendations include monitoring system calls and securing physical equipment.

Hackers recently attempted a sophisticated breach of a bank’s ATM network by physically installing a hidden Raspberry Pi device equipped with a 4G modem. The small computer was stealthily connected to the same network switch as the ATM machines, effectively placing it inside the bank’s internal network. This setup allowed attackers to remotely access the network via cellular connection, bypassing perimeter security controls and firewalls.

Once inside, the Raspberry Pi ran a custom malware tool known as TINYSHELL, which used dynamic DNS to connect back to the attackers' command and control server. This allowed the hackers to maintain persistence and communication without relying on the bank’s monitored infrastructure. The malware was carefully configured to avoid detection and appeared to be developed specifically for targeting ATM switching environments.

To conceal their presence, the attackers used advanced anti-forensics techniques, including abusing Linux bind mounts to mount over process directories under /proc and spoof process metadata. This allowed them to hide malicious processes from administrators and system monitoring tools, reducing the likelihood of detection. This technique has been classified under MITRE ATT&CK as T1564.013.
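As an added defender-side illustration that is not part of the original article or of Group-IB's tooling: a bind mount placed over /proc/&lt;pid&gt; still shows up as a mount entry, so a host check can scan /proc/self/mountinfo for any mount point beneath a /proc/&lt;pid&gt; directory. The sample mountinfo lines, PIDs and helper names below are constructed for the example.

```python
"""Detect bind mounts layered over /proc/<pid> directories (hypothetical check).

A process hidden this way still leaves the mount in /proc/self/mountinfo."""
import re
from typing import Dict, List

# Mount points at or beneath /proc/<pid>; nothing legitimate mounts there.
PROC_PID_RE = re.compile(r"^/proc/(\d+)(/.*)?$")


def parse_mountinfo(text: str) -> List[Dict[str, str]]:
    """Parse mountinfo lines (field layout as documented in proc(5))."""
    entries = []
    for line in text.strip().splitlines():
        pre, _, post = line.partition(" - ")  # optional fields end at " - "
        fields = pre.split()
        fs_type, source = post.split()[:2]
        entries.append({
            "root": fields[3],                 # directory inside the source fs
            "mount_point": fields[4].replace("\\040", " "),
            "fs_type": fs_type,
            "source": source,
        })
    return entries


def find_proc_overmounts(text: str) -> List[Dict[str, str]]:
    """Return mounts whose mount point sits under /proc/<pid>, tagged with the PID."""
    hits = []
    for m in parse_mountinfo(text):
        match = PROC_PID_RE.match(m["mount_point"])
        if match:
            m["hidden_pid"] = match.group(1)
            hits.append(m)
    return hits


# Constructed sample (not real data): three normal mounts, plus /proc/4242
# bind-mounted over /proc/1337 so that PID 1337 shows PID 4242's metadata.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
28 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
30 28 0:25 / /dev/shm rw,nosuid,nodev shared:3 - tmpfs tmpfs rw
91 22 0:21 /4242 /proc/1337 rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
"""

if __name__ == "__main__":
    with open("/proc/self/mountinfo") as fh:  # live check on a Linux host
        for hit in find_proc_overmounts(fh.read()):
            print(f"ALERT: /proc/{hit['hidden_pid']} overmounted by {hit['source']}:{hit['root']}")
```

The check only sees mounts in the mount namespace it runs in, so run it from the host's initial namespace rather than inside a container. Pairing it with syscall auditing of mount, as the article's recommendation to monitor system calls suggests, records the overmount at the moment it is created.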

The ultimate objective was to deploy a rootkit named CAKETAP on the ATM switch server. CAKETAP is designed to intercept messages to and from hardware security modules, enabling attackers to approve unauthorized cash transactions. However, the attack was detected and halted before this stage was completed, and no financial damage was reported.

The operation was attributed to UNC2891, a financially motivated threat actor also known as LightBasin. This group has a history of complex attacks targeting telecom and banking sectors, often using tailor-made tools. Their tactics demonstrate a high level of sophistication and a deep understanding of financial infrastructure vulnerabilities.

Sources: The Hacker News, Group-IB, BleepingComputer, Ars Technica, CyberPress