
An attempted cyber bank heist was discovered that leveraged physical access to an ATM and a previously undocumented anti-forensic technique to gain stealthy network access, Group-IB reported Wednesday.

The attack was conducted by UNC2891, a financially motivated group that has been active since at least November 2017 and primarily targets banking infrastructure.

Initial access was gained by physically implanting a Raspberry Pi device with a 4G modem into an ATM. UNC2891 then used a TINYSHELL backdoor to create a command-and-control (C2) channel via a dynamic DNS domain.

The physical backdoor setup enabled the attackers to bypass traditional network defenses such as firewalls. Additionally, because the attacker’s device connected to the same network switch as the ATM, UNC2891 positioned itself within the bank’s internal network and was able to further establish a backdoor in the bank’s mail server.

Network forensics uncovered suspicious outbound beaconing and connection attempts; however, no matching process IDs (PIDs) were found during triage.

Group-IB’s investigators captured a memory dump to gain more information and discovered the backdoor process, which was named “lightdm” in an attempt to masquerade as the legitimate LightDM display manager, but was found at an unusual location, revealing its malicious nature.

The team further discovered that UNC2891 had hidden the PIDs of its backdoor processes with a previously undocumented technique that uses Linux bind mounts to conceal process artifacts. This technique has since been added to the MITRE ATT&CK framework as T1564.013 – Hide Artifacts: Bind Mounts, Group-IB reported.

This anti-forensics technique can be achieved by mounting and binding an empty folder or file to the same directory location as a process’s entry in the /proc filesystem of Unix-like operating systems, Group-IB explained in a previous blog post.

Group-IB’s investigation determined UNC2891’s objective was to deploy the CAKETAP rootkit in order to manipulate hardware security module (HSM) responses and spoof authorization methods to enable fraudulent cash withdrawals. However, the attack was disrupted before any fraudulent withdrawals were made.

The attack demonstrated the unique threats posed by physical access vectors as well as the limitations of forensics tools when faced with techniques like malicious bind-mounting.

Organizations are recommended to monitor “mount” and “umount” system calls, be alerted when /proc/[pid] is mounted to temporary file storage (tmpfs) or external filesystems, and block or alert on binaries executed from /tmp or .snapd paths, Group-IB concluded.
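The bind-mount concealment described above leaves a trace in the kernel’s mount table: any mount whose mount point sits under /proc/[pid] is abnormal, because procfs never needs one. The following added example (not Group-IB’s tooling) parses /proc/self/mountinfo lines and flags such mounts; the sample lines are constructed for illustration, and the PID 4242 and path /.hidden are made up.

```python
import re
from pathlib import Path

# Constructed sample of /proc/self/mountinfo output (not from the incident).
# Fields: id parent major:minor root mount_point options [optional...] - fstype source superopts
SAMPLE_MOUNTINFO = """\
24 31 0:22 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
25 24 0:41 / /proc/sys/fs/binfmt_misc rw,relatime shared:14 - binfmt_misc binfmt_misc rw
31 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
60 31 0:40 / /tmp rw,nosuid,nodev shared:30 - tmpfs tmpfs rw
61 24 0:40 /.hidden /proc/4242 rw,nosuid,nodev shared:30 - tmpfs tmpfs rw
"""

# Matches a mount point that is exactly /proc/<pid> or something beneath it.
PROC_PID_RE = re.compile(r"^/proc/(\d+)(/.*)?$")


def parse_mountinfo(text):
    """Parse mountinfo lines into dicts; the ' - ' separator ends the optional fields."""
    entries = []
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        pre_fields, post_fields = pre.split(), post.split()
        if not sep or len(pre_fields) < 6 or len(post_fields) < 2:
            continue  # malformed or empty line
        entries.append({
            "mount_id": pre_fields[0], "parent_id": pre_fields[1],
            "root": pre_fields[3], "mount_point": pre_fields[4],
            "fs_type": post_fields[0], "source": post_fields[1],
        })
    return entries


def find_hidden_pid_mounts(text):
    """Return (pid, mount_point, fs_type, source) for every mount overlaying /proc/<pid>."""
    hits = []
    for entry in parse_mountinfo(text):
        match = PROC_PID_RE.match(entry["mount_point"])
        if match is None:
            continue  # /proc itself and /proc/sys/... mounts are legitimate
        hits.append((int(match.group(1)), entry["mount_point"],
                     entry["fs_type"], entry["source"]))
    return hits


def scan_live_system(path="/proc/self/mountinfo"):
    """Run the same check against the running host's mount table."""
    return find_hidden_pid_mounts(Path(path).read_text())


if __name__ == "__main__":
    for pid, mount_point, fs_type, source in find_hidden_pid_mounts(SAMPLE_MOUNTINFO):
        print(f"ALERT: /proc entry for PID {pid} overlaid by {fs_type} ({source}) at {mount_point}")
```

On a live host, scan_live_system() reads the real mount table; a hit is worth cross-checking against a memory image, since the process itself remains running while its /proc entry is masked.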

Financial institutions should also ensure switch ports and other ATM-connected infrastructure are physically secured from tampering, and investigators should capture memory images in addition to disk images during incident response to uncover any potential hidden processes.