
Hackers’ new target of stealing money from ATM machines



Last Updated on 21/03/2022 by Nidhi Khandelwal

A financially motivated threat actor has been seen deploying a previously unknown rootkit targeting Oracle Solaris systems with the purpose of compromising ATM switching networks and making illicit cash withdrawals using counterfeit cards at various banks.


Mandiant, a threat intelligence and incident response organization, is tracking the cluster as UNC2891, with some of its tactics, techniques, and procedures overlapping with those of another cluster known as UNC1945.

In a new analysis published this week, Mandiant analysts said that the actor’s intrusions entail “a high degree of OPSEC and utilize both public and private malware, tools, and scripts to delete evidence and delay response efforts.”

Even more worrying, the attacks in some cases lasted several years, during which time the actor stayed undiscovered thanks to a rootkit called CAKETAP, which is meant to hide network connections, processes, and files.

One variant of the kernel rootkit came with specialized features that enabled it to intercept card and PIN verification messages and use the stolen data to perform fraudulent cash withdrawals from ATM terminals, according to Mandiant, which was able to recover memory forensic data from one of the victimized ATM switch servers.


SLAPSTICK and TINYSHELL are two backdoors credited to UNC1945 that are used to achieve persistent remote access to mission-critical systems as well as shell execution and file transfers via rlogin, telnet, or SSH.

“Because of the group’s familiarity with Unix and Linux-based systems, UNC2891 frequently named and configured their TINYSHELL backdoors with values that masqueraded as legitimate services that investigators might overlook, such as systemd (SYSTEMD), name service cache daemon (NCSD), and the Linux at daemon (ATD),” the researchers noted.
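The masquerading described in that quote (backdoors named SYSTEMD, NCSD or ATD to blend in with real daemons) is exactly the kind of thing a responder can check for mechanically. The following is an added example, not code from the article or from Mandiant: a small detection rule that reads a process listing in the layout of `ps -eo pid,ppid,user,comm,args` and flags entries whose name imitates a known daemon but whose casing, executable path, or place in the process tree does not match what the real daemon would have. The expected binary paths and the sample listing are constructed assumptions for a typical Linux host; on a Solaris box you would substitute the local paths.

```python
"""Flag backdoor processes masquerading as legitimate Unix daemons.

Added example (not from the article or from Mandiant). The canonical daemon
paths below are assumptions for a generic Linux host, and SAMPLE_PS is a
constructed listing, not captured evidence.
"""
import re
from dataclasses import dataclass

# Assumed canonical daemons: lower-cased command name -> executable paths we
# expect. Tune these to your own builds; they are not universal.
KNOWN_DAEMONS = {
    "systemd": {"/sbin/init", "/lib/systemd/systemd", "/usr/lib/systemd/systemd"},
    "nscd": {"/usr/sbin/nscd"},
    "atd": {"/usr/sbin/atd"},
}

# Near-miss spellings that an operator might overlook ("NCSD" for nscd).
LOOKALIKES = {"ncsd": "nscd"}


@dataclass
class Proc:
    pid: int
    ppid: int
    user: str
    comm: str
    args: str


PS_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_ps(text):
    """Parse `ps -eo pid,ppid,user,comm,args` output (header line skipped)."""
    procs = []
    for line in text.strip().splitlines()[1:]:
        m = PS_LINE.match(line)
        if m:
            procs.append(Proc(int(m.group(1)), int(m.group(2)), m.group(3),
                              m.group(4), m.group(5).strip()))
    return procs


def analyse(procs):
    """Return (pid, comm, [reasons]) for every process that imitates a daemon."""
    findings = []
    for p in procs:
        name = p.comm.lower()
        canonical = name if name in KNOWN_DAEMONS else LOOKALIKES.get(name)
        if canonical is None:
            continue  # not a name we care about
        exe = p.args.split()[0] if p.args else ""
        reasons = []
        # Real daemons keep their exact lower-case name; SYSTEMD / NCSD do not.
        if p.comm != canonical:
            reasons.append(f"name {p.comm!r} does not match canonical {canonical!r}")
        # The binary should live where the package installs it, not in /tmp etc.
        if exe and exe not in KNOWN_DAEMONS[canonical]:
            reasons.append(f"executable {exe!r} outside expected paths")
        # Only PID 1 or a per-user manager should be called systemd.
        if canonical == "systemd" and p.pid != 1 and "--user" not in p.args:
            reasons.append("systemd instance that is neither PID 1 nor a --user manager")
        if reasons:
            findings.append((p.pid, p.comm, reasons))
    return findings


# Constructed sample listing: three legitimate daemons and three imposters.
SAMPLE_PS = """
  PID  PPID USER     COMMAND  ARGS
    1     0 root     systemd  /sbin/init splash
  812     1 root     nscd     /usr/sbin/nscd
  915     1 root     atd      /usr/sbin/atd -f
 2231     1 root     SYSTEMD  /tmp/.x/SYSTEMD -d
 2240     1 root     NCSD     /var/tmp/NCSD
 2301  2231 root     atd      /dev/shm/atd
"""


def suspicious_pids(text):
    """Convenience wrapper: set of PIDs flagged in a listing."""
    return {pid for pid, _, _ in analyse(parse_ps(text))}


if __name__ == "__main__":
    for pid, comm, reasons in analyse(parse_ps(SAMPLE_PS)):
        print(f"PID {pid} ({comm}):")
        for r in reasons:
            print(f"  - {r}")
```

Run against the constructed listing it flags PIDs 2231, 2240 and 2301 and leaves the genuine daemons alone. The rule is deliberately narrow: it catches name and path masquerading, not a kernel rootkit such as CAKETAP that hides the process entirely, so in practice you would pair it with a cross-check of /proc against the ps output taken from a trusted boot medium.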

Nidhi Khandelwal
Nidhi is a tech news/research contributor at TheDigitalHacker. She publishes about techno geopolitics, privacy, and data breach.