Last Updated on 21/03/2022 by Nidhi Khandelwal
A financially motivated threat actor has been seen deploying a previously unknown rootkit targeting Oracle Solaris systems with the purpose of compromising ATM switching networks and making illicit cash withdrawals using counterfeit cards at various banks.
Mandiant, a threat intelligence and incident response organization, is tracking the cluster as UNC2891, with some of its tactics, techniques, and processes overlapping with those of another cluster known as UNC1945.
In a new analysis published this week, Mandiant analysts said that the actor’s intrusions entail “a high degree of OPSEC and utilize both public and private malware, tools, and scripts to delete evidence and delay response efforts.”
Even more worrying, the attacks in some cases lasted several years, during which time the actor stayed undiscovered thanks to a rootkit called CAKETAP, which is meant to hide network connections, processes, and files.
One variant of the kernel rootkit came with specialized features that enabled it to intercept card and PIN verification messages and use the stolen data to perform fraudulent cash withdrawals from ATM terminals, according to Mandiant, which was able to recover memory forensic data from one of the victimized ATM switch servers.
SLAPSTICK and TINYSHELL are two backdoors credited to UNC1945 that are used to achieve persistent remote access to mission-critical systems as well as shell execution and file transfers via rlogin, telnet, or SSH.
“Because of the group’s familiarity with Unix and Linux-based systems, UNC2891 frequently named and configured their TINYSHELL backdoors with values that masqueraded as legitimate services that investigators might overlook, such as systemd (SYSTEMD), name service cache daemon (NCSD), and the Linux at daemon (ATD),” the researchers noted.
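Two of the behaviours described above, a rootkit that hides processes from the standard tooling and backdoors named after legitimate daemons, are both amenable to a simple defender-side check. The following Python is an added example, not code from the article or from Mandiant: it compares a (possibly hooked) `ps` listing against an independent enumeration of `/proc`, and flags executables whose names imitate known daemons but are mangled in case, transposed, or running from an unexpected directory. Both "views" are constructed sample data, and the `KNOWN_DAEMONS` table of expected install directories is an assumption for the demonstration rather than a vetted baseline for any particular Solaris or Linux build.

```python
"""Cross-view process check with a daemon-name masquerade heuristic.

Added illustration; sample data below is constructed. On a real host, the
first view would be collected with `ps` (which a kernel rootkit can filter)
and the second by walking /proc independently, ideally from a trusted
forensic image or a separate collection agent.
"""
import os

# Constructed view 1: what a possibly-hooked `ps -eo pid,comm,args` reports.
PS_OUTPUT = """\
  PID COMMAND          ARGS
    1 init             /sbin/init
  215 nscd             /usr/sbin/nscd
  402 sshd             /usr/sbin/sshd
  519 cron             /usr/sbin/cron
  740 ncsd             /usr/sbin/ncsd
"""

# Constructed view 2: an independent walk of /proc/<pid> -> executable path.
PROC_VIEW = {
    1: "/sbin/init",
    215: "/usr/sbin/nscd",
    402: "/usr/sbin/sshd",
    519: "/usr/sbin/cron",
    733: "/var/tmp/.cache/SYSTEMD",  # absent from the ps view: hidden process
    740: "/usr/sbin/ncsd",            # look-alike of nscd in a legitimate directory
}

# Assumed mapping of legitimate daemon name -> directory it is expected to run from.
KNOWN_DAEMONS = {
    "init": "/sbin",
    "nscd": "/usr/sbin",
    "sshd": "/usr/sbin",
    "cron": "/usr/sbin",
    "atd": "/usr/sbin",
    "systemd": "/lib/systemd",
}


def parse_ps(text):
    """Return {pid: executable path} from a ps-style table, skipping the header."""
    result = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit():
            result[int(parts[0])] = parts[2]
    return result


def hidden_pids(ps_view, proc_view):
    """PIDs present in /proc but missing from ps: candidates hidden by a rootkit."""
    return sorted(set(proc_view) - set(ps_view))


def is_transposition(a, b):
    """True when b equals a with exactly one pair of adjacent characters swapped."""
    if len(a) != len(b):
        return False
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])


def masquerade_findings(proc_view):
    """Flag executables whose name imitates a known daemon without matching it.

    Returns a list of (pid, path, reason) tuples in PID order.
    """
    findings = []
    for pid, path in sorted(proc_view.items()):
        directory, name = os.path.split(path)
        lname = name.lower()
        if lname in KNOWN_DAEMONS:
            if name != lname:
                findings.append((pid, path, "case-mangled daemon name"))
            elif directory != KNOWN_DAEMONS[lname]:
                findings.append((pid, path, f"expected under {KNOWN_DAEMONS[lname]}"))
        else:
            for known in KNOWN_DAEMONS:
                if is_transposition(lname, known):
                    findings.append((pid, path, f"look-alike of {known}"))
    return findings


if __name__ == "__main__":
    ps_view = parse_ps(PS_OUTPUT)
    for pid in hidden_pids(ps_view, PROC_VIEW):
        print(f"HIDDEN   pid={pid} exe={PROC_VIEW[pid]}")
    for pid, path, reason in masquerade_findings(PROC_VIEW):
        print(f"SUSPECT  pid={pid} exe={path} ({reason})")
```

Run on the constructed data this reports PID 733 as hidden (it exists in `/proc` but not in `ps`) and flags both the upper-cased `SYSTEMD` binary under `/var/tmp` and the transposed `ncsd` name. The cross-view step is the part that survives a rootkit which only hooks the usual process-listing paths; if the rootkit also filters `/proc`, the second view has to come from memory or from a disk image acquired out of band, which is the route the article describes Mandiant taking.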