The financially motivated threat actor group UNC2891 initiated a sophisticated attack by physically connecting a Raspberry Pi directly to an internal network switch. This embedded device, equipped with a 4G modem, acted as a covert hardware backdoor, allowing the attackers to bypass perimeter firewalls completely. It established a persistent, outbound command-and-control (C2) channel using the TINYSHELL backdoor over a mobile data network, effectively giving the attackers remote access to the core banking infrastructure without triggering conventional security alerts. This physical intrusion vector remained undetected during initial security checks, highlighting a significant blind spot in traditional monitoring strategies.
To remain hidden, UNC2891 employed advanced anti-forensics techniques. Forensic analysis uncovered beaconing activity from the Raspberry Pi to a C2 server every 600 seconds, yet no corresponding process IDs (PIDs) were visible in standard system listings. The attackers achieved this by using an undocumented technique involving Linux bind mounts (now cataloged as MITRE ATT&CK T1564.013), where they mounted process directories like /proc/[pid] to temporary filesystems (tmpfs). This method effectively hid their malicious processes from view. Furthermore, memory dumps revealed they masqueraded their binaries as legitimate system processes, such as “lightdm,” executing them from unusual paths like /tmp and /var/snap/.snapd.
Once inside, the threat actors used a centrally located Network Monitoring Server as a pivot point to move laterally across the data center’s critical systems.
This server’s extensive connectivity gave them broad access to the internal network. The campaign’s resilience was demonstrated by its ability to maintain persistence even after the Raspberry Pi was discovered and removed. The attackers had already established a secondary backdoor on an internet-exposed Mail Server, ensuring their continued access and making containment efforts significantly more challenging.
The group’s end goal was to compromise the ATM switching server by deploying the CAKETAP rootkit. This specialized malware was designed to intercept and manipulate communications with the Hardware Security Module (HSM), allowing the attackers to spoof transaction authorization messages and orchestrate illicit cash withdrawals from ATMs. Fortunately, incident responders detected and halted the operation before UNC2891 could achieve its final objective.
The multi-stage attack, combining a physical backdoor, network pivoting, and Dynamic DNS for C2 agility, underscored the sophisticated nature of the threat.
Detecting this campaign proved difficult for standard security tools, requiring advanced forensic methods. Investigators had to use custom scripts to capture network socket connections at high frequency and perform deep memory analysis to uncover the hidden processes and connections. Based on these findings, experts recommend several defensive measures: monitoring mount and umount syscalls using auditd or eBPF, alerting on any mounts of /proc/[pid] directories, restricting process execution from temporary paths, securing physical switch ports, and integrating memory imaging into incident response playbooks. This incident emphasizes the critical need for integrated security models that address both physical and logical threats in high-security environments like banking.
Reference:
