- Attackers installed a 4G-enabled Raspberry Pi on a bank's ATM network switch to gain access to the network
- The disguised device communicated every 600 seconds, evading typical detection systems
- The malware used spoofed Linux process names and obscure directories to blend in with legitimate system activity
A criminal group recently attempted an unusual and sophisticated intrusion into a bank's ATM infrastructure by deploying a 4G-capable Raspberry Pi.
A Group-IB report revealed that the device was covertly installed on a network switch used by the ATM system, placing it inside the bank's internal environment.
The group behind the operation, UNC2891, exploited this physical access point to bypass the digital perimeter defenses entirely, illustrating how a physical compromise can still defeat software protections.
Exploiting physical access to bypass digital defenses
The Raspberry Pi served as a covert entry point with remote connectivity through its 4G modem, which enabled persistent command-and-control access from outside the institution's network without triggering typical firewall or endpoint protection alerts.
“One of the most unusual elements of this case was the attacker's use of physical access to install a Raspberry Pi device,” wrote Nam Le Phuong.
“This device was connected directly to the same network switch as the ATM, effectively placing it inside the bank's internal network.”
Using mobile data, the attackers maintained a low-profile presence while deploying custom malware and initiating lateral movement within the bank's infrastructure.
One tool in particular, known as TinyShell, was used to handle network communications, allowing data to move unnoticed across several internal systems.
Forensic analysis later revealed that UNC2891 used a layered approach to obfuscation.
The malware processes were named “lightdm”, imitating a legitimate Linux process.
These binaries ran from atypical directories such as /tmp, which let them blend in with benign system functions.
In addition, the group used a technique known as Linux bind mounts to hide process metadata from forensic tools, a method not commonly observed in real-world attacks until now.
This technique has since been cataloged in the MITRE ATT&CK framework because of its potential to evade conventional detection.
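The two host-side tells described above, a process that borrows a legitimate service name but runs from a scratch directory such as /tmp, and a bind mount placed over /proc/<pid> to hide that process's metadata, can both be checked with a small script. The following is an added example written for this article, not code from Group-IB or from the investigation; the process list and the /proc/mounts table it parses are constructed, and the list of imitated service names is an assumption a defender would tune to their own hosts.

```python
"""Host checks for the evasion techniques described in the article:
process-name masquerading from scratch directories and bind mounts over
/proc/<pid>. Added example with constructed sample data."""
import os
import re
from dataclasses import dataclass

# Directories from which legitimate system daemons are not expected to run.
SUSPICIOUS_EXE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Common Linux service names that malware may imitate (assumption: tune per host).
IMITATED_NAMES = {"lightdm", "sshd", "cron", "systemd", "dbus-daemon"}


@dataclass
class Proc:
    pid: int
    comm: str   # process name as shown in /proc/<pid>/comm
    exe: str    # resolved target of /proc/<pid>/exe


def find_masquerading(procs):
    """Return processes whose name matches a known service but whose binary
    lives in a scratch directory such as /tmp."""
    return [p for p in procs
            if p.comm in IMITATED_NAMES and p.exe.startswith(SUSPICIOUS_EXE_DIRS)]


# /proc/mounts line: "<source> <mountpoint> <fstype> <options> <dump> <pass>"
_PROC_PID_MOUNT = re.compile(r"^\S+\s+(/proc/\d+)(?:/\S*)?\s")


def find_proc_bind_mounts(mounts_text):
    """Parse /proc/mounts content and return mount points that sit on top of
    /proc/<pid>; such a mount hides the real process metadata from tools
    that read /proc, which is the bind-mount trick the article describes."""
    hidden = []
    for line in mounts_text.splitlines():
        m = _PROC_PID_MOUNT.match(line)
        if m:
            hidden.append(m.group(1))
    return hidden


def collect_live_procs():
    """Read the real /proc on a Linux host (resolving /proc/<pid>/exe for
    other users' processes needs root); returns an empty list elsewhere."""
    procs = []
    if not os.path.isdir("/proc"):
        return procs
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{name}/exe")
        except OSError:
            continue   # process exited or permission denied
        procs.append(Proc(int(name), comm, exe))
    return procs


# Constructed sample data resembling what the article describes: a genuine
# lightdm, a look-alike launched from /tmp, and a bind mount over its /proc entry.
SAMPLE_PROCS = [
    Proc(812, "lightdm", "/usr/sbin/lightdm"),
    Proc(4471, "lightdm", "/tmp/lightdm"),
    Proc(4490, "sshd", "/usr/sbin/sshd"),
]
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda1 /proc/4471 ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""

if __name__ == "__main__":
    for p in find_masquerading(SAMPLE_PROCS):
        print(f"masquerading process pid={p.pid} comm={p.comm} exe={p.exe}")
    for mp in find_proc_bind_mounts(SAMPLE_MOUNTS):
        print(f"mount placed over process metadata: {mp}")
```

On a live Linux host the same two functions can be fed `collect_live_procs()` and the contents of `/proc/mounts`; the mount check matters because a process list read through /proc alone will show the mounted-over directory's contents rather than the hidden process's real metadata.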
Investigators discovered that the bank's monitoring server was silently communicating with the Raspberry Pi every 600 seconds, network behavior subtle enough that it did not immediately stand out as malicious.
However, deeper memory analysis revealed the deceptive nature of the processes and showed that these communications extended to an internal mail server with persistent internet access.
Even after the physical implant was removed, the attackers maintained access through this secondary vector, showing a calculated strategy to ensure continuity.
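A fixed 600-second check-in is quiet, but its regularity is itself a signal that flow or proxy logs can surface. The script below is an added example, not part of the article or the Group-IB report: it groups connection records by source, destination and port and flags pairs whose inter-connection gaps are nearly constant. The log lines are constructed, and the 192.0.2.x addresses are documentation placeholders.

```python
"""Detect fixed-interval beaconing in connection logs, the pattern seen between
the monitoring server and the implant (one connection every 600 seconds).
Added example with constructed flow records."""
from collections import defaultdict
from statistics import median


def parse_flows(lines):
    """Parse constructed 'epoch src dst dport' lines into tuples,
    skipping malformed lines."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        flows.append((int(ts), src, dst, int(dport)))
    return flows


def find_beacons(flows, min_connections=6, max_jitter=0.10):
    """Group flows by (src, dst, dport) and report pairs whose gaps between
    consecutive connections all lie within max_jitter of the median gap.
    Returns a list of ((src, dst, dport), median_gap_seconds)."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(src, dst, dport)].append(ts)
    beacons = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue           # too few samples to call it periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med <= 0:
            continue           # duplicate timestamps, not a schedule
        if all(abs(g - med) <= max_jitter * med for g in gaps):
            beacons.append((pair, med))
    return beacons


# Constructed sample: a beacon every 600 s from the monitoring server
# (192.0.2.10) to the implant (192.0.2.77), mixed with irregular file-share
# traffic from the same server to another host.
SAMPLE_LOG = [
    f"{1700000000 + i * 600} 192.0.2.10 192.0.2.77 443" for i in range(8)
] + [
    "1700000037 192.0.2.10 192.0.2.20 445",
    "1700000411 192.0.2.10 192.0.2.20 445",
    "1700000980 192.0.2.10 192.0.2.20 445",
    "1700001002 192.0.2.10 192.0.2.20 445",
    "1700002940 192.0.2.10 192.0.2.20 445",
    "1700003100 192.0.2.10 192.0.2.20 445",
    "1700003111 192.0.2.10 192.0.2.20 445",
]

if __name__ == "__main__":
    for (src, dst, dport), interval in find_beacons(parse_flows(SAMPLE_LOG)):
        print(f"beacon candidate {src} -> {dst}:{dport} every ~{interval:.0f}s")
```

The jitter tolerance is deliberately loose: real implants often randomise their sleep slightly, and a rule that requires exact 600-second gaps would miss them, so the check compares each gap to the median rather than to a fixed value.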
Ultimately, the objective was to compromise the ATM switching server and deploy the custom Caketap rootkit, which can manipulate hardware security modules to authorize illegitimate transactions.
Such a tactic would allow fraudulent cash withdrawals while appearing legitimate to the bank's systems.
Fortunately, the intrusion was disrupted before this phase could be executed.
This incident highlights the risks arising from the growing convergence of physical access tactics and advanced anti-forensic techniques.
It also shows that, beyond remote hacking, insider threats or physical tampering can facilitate identity theft and financial fraud.