How Hackers Steal Money from ATMs through Bank Networks with New Rootkit

by CISOCONNECT Bureau

According to security researchers, financially motivated threat actors have targeted bank networks to steal money from ATMs. Read on to know more…

Financially motivated threat actors have been compromising ATM switching networks in order to make fraudulent cash withdrawals with counterfeit cards at multiple banks. The actors were observed deploying a previously unknown rootkit targeting Oracle Solaris systems to carry out the unauthorised withdrawals.

Mandiant, a threat intelligence and incident response firm, tracks the cluster as UNC2891. Some of the group's tactics, techniques, and procedures (TTPs) overlap with those of another cluster known as UNC1945.

Observations
Mandiant researchers said in a new report published this week that the intrusions staged by the actor involve "a high degree of OPSEC and leverage both public and private malware, utilities, and scripts to remove evidence and hinder response efforts."

Even more worrying, some of the attacks lasted several years, during which the attacker remained undiscovered by hiding behind a kernel rootkit called CAKETAP, which is designed to conceal network connections, processes, and files from the tools an investigator would normally run on the host.
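A rootkit that hides processes has to do so at one layer at a time, and the layers can be compared. The following is an added example, written for this article rather than taken from Mandiant's report, of a cross-view check: a rootkit that filters directory listings of `/proc` still has to let the kernel answer `kill(pid, 0)` for the hidden process, so PIDs that are alive by probe but absent from the listing are worth a closer look. It assumes a Linux-style `/proc` with one numeric directory per PID; Solaris lays `/proc` out differently, so only the comparison logic carries over unchanged.

```python
"""
Added example (my code, not the article's or Mandiant's): a cross-view check
for processes hidden from /proc directory listings, the discrepancy a
process-hiding rootkit such as CAKETAP is described as creating. A rootkit
that filters readdir() on /proc still has to let the kernel answer
kill(pid, 0) for the hidden process, so the two views can be compared.

Assumption: a Linux-style /proc with one numeric directory per PID (Solaris
/proc is laid out differently, so only hidden_pids() carries over as-is).
"""
import os


def listed_pids():
    """PIDs visible through readdir() on /proc: the view a rootkit filters."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(max_pid):
    """PIDs the kernel admits exist, found by probing kill(pid, 0).

    ESRCH (ProcessLookupError) means no such process; EPERM means the
    process exists but we may not signal it, which still counts as alive.
    """
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def hidden_pids(listed_before, probed, listed_after, reprobed):
    """PIDs alive on both probes but absent from both /proc listings.

    The scan is ordered list, probe, list, probe so that a process that
    merely started or exited while the scan ran is not reported as hidden,
    the usual false positive of a single comparison. A PID reused by a new
    process inside that window could still slip through; re-run to confirm.
    """
    return (set(probed) & set(reprobed)) - set(listed_before) - set(listed_after)


def scan_live():
    """Run the four-step scan against this host and return hidden PIDs."""
    with open("/proc/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    before = listed_pids()
    probed = probed_pids(max_pid)
    after = listed_pids()
    reprobed = probed_pids(max_pid)
    return hidden_pids(before, probed, after, reprobed)


if __name__ == "__main__":
    for pid in sorted(scan_live()):
        print(f"hidden from /proc listing but alive: pid {pid}")
```

A hit from this check is a lead, not a verdict: confirm it from a second vantage point (a memory image, or a boot from known-good media) before trusting any tool that runs on the suspect kernel, since the rootkit can in principle hook the probe path as well.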

One variant of the kernel rootkit had specialised features that let it intercept card and PIN verification messages and use the stolen data to perform fraudulent cash withdrawals from ATM terminals, according to Mandiant, which recovered memory forensic data from one of the victimised ATM switch servers.

SLAPSTICK and TINYSHELL, two backdoors attributed to UNC1945, are also used to maintain persistent remote access to mission-critical systems, as well as for shell execution and file transfers via rlogin, telnet, or SSH.

The researchers pointed out: "In line with the group's familiarity with Unix and Linux based systems, UNC2891 often named and configured their TINYSHELL backdoors with values that masqueraded as legitimate services that might be overlooked by investigators, such as systemd (SYSTEMD), name service cache daemon (NCSD), and the Linux at daemon (ATD)."
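A renamed backdoor can choose any process name it likes, but on Linux `/proc/<pid>/exe` still resolves to the file that is actually mapped. The following is an added example, my code rather than anything from the article or the Mandiant report, that flags processes named after the daemons quoted above (systemd, nscd, atd) whose executable is not where the real daemon's binary lives, or runs from a writable scratch directory, or was unlinked after it started. The expected binary paths are assumptions based on common Linux defaults and must be adjusted per distribution; "ncsd" is included only because that is the spelling in the quoted report; the sample process table is constructed for the example.

```python
"""
Added example (my code, not the article's or Mandiant's): flag processes
whose name matches a daemon the quoted report says TINYSHELL backdoors were
disguised as, but whose executable does not live where that daemon's real
binary lives. comm and argv[0] are attacker-controlled; /proc/<pid>/exe is
not, short of a kernel-level rootkit.

Assumptions, not facts from the page: EXPECTED_EXE holds typical Linux
defaults (adjust per distribution); "ncsd" mirrors the report's spelling;
SAMPLE is a constructed process table, not real forensic data.
"""
import os

# Assumed legitimate locations of the impersonated daemons (adjust per distro).
EXPECTED_EXE = {
    "systemd": {"/lib/systemd/systemd", "/usr/lib/systemd/systemd"},
    "nscd": {"/usr/sbin/nscd"},
    "ncsd": set(),  # no legitimate binary by this name; any hit is suspect
    "atd": {"/usr/sbin/atd"},
}

# Writable, unpackaged locations an attacker-dropped binary tends to run from.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def masquerade_reasons(rec):
    """Return the reasons a process record looks like a disguised backdoor,
    or an empty list if its name is unwatched or its binary is where expected.

    rec is a dict with keys pid, comm and exe (exe as readlink() returns it).
    """
    name = rec["comm"].lower()
    if name not in EXPECTED_EXE:
        return []
    reasons = []
    exe = rec["exe"]
    if exe.endswith(" (deleted)"):
        # Linux appends this when the mapped file was unlinked after exec,
        # a common anti-forensic step for dropped implants.
        reasons.append("binary unlinked after start")
        exe = exe[: -len(" (deleted)")]
    if exe not in EXPECTED_EXE[name]:
        reasons.append(f"exe {exe} is not the expected binary for {name}")
    if exe.startswith(SUSPICIOUS_DIRS):
        reasons.append("exe under a writable scratch directory")
    return reasons


def find_masquerades(records):
    """Return [(pid, reasons)] for every record that trips at least one check."""
    hits = []
    for rec in records:
        reasons = masquerade_reasons(rec)
        if reasons:
            hits.append((rec["pid"], reasons))
    return hits


def live_records():
    """Collect comm and exe for every PID in a Linux-style /proc (assumption)."""
    records = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # kernel thread, already exited, or not ours to inspect
        records.append({"pid": pid, "comm": comm, "exe": exe})
    return records


# Constructed sample process table for the example (not real forensic data).
SAMPLE = [
    {"pid": 1, "comm": "systemd", "exe": "/usr/lib/systemd/systemd"},
    {"pid": 1423, "comm": "nscd", "exe": "/usr/sbin/nscd"},
    {"pid": 2870, "comm": "systemd", "exe": "/tmp/.cache/systemd (deleted)"},
    {"pid": 3011, "comm": "atd", "exe": "/dev/shm/atd"},
    {"pid": 3102, "comm": "sshd", "exe": "/usr/sbin/sshd"},
]

if __name__ == "__main__":
    for pid, reasons in find_masquerades(SAMPLE):
        print(pid, "; ".join(reasons))
```

Run against the sample table, PIDs 2870 and 3011 are reported and the two genuine daemons are not. On a live host, feed `live_records()` to `find_masquerades()` instead, and remember that a kernel rootkit such as the one described in this article can lie about `exe` too, so a clean result from the suspect kernel is weaker evidence than a hit.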

Additional Malware Utilities
The attack chains were also found to use a range of malware and publicly available utilities, including the following:

* STEELHOUND: A variant of the STEELCORGI in-memory dropper that’s used to decrypt an embedded payload and encrypt new binaries
* WINGHOOK: A keylogger for Linux and Unix based operating systems that captures the data in an encoded format
* WINGCRACK: A utility that’s used to parse the encoded content generated by WINGHOOK
* WIPERIGHT: An ELF utility that erases log entries pertaining to a specific user on Linux and Unix based systems
* MIGLOGCLEANER: An ELF utility that wipes logs or removes certain strings from logs on Linux and Unix based systems

The researchers said: "[UNC2891] uses their skill and experience to take full advantage of the decreased visibility and security measures that are often present in Unix and Linux environments."

“While some of the overlaps between UNC2891 and UNC1945 are notable, it is not conclusive enough to attribute the intrusions to a single threat group.”
