A hacking group tracked as UNC2891 is using a new Unix rootkit named Caketap to intercept banking card and PIN verification data from compromised ATM switch servers and carry out unauthorized transactions.
Insights from the report
Mandiant discovered Caketap while investigating the activity of the China-linked hacking group LightBasin, also known as UNC1945. Researchers had previously observed overlaps in techniques, malware, and utilities between UNC2891 and UNC1945.
In the current campaign, the UNC2891 group deploys Caketap on key server infrastructure running Oracle Solaris.
This Caketap variant targets specific messages destined for the Payment Hardware Security Module (HSM).
Capabilities of Caketap
Caketap is capable of operating in stealth mode by hiding network connections, processes, and files and by deleting any trace of its presence.
One of the variants has additional network hooking functionality that intercepts specific messages related to card and PIN verification.
The malware can manipulate card verification messages and replay PIN verification messages, enabling unauthorized cash withdrawals at several banks using fraudulent bank cards.
More about UNC2891
UNC2891 is a financially motivated hacking group that has been operating for several years while remaining largely undetected.
The group has mostly targeted Oracle Solaris-based systems with TINYSHELL and SLAPSTICK backdoors.
It operates with a high degree of OPSEC and leverages both public and private malware (STEELHOUND, STEELCORGI, SUN4ME toolkit, WINGHOOK, and WINGCRACK keyloggers), utilities (BINBASH, WIPERIGHT, and MIGLOGCLEANER), and scripts to remove evidence and hinder response efforts.
Summing Up
Although significant overlaps have been identified between the threat clusters UNC1945 and UNC2891, the evidence is not conclusive enough to attribute the intrusions to a single threat group. UNC2891’s familiarity with Unix and Linux-based systems will help it capitalize on that expertise and perform similar operations for financial gain.