Hidden Backdoor Found in ATM Network via Raspberry Pi

by CybrGPT

A covert attack targeting ATM infrastructure has been observed using a hidden Raspberry Pi device to breach internal bank systems.

The intrusion involved physical access, a rarely seen anti-forensics technique, and malware designed to avoid standard detection methods.

Attackers Gained Physical Access to ATM Network

A threat group identified as UNC2891 physically connected a Raspberry Pi device to a network switch shared with an ATM. Equipped with a 4G modem, the device allowed attackers to remotely access the bank’s internal network over mobile data, completely bypassing perimeter firewalls.

The attackers installed a custom backdoor called TINYSHELL, which established outbound connections via a dynamic DNS domain. This provided persistent external access and allowed the device to communicate continuously with command-and-control (C2) infrastructure.

Forensic analysts from Group-IB detected periodic beaconing every 600 seconds, but no suspicious processes were visible during triage. This led to further investigation of system behavior during idle states.

Malware Masked as Legitimate System Process

Deeper analysis revealed a stealthy malware component masquerading as a legitimate system process.

Two instances of a process named “lightdm” were found running from unusual locations, /tmp/lightdm and /var/snap/.snapd/lightdm. These backdoor processes appeared normal at a glance but were actually establishing connections to the Raspberry Pi and the bank’s internal mail server.

The malware’s concealment relied on a technique now recognized in MITRE ATT&CK as T1564.013. By abusing Linux bind mounts, the attackers hid the backdoor from process listings, making it invisible to most forensic triage tools.


ATM Switching Server and HSM Manipulation Aims

UNC2891 aimed to compromise the ATM switching server in order to deploy a rootkit known as CAKETAP, which was built to spoof authorization responses from hardware security modules and facilitate fraudulent ATM withdrawals.

Although the attackers were ultimately stopped before completing their objective, the investigation revealed several key insights.

They had maintained access through both the Raspberry Pi device and the bank’s mail server, using a dynamic DNS domain to obscure infrastructure changes and avoid disruption.

The network monitoring server, which connected to nearly every system in the data center, served as a crucial pivot point, allowing lateral movement across the internal environment.

Detection and Response Recommendations

Group-IB advised organizations to:

  • Monitor mount and unmount syscalls with tools like auditd or eBPF

  • Alert on /proc/[pid] mounted to tmpfs or external filesystems

  • Block or monitor binaries executed from /tmp or .snapd directories

  • Secure all physical switch ports and ATM-connected infrastructure

  • Capture memory images in addition to disk during incident response
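As an added defender-side illustration of the second recommendation (this is not code from the article or from Group-IB), the check below parses the /proc/self/mountinfo format and flags anything mounted over a /proc/<pid> directory, which is exactly the condition the bind-mount hiding technique creates. The function names and the sample mountinfo lines are constructed for the example.

```python
"""Flag /proc/<pid> directories hidden behind a mount (ATT&CK T1564.013).
Parses the /proc/self/mountinfo format described in proc(5)."""
import re
from dataclasses import dataclass

PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")  # numeric pid dirs only


@dataclass(frozen=True)
class SuspiciousMount:
    pid: int
    mount_point: str
    root: str     # source subtree; "/1" on a proc fs means a bind mount of /proc/1
    fstype: str
    source: str


def unescape(field: str) -> str:
    """mountinfo encodes space, tab, newline and backslash as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def find_proc_overmounts(mountinfo_text: str) -> list[SuspiciousMount]:
    """Return every mount whose mount point lies under /proc/<pid>."""
    hits = []
    for line in mountinfo_text.splitlines():
        if " - " not in line:
            continue
        # id parent maj:min root mount_point opts [optional...] - fstype source superopts
        head, tail = line.split(" - ", 1)
        hf, tf = head.split(), tail.split()
        if len(hf) < 5 or len(tf) < 2:
            continue
        mount_point = unescape(hf[4])
        m = PROC_PID_RE.match(mount_point)
        if m:  # /proc itself and /proc/sys/... never match; only /proc/<digits>
            hits.append(SuspiciousMount(int(m.group(1)), mount_point,
                                        unescape(hf[3]), tf[0], unescape(tf[1])))
    return hits


# Constructed sample: the normal /proc and binfmt_misc mounts, then a tmpfs
# mounted over /proc/4242 and /proc/1 bind-mounted over /proc/4243.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
24 22 0:27 / /proc/sys/fs/binfmt_misc rw,relatime shared:16 - autofs systemd-1 rw,fd=30
97 22 0:52 / /proc/4242 rw,relatime shared:45 - tmpfs tmpfs rw,size=4k
98 22 0:21 /1 /proc/4243 rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
"""
```

On a live host, pass the contents of /proc/self/mountinfo to find_proc_overmounts; an empty result is the expected state, and any hit names the pid whose directory has been covered.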

The case highlights the evolving tactics of financially motivated attackers. The technique showed that physical access, combined with obscure Linux features and memory-resident malware, can undermine even well-defended systems.

