A financially motivated threat actor has been observed deploying a previously unknown rootkit targeting Oracle Solaris systems with the goal of compromising Automatic Teller Machine (ATM) switching networks and carrying out unauthorized cash withdrawals at different banks using fraudulent cards.
Threat intelligence and incident response firm Mandiant is tracking the cluster under the moniker UNC2891, with some of the group’s tactics, techniques, and procedures sharing overlaps with that of another cluster dubbed UNC1945.
The intrusions staged by the actor involve “a high degree of OPSEC and leverage both public and private malware, utilities, and scripts to remove evidence and hinder response efforts,” Mandiant researchers said in a new report published this week.
Even more concerningly, the attacks spanned several years in some cases, during the entirety of which the actor remained undetected by taking advantage of a rootkit called CAKETAP, whic is designed to conceal network connections, processes, and files.
Mandiant, which was able to recover memory forensic data from one of the victimized ATM switch servers, noted that one variant of the kernel rootkit came with specialized features that enabled it to intercept card and PIN verification messages and use the stolen data to perform fraudulent cash withdrawals from ATM terminals.
images from Hacker News