Caketap Rootkit Hits ATMs - Threatwire
Added 2022-03-23 16:15:10 +0000 UTC. By Shannon Morse, ThreatWire
We haven’t heard about a new ATM banking hack in a while, but this one is pretty cool. Mandiant has been following a group called UNC2891, AKA LightBasin, for a couple of years because of its financially motivated attacks, which have repeatedly targeted telecom companies and managed service providers.
LightBasin has a new, previously undiscovered Unix rootkit that is being used to steal ATM data and make fraudulent transactions. The rootkit, dubbed Caketap, infects Oracle Solaris servers, adds connections to an attacker-controlled server, and hides itself by concealing its network connections, files, and processes, then steals banking card and PIN verification data. It watches for messages bound for the Payment Hardware Security Module (HSM) on these systems, a hardware device that manages the cryptographic keys used to verify card data such as the EMV chip, magnetic stripe or PIN.
Caketap intercepts those messages and alters them so that fraudulent card data looks legitimate. Verification data for valid cards is still passed through to the HSM as normal (while also being saved), which keeps the tampering hidden, so it doesn’t raise any red flags.
This allows Caketap to authorize a fraudulent card to withdraw money from an ATM.
Often these machines are built on Linux or Unix systems that rely on security through obscurity. LightBasin takes advantage of this by using easily hidden rootkits to infect machines, sometimes for years before being discovered. Mandiant also mentioned in its reporting that there are similarities between UNC2891 and UNC1945, but it can’t attribute the attacks to a single group. The report also includes indicators of compromise.
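Rootkits like the one described here stay resident for years partly because they filter what process-listing tools can see. A standard defender-side heuristic is a cross-view check: compare the PIDs a directory listing of /proc reports against the PIDs the kernel admits exist when probed with signal 0. The script below is an added illustration for this story, not code from Mandiant’s report or from any published Caketap detection, and it assumes a Linux-style /proc (Solaris has /proc too, but with a different layout, so the thread-ID filter would need adapting). The sample sets passed to hidden_pids in the test are constructed.

```python
"""Cross-view process check: a defender-side heuristic for spotting hidden processes.

Added illustration, not Mandiant's or any vendor's Caketap detection. Assumes a
Linux-style /proc. A rootkit that filters the directory listing of /proc can hide a
process from ps and top, but the kernel still answers kill(pid, 0) for a PID that
exists, so the two views can be compared for disagreement.
"""
import os


def visible_pids_from_proc(proc_root="/proc"):
    """PIDs that a listing tool sees: the numeric directory entries of /proc.
    Returns None when /proc is not available on this platform."""
    if not os.path.isdir(proc_root):
        return None
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def kernel_pid_max(default=65536):
    """Highest PID the kernel will allocate (Linux exposes it under /proc/sys)."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default


def probed_pids(max_pid, min_pid=1):
    """PIDs that exist according to the kernel, found by signal-0 probing
    (no signal is delivered; the call only reports whether the PID exists)."""
    alive = set()
    for pid in range(min_pid, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue          # ESRCH: no such process
        except PermissionError:
            pass              # EPERM: exists but belongs to another user
        alive.add(pid)
    return alive


def hidden_pids(listed, probed):
    """PIDs present in the probe view but absent from the listing view."""
    return sorted(probed - listed)


def is_thread_not_process(pid):
    """On Linux, kill(tid, 0) also succeeds for a thread ID that /proc never lists
    as a top-level entry. Skip those to avoid false positives. An unreadable
    status file is kept as suspicious (returns False)."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return False
    return False


def scan(max_pid=None):
    """Run both views and return the PIDs a listing would not show."""
    listed = visible_pids_from_proc()
    if listed is None:
        return []   # nothing to compare against on this platform
    candidates = hidden_pids(listed, probed_pids(max_pid or kernel_pid_max()))
    return [pid for pid in candidates if not is_thread_not_process(pid)]


def self_test():
    """Sanity check: this very process must appear in both views."""
    me = os.getpid()
    listed = visible_pids_from_proc()
    seen_in_listing = listed is None or me in listed
    return seen_in_listing and me in probed_pids(me, min_pid=me)


if __name__ == "__main__":
    suspicious = scan()
    print("PIDs hidden from /proc listing:", suspicious or "none")
```

Run it as root so EPERM does not mask anything, and treat a non-empty result as a lead, not a verdict: a rootkit that also hooks kill() or the status file will not show up here, which is why this check belongs alongside an offline comparison from a known-good boot medium and the indicators Mandiant published.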
Caketap:
https://www.mandiant.com/resources/unc2891-overview
https://www.mandiant.com/resources/live-off-the-land-an-overview-of-unc1945
https://www.bleepingcomputer.com/news/security/new-unix-rootkit-used-to-steal-atm-banking-data/
https://thehackernews.com/2022/03/hackers-target-bank-networks-with-new.html