Hackers use new rootkits to attack bank ATMs

According to The Hacker News, threat intelligence and incident response company Mandiant discovered that an unknown hacking group deployed a new rootkit targeting Oracle Solaris systems, with the goal of disrupting ATM networks and using fake bank cards for unauthorized withdrawals at different banks.

Mandiant tracks the group under the code name UNC2891 and suspects it is behind the attacks. Some of the group's tactics, techniques, and procedures overlap closely with those of another group called UNC1945.

In a report released last week, Mandiant researchers said the intrusions relied on operational security (OPSEC) and on public and private malware, utilities, and scripts to remove evidence and impede response efforts. More worryingly, in some cases the attacks lasted a long time: the attackers kept network connections, processes, and files hidden for extended periods by using a rootkit called CAKETAP.

The researchers recovered memory forensic data from one of the compromised ATM switch servers and noted that one variant of the kernel rootkit has special features capable of intercepting card and PIN authentication and using the stolen data to withdraw money from ATM terminals. In addition, the rootkit uses two backdoors called SLAPSTICK and TINYSHELL, both attributable to UNC1945, for persistent remote access to mission-critical systems via rlogin, telnet, or SSH, as well as shell execution and file transfer.

“Based on the organization’s familiarity with Unix- and Linux-based systems, UNC2891 often names and configures their TINYSHELL backdoors with values disguised as legitimate services that may be overlooked by investigators, such as systemd (SYSTEMD), name service caching daemons (NCSD), and Linux at daemon (ATD),” the researchers noted.
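A defender-side check for the service-name masquerading described in the quote above, as an added example that comes from neither Mandiant nor The Hacker News. The baseline paths, the `Proc` record, and the sample process list are constructed assumptions to adapt per distribution.

```python
from dataclasses import dataclass

# Assumed baseline (adjust per distribution): service name -> real binary paths.
EXPECTED = {
    "systemd": {"/usr/lib/systemd/systemd", "/lib/systemd/systemd"},
    "nscd": {"/usr/sbin/nscd"},
    "atd": {"/usr/sbin/atd"},
}

@dataclass
class Proc:
    pid: int
    name: str  # process name as listed (a process can set this itself)
    exe: str   # resolved executable path, e.g. from /proc/<pid>/exe

def lookalike(name):
    """Return the baseline service that a process name imitates, or None."""
    n = name.lower()
    for svc in EXPECTED:
        # Same name ignoring case, or same letters reordered (ncsd vs nscd).
        if n == svc or (len(n) == len(svc) and sorted(n) == sorted(svc)):
            return svc
    return None

def audit(procs):
    """Return (pid, reason) for processes that borrow a service name."""
    findings = []
    for p in procs:
        svc = lookalike(p.name)
        if svc is None:
            continue
        if p.name != svc:
            findings.append((p.pid, f"name '{p.name}' imitates '{svc}'"))
        elif p.exe not in EXPECTED[svc]:
            findings.append((p.pid, f"'{svc}' running from {p.exe}"))
    return findings

# Constructed sample data, not taken from the Mandiant report.
SAMPLE = [
    Proc(1, "systemd", "/usr/lib/systemd/systemd"),
    Proc(612, "atd", "/usr/sbin/atd"),
    Proc(2290, "ncsd", "/var/tmp/.cache/ncsd"),
    Proc(2311, "atd", "/dev/shm/atd"),
    Proc(2400, "sshd", "/usr/sbin/sshd"),
]

if __name__ == "__main__":
    for pid, reason in audit(SAMPLE):
        print(pid, reason)
```

Because CAKETAP hides processes on the live system, feed a check like this with a process list recovered from memory forensics rather than the host's own output.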

The attack chain uses a variety of malware and publicly available utilities, including:

  • STEELHOUND – A variant of the STEELCORGI in-memory dropper that’s used to decrypt an embedded payload and encrypt new binaries
  • WINGHOOK – A keylogger for Linux and Unix based operating systems that captures the data in an encoded format
  • WINGCRACK – A utility that’s used to parse the encoded content generated by WINGHOOK
  • WIPERIGHT – An ELF utility that erases log entries pertaining to a specific user on Linux and Unix based systems
  • MIGLOGCLEANER – An ELF utility that wipes logs or removes certain strings from logs on Linux and Unix based systems

“UNC2891, with their skills and experience, was able to take full advantage of flaws in security measures in Unix and Linux system environments,” the researchers said. “Although there are similarities between the two organizations, UNC2891 and UNC1945, the evidence that the intrusion was attributed to the same organization is not conclusive enough.”