(picussecurity.com) UNC2891: Anatomy of a Sophisticated Bank Heist Using CAKETAP Rootkit and Raspberry Pi-Based Attacks

UNC2891, a financially motivated threat group active since 2017, has executed sophisticated attacks on banking infrastructure using custom malware and physical access vectors. Their latest campaign in Q1 2025 involved planting a 4G-enabled Raspberry Pi on a bank’s network switch to bypass perimeter defenses, enabling ATM fraud via Payment HSM manipulation.

In brief - UNC2891 targets financial institutions with advanced Linux/Solaris malware, including the CAKETAP rootkit, to authorize fraudulent ATM withdrawals. A recent attack used a Raspberry Pi for initial access, highlighting evolving physical and digital threats to banking systems.

Technically - UNC2891 employs CAKETAP (Solaris kernel rootkit) to hook system calls like `mkdirat` and `ipcl_get_next_conn`, enabling stealthy C2 and network manipulation. SLAPSTICK (PAM backdoor) captures credentials, while TINYSHELL (backdoor) communicates over raw TCP (ports 53/443). Tools like WINGHOOK (keylogger) and STEELHOUND (in-memory dropper) facilitate credential harvesting and payload execution. The CAKETAP variant on ATM switches bypasses card/PIN verification by replaying HSM responses.

Source: https://www.picussecurity.com/resource/blog/unc2891-bank-heist-explained-caketap-rootkit-and-raspberry-pi-attack

#Cybersecurity #ThreatIntel

@orlysec Physical implant + Solaris rootkit :O