
Uncovered Secret Access Point in ATM Infrastructure Exploited through Raspberry Pi Device

Undercover ATM Break-in Utilizes Raspberry Pi, Installing Furtive Malware and Advanced Anti-Investigation Strategies in Bank Systems


In a chilling demonstration of the evolving tactics employed by financially motivated attackers, a recent breach at a major financial institution has shed light on the sophisticated methods used by the North Korean-linked group UNC2891.

The malware, identified as TINYSHELL, employed a concealment technique catalogued in MITRE ATT&CK as T1564.013, abusing Linux bind mounts to hide the backdoor from process listings. This strategy allowed the attackers to maintain access not only through the Raspberry Pi device but also through the bank's mail server.

The Raspberry Pi device, equipped with a 4G modem, was physically connected to a network switch shared with an ATM. This connection enabled the attackers to reach the bank's internal network remotely over mobile data. To obscure changes to their infrastructure and avoid losing access when it changed, they pointed the implant at a dynamic DNS domain.

Deeper analysis revealed a stealthy malware component masquerading as the legitimate system process "lightdm". Two instances of this disguised process were found running from unusual locations, /tmp/lightdm and /var/snap/.snapd/lightdm. Despite periodic beaconing every 600 seconds, no suspicious processes were detected during initial triage, because the bind-mount trick kept them out of the process listings investigators relied on.

Forensic analysts found that these backdoor processes were establishing connections to the Raspberry Pi and the bank's internal mail server. The network monitoring server, connecting to nearly every system in the data center, served as a crucial pivot point for lateral movement across the internal environment.

The attackers installed the custom TINYSHELL backdoor, which provided persistent external access to the device. This backdoor established outbound connections via the dynamic DNS domain, allowing continuous communication with command-and-control (C2) infrastructure.

The case underscores the potential danger posed by physical access, combined with obscure Linux features and memory-resident malware, to undermine well-defended systems. In response, cybersecurity firm Group-IB recommended several precautions, including monitoring mount and unmount syscalls, alerting on /proc/[pid] mounted to tmpfs or external filesystems, blocking or monitoring binaries executed from /tmp or .snapd directories, securing physical switch ports, and capturing memory images during incident response.
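As an added defender-side example (not code from the original report or from Group-IB), the following Python script implements the /proc/[pid] mount check recommended above: it parses the /proc/self/mountinfo format (here a constructed sample) and flags any filesystem mounted over a per-process directory, rating tmpfs or other non-procfs overlays as the most suspicious. The sample PIDs and mount IDs are invented.

```python
import re

# Constructed sample of /proc/self/mountinfo; the last two lines model an attacker
# overlaying per-PID directories (a tmpfs and a bind mount of another PID's procfs dir).
SAMPLE_MOUNTINFO = """\
22 27 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
27 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
28 27 0:24 / /tmp rw,nosuid,nodev shared:15 - tmpfs tmpfs rw
91 22 0:24 /.hidden /proc/4242 rw,nosuid,nodev shared:15 - tmpfs tmpfs rw
92 22 0:21 /1 /proc/99999 rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
"""

# Mount points of the form /proc/<pid> or anything beneath them.
PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")


def parse_mountinfo(text):
    """Parse mountinfo lines into dicts with mount point, fstype and source."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Fields before " - " are fixed plus optional tags; after it: fstype, source, options.
        pre, _, post = line.partition(" - ")
        pre_fields, post_fields = pre.split(), post.split()
        if len(pre_fields) < 6 or len(post_fields) < 2:
            continue  # malformed line, skip rather than crash during triage
        entries.append({"mount_id": pre_fields[0], "mount_point": pre_fields[4],
                        "fstype": post_fields[0], "source": post_fields[1]})
    return entries


def find_proc_pid_overlays(entries):
    """Return findings for every mount sitting on a /proc/<pid> path.

    Nothing is normally mounted over a per-PID directory, so any hit is worth
    investigating; a tmpfs or other non-procfs overlay is the strongest signal.
    """
    findings = []
    for e in entries:
        m = PROC_PID_RE.match(e["mount_point"])
        if not m:
            continue
        severity = "high" if e["fstype"] != "proc" else "medium"
        findings.append({"pid": int(m.group(1)), "mount_point": e["mount_point"],
                         "fstype": e["fstype"], "source": e["source"], "severity": severity})
    return findings


if __name__ == "__main__":
    # On a live Linux host, read the real table; fall back to the constructed sample elsewhere.
    try:
        with open("/proc/self/mountinfo") as fh:
            data = fh.read()
    except OSError:
        data = SAMPLE_MOUNTINFO
    for f in find_proc_pid_overlays(parse_mountinfo(data)):
        print(f"[{f['severity']}] pid {f['pid']}: {f['fstype']} ({f['source']}) on {f['mount_point']}")
```

Run it periodically or from a collector alongside mount/umount syscall auditing; the script is a point-in-time check and will not see a mount that was already removed.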

As financial institutions continue to fortify their digital defences, it is crucial to remain vigilant against the evolving tactics of sophisticated attackers like UNC2891.
