UNC2891 Threat Actors Hacked ATM Networks Using 4G Raspberry Pi Device

A financially motivated threat group known as UNC2891 orchestrated a sophisticated attack on banking infrastructure by physically installing a 4G-equipped Raspberry Pi device directly into an ATM network, security researchers from Group-IB revealed this week.

The campaign represents a rare instance of cybercriminals combining physical access with advanced anti-forensics techniques to target critical financial systems.

The attack, which was ultimately thwarted before completion, demonstrated how threat actors are evolving beyond traditional digital infiltration methods to exploit physical vulnerabilities in banking networks.

Investigators discovered the Raspberry Pi connected directly to the same network switch as an ATM, effectively placing the device within the bank’s internal network perimeter.

Physical Backdoor Establishes Persistent Access

The attackers equipped the Raspberry Pi with a 4G modem, enabling remote command-and-control operations through mobile data connections that completely bypassed traditional perimeter firewalls and network defenses.

Using a custom backdoor called TINYSHELL, the device established outbound communication channels via Dynamic DNS domains, providing continuous external access to the compromised network.

“This device was connected directly to the same network switch as the ATM, effectively placing it inside the bank’s internal network,” Group-IB researchers noted in their analysis. The setup enabled the attackers to maintain persistent access while avoiding detection through conventional network monitoring systems.

Perhaps most significantly, the investigation revealed UNC2891’s use of a previously undocumented anti-forensics technique involving Linux bind mounts to hide malicious processes from detection tools.

This method has since been officially recognized by MITRE and cataloged in the ATT&CK framework as technique T1564.013 (Hide Artifacts: Bind Mounts).

The attackers deployed backdoors masquerading as legitimate system processes named “lightdm,” mimicking the standard LightDM display manager found on Linux systems.

However, these malicious binaries were located in unusual directories including /tmp/lightdm and /var/snap/.snapd/lightdm, with command-line arguments designed to appear legitimate.

Standard forensic triage tools failed to detect these processes because the threat actors used bind mounts to overlay the /proc directories of the malicious processes with those of benign ones, so any tool that enumerated processes by reading /proc saw only the harmless entries, effectively rendering the backdoors invisible to conventional analysis methods.

The ultimate objective of UNC2891’s campaign was to deploy CAKETAP, a sophisticated rootkit designed to manipulate Hardware Security Module (HSM) responses and facilitate fraudulent ATM cash withdrawals.

The malware was engineered to intercept card and PIN verification messages, enabling unauthorized transactions while maintaining the appearance of normal operations.

The attack highlighted critical gaps in traditional forensic approaches. Initial triage failed to reveal the backdoors because they were hidden during system idle states, requiring memory forensics and continuous network monitoring to uncover the malicious activity.

Security experts now recommend implementing several defensive measures: monitoring mount and umount system calls via tools like auditd or eBPF, alerting on unusual /proc/[pid] mounts, blocking executions from temporary directories, securing physical network infrastructure, and incorporating memory analysis in incident response procedures.
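As an added example (not code from Group-IB's report), the following Python scan implements the "alert on unusual /proc/[pid] mounts" check by parsing the mountinfo table and flagging any mount whose mount point sits inside a /proc/<pid> subtree; when the entry is itself a proc-type bind mount, it also reports which process's entry was mounted on top. The embedded mountinfo sample is constructed, and the field layout assumed is that of Linux /proc/self/mountinfo.

```python
import re

# Constructed sample of /proc/self/mountinfo (not real evidence): a normal
# /proc mount, then /proc/1234 bind-mounted over /proc/4321 to hide PID 4321.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
23 22 0:21 /1234 /proc/4321 rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
31 28 0:27 / /tmp rw,nosuid,nodev shared:18 - tmpfs tmpfs rw
"""

PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")  # mount point inside /proc/<pid>
ROOT_PID_RE = re.compile(r"^/(\d+)(?:/|$)")       # bind-mount root naming another pid

def _unescape(field):
    # mountinfo encodes space, tab, newline and backslash as \NNN octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    # Fields before " - " are fixed; after it come fstype, source and options.
    entries = []
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        a, b = pre.split(), post.split()
        if not sep or len(a) < 6 or len(b) < 2:
            continue  # blank or malformed line
        entries.append({"mount_id": int(a[0]), "parent_id": int(a[1]),
                        "root": _unescape(a[3]), "mount_point": _unescape(a[4]),
                        "fstype": b[0], "source": b[1]})
    return entries

def find_proc_overlays(entries):
    # Any mount placed on a /proc/<pid> subtree is suspect; a proc-type entry
    # whose root is "/<pid>" means another process's entry was bound over it.
    findings = []
    for e in entries:
        m = PROC_PID_RE.match(e["mount_point"])
        if not m:
            continue
        src = ROOT_PID_RE.match(e["root"]) if e["fstype"] == "proc" else None
        findings.append({"hidden_pid": int(m.group(1)),
                         "overlay_pid": int(src.group(1)) if src else None,
                         "mount_point": e["mount_point"], "fstype": e["fstype"]})
    return findings

def scan(text=None):
    # With no argument, read the live mount table of the host being triaged.
    if text is None:
        with open("/proc/self/mountinfo") as fh:
            text = fh.read()
    return find_proc_overlays(parse_mountinfo(text))
```

A non-empty result from `scan()` on a live host is a trigger for the memory-forensics step the article recommends, since the hidden PID's own /proc entry can no longer be trusted.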
