- Hackers installed a 4G-enabled Raspberry Pi inside a bank's ATM network switch to gain network access
- The device was disguised and communicated every 600 seconds, avoiding typical detection systems
- The malware used fake Linux process names and hidden directories to blend in with legitimate system activity
A criminal group recently attempted an unusual and sophisticated intrusion into a bank's ATM infrastructure using a 4G-enabled Raspberry Pi.
A Group-IB report revealed that the device was covertly installed on a network switch used by the ATM system, placing it inside the bank's internal environment.
The group behind the operation, UNC2891, exploited this physical access point to bypass the digital perimeter's defenses entirely, illustrating how a physical compromise can still defeat software-based protections.
Exploiting physical access to bypass digital defenses
The Raspberry Pi served as a covert entry point with remote connectivity through its 4G modem, which gave the attackers persistent access and control from outside the institution's network without triggering typical firewall or endpoint alerts.
“One of the most unusual elements of this case was the use of physical access by the attacker to install a Raspberry Pi device,” wrote Nam Le Phuong, digital forensics and incident response specialist at Group-IB.
“This device was connected directly to the same network switch as the ATM, effectively placing it within the Bank’s internal network.”
Using mobile data, the attackers maintained a low-profile presence while deploying custom malware and beginning lateral movement within the bank's infrastructure.
One tool in particular, a backdoor known as TinyShell, was used to control network communications, allowing data to move unnoticed across multiple internal systems.
Forensics later revealed that UNC2891 used a layered approach to obfuscation.
The malware processes were named “lightdm”, mimicking a legitimate Linux system process.
These backdoors ran from atypical directories such as /tmp, helping them blend in with benign system functions.
In addition, the group used a technique known as Linux bind mounts to hide process metadata from forensic tools, a method that had not previously been seen in active attacks.
Since then, this technique has been classified in the MITRE ATT&CK framework due to its potential to evade conventional detection.
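The two hiding tricks described above (a process masquerading as “lightdm” while running from /tmp, and a bind mount placed over its /proc/&lt;pid&gt; directory) both leave traces a defender can check for. The following is an added example, not code from the article or from Group-IB; it runs the checks over a constructed mountinfo sample and a constructed process table rather than a live system, and the PIDs, paths and device names are made up.

```python
import re

# Nothing legitimate mounts anything under /proc/<pid>; a bind mount there
# covers the real process metadata that forensic tools read from /proc.
PROC_PID_MOUNT = re.compile(r"^/proc/(\d+)(?:/|$)")
# World-writable staging directories that real system daemons do not run from.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed /proc/self/mountinfo sample (format per proc(5)): two normal
# mounts and one bind mount of /tmp/.x placed over /proc/4242.
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
25 22 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
88 25 8:1 /tmp/.x /proc/4242 rw,relatime - ext4 /dev/sda1 rw
"""

# Constructed process table: (pid, comm, resolved /proc/<pid>/exe target).
# PID 911 is the genuine display manager; PID 4242 only borrows its name.
SAMPLE_PROCS = [
    (1, "systemd", "/usr/lib/systemd/systemd"),
    (911, "lightdm", "/usr/sbin/lightdm"),
    (4242, "lightdm", "/tmp/.x/lightdm"),
]


def hidden_pids_from_mountinfo(text: str) -> list[int]:
    """Return PIDs whose /proc/<pid> directory is covered by a mount."""
    pids = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        match = PROC_PID_MOUNT.match(fields[4])  # field 5 is the mount point
        if match:
            pids.append(int(match.group(1)))
    return pids


def masquerading_procs(procs) -> list[tuple[int, str, str]]:
    """Return processes whose executable lives in a temp directory."""
    return [p for p in procs if p[2].startswith(SUSPICIOUS_DIRS)]


def flagged_pids(mountinfo: str, procs) -> set[int]:
    """Union of both checks: one hit from either is worth triage."""
    hidden = set(hidden_pids_from_mountinfo(mountinfo))
    return hidden | {pid for pid, _, _ in masquerading_procs(procs)}
```

On a real host the same functions would be fed the contents of /proc/self/mountinfo and the (pid, comm, readlink of /proc/pid/exe) triples, ideally from a trusted live-response toolkit rather than the possibly tampered ps binary.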
The researchers discovered that the bank's monitoring server was silently communicating with the Raspberry Pi every 600 seconds, network behavior subtle enough that it did not immediately stand out as malicious.
However, deeper memory analysis revealed the deceptive nature of the processes, and that these communications extended to an internal mail server with persistent Internet access.
Even after the physical implant was removed, the attackers retained access through this secondary vector, showing a calculated strategy to guarantee continuity.
Ultimately, the objective was to compromise the ATM switching server and deploy the custom CAKETAP rootkit, which can manipulate hardware security modules to authorize illegitimate transactions.
Such tactics would allow fraudulent cash withdrawals while appearing legitimate to the bank's systems.
Fortunately, the intrusion was stopped before this phase could be executed.
This incident highlights the risks associated with the growing convergence of physical access tactics and advanced anti-forensic techniques.
It also shows that, beyond remote hacking, insider threats or physical tampering can facilitate identity theft and financial fraud.