
Hackers plant 4G-enabled Raspberry Pi in bank network

    “One of the most unusual elements of this case was the use of physical access by the attacker to install a Raspberry Pi device,” wrote Group-IB Senior Digital Forensics and Incident Response Specialist Nam Le Phuong. “This device was connected directly to the same network switch as the ATM, effectively placing it inside the bank's internal network. The Raspberry Pi was equipped with a 4G modem, allowing remote access over mobile data.”

    To maintain persistence, UNC2891 also compromised a mail server because it had constant Internet connectivity. The Raspberry Pi and the mail server backdoor would then communicate using the bank's network monitoring server as an intermediary. The monitoring server was chosen because it had access to nearly every server within the data center.

    The network monitor server as an intermediary between the Raspberry Pi and the mail server.

    Credit: Group-IB


    When Group-IB initially investigated the bank's network, researchers observed unusual behavior on the monitoring server, including an outgoing beacon every 10 minutes and repeated connection attempts to an unknown device. The researchers then used a forensic triage tool to analyze the communication. The tool identified the endpoints as a Raspberry Pi and the mail server, but it could not identify the process names responsible for the beacons.
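    The 10-minute beacon was the first visible anomaly. The following is an added example (not code from the original article or from Group-IB) of how that regularity can be surfaced from ordinary connection logs before any process attribution is attempted: group connections by (source, destination, port) and flag flows whose inter-connection intervals are nearly constant. The log lines, hosts and ports are constructed for the example; the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed connection records (timestamp, src, dst, dport); not from the
# Group-IB investigation. The 10.10.5.20 -> 10.10.9.7:443 flow repeats every
# ~600 s, modelling the 10-minute beacon seen on the monitoring server; the
# LDAP rows are ordinary, irregular traffic.
LOG = """\
2025-03-02T08:00:03Z 10.10.5.20 10.10.9.7 443
2025-03-02T08:00:41Z 10.10.5.20 10.10.1.15 389
2025-03-02T08:10:04Z 10.10.5.20 10.10.9.7 443
2025-03-02T08:12:17Z 10.10.5.20 10.10.1.15 389
2025-03-02T08:20:02Z 10.10.5.20 10.10.9.7 443
2025-03-02T08:30:05Z 10.10.5.20 10.10.9.7 443
2025-03-02T08:33:50Z 10.10.5.20 10.10.1.15 389
2025-03-02T08:40:03Z 10.10.5.20 10.10.9.7 443
2025-03-02T08:50:04Z 10.10.5.20 10.10.9.7 443
"""


def parse_flows(log):
    """Group connection timestamps (epoch seconds) by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        t = t.replace(tzinfo=timezone.utc).timestamp()
        flows[(src, dst, int(dport))].append(t)
    return flows


def beacon_candidates(log, min_conns=5, max_jitter_ratio=0.05):
    """Return {flow: period_seconds} for flows whose gaps are nearly constant.

    A beacon fires on a timer, so the standard deviation of its inter-arrival
    gaps is small relative to the mean gap. Interactive or batch traffic has
    wide, irregular gaps and is not flagged. min_conns avoids flagging a
    flow on two or three coincidentally spaced connections.
    """
    out = {}
    for key, times in parse_flows(log).items():
        times.sort()
        if len(times) < min_conns:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        if mu > 0 and pstdev(gaps) / mu <= max_jitter_ratio:
            out[key] = round(mu)
    return out


if __name__ == "__main__":
    for (src, dst, dport), period in beacon_candidates(LOG).items():
        print(f"beacon candidate: {src} -> {dst}:{dport} every ~{period}s")
```

    On the constructed data the only hit is the 443 flow with a period of about 600 seconds; the LDAP flow has too few connections and irregular spacing. In a real investigation the input would be firewall, NetFlow or Zeek conn logs, and a flagged flow is a starting point for host forensics, not proof of compromise on its own.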

    The forensic triage tool cannot collect the relevant process name or ID that is linked to the socket.

    Credit: Group-IB


    The researchers then captured system memory while the beacons were being sent. Analysis of the image identified the process as lightdm, a process associated with the open source LightDM display manager. The process appeared legitimate, but the researchers considered it suspicious because the lightdm binary was installed in an unusual location. On further investigation, the researchers found that the custom backdoor's processes had been deliberately disguised in an attempt to throw investigators off the scent.

    Phuong explained:

    The backdoor process is deliberately obscured by the threat actor using process masquerading. Specifically, the binary is named “lightdm,” mimicking the legitimate LightDM display manager commonly found on Linux systems. To further the deception, the process is executed with command-line arguments resembling legitimate parameters, for example `lightdm --session child 11 19`, in an attempt to evade detection and mislead forensic analysts during post-compromise investigation.

    These backdoors actively initiated connections to both the Raspberry Pi and the internal mail server.

    As noted earlier, the processes were hidden using Linux bind mounts: mounting another process's /proc/<pid> directory over the backdoor's own /proc entry means that any tool reading /proc to map a socket back to its owning process (as the triage tool did) sees the decoy process instead. After that discovery, Group-IB had the technique added to the MITRE ATT&CK framework as “T1564.013 Hide Artifacts: Bind Mounts.”
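    Two checks follow directly from the masquerading and bind-mount details above: a mount whose mount point sits inside /proc/<pid> is never something a normal system does, and a process claiming to be lightdm should be backed by the distribution's lightdm binary. The block below is an added example (not code from the article or from Group-IB) that parses a /proc/self/mountinfo excerpt for mounts covering /proc/<pid> and checks a small process table for name/path mismatches. The mountinfo lines, PIDs, the process table and the allowed lightdm paths (/usr/sbin/lightdm on Debian-derived systems, /usr/bin/lightdm on others) are constructed or assumed for the example; the page does not describe the exact mount layout the attackers used.

```python
import os
import re
from dataclasses import dataclass

# Constructed /proc/self/mountinfo excerpt (not from the Group-IB report).
# The last line models the technique: /proc/4201 (a real lightdm process)
# bind-mounted over /proc/5139 (the backdoor), so /proc/5139/cmdline,
# /proc/5139/exe and /proc/5139/fd all show the decoy's contents.
MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
23 28 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
37 22 0:21 /4201 /proc/5139 rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
"""

# Constructed process table: (pid, cmdline, resolved /proc/<pid>/exe), as a
# memory image or an un-overlaid /proc would show it. The second entry copies
# the argument pattern quoted by Group-IB; the path is an assumed example.
PROCS = [
    (4201, "lightdm --session-child 12 19", "/usr/sbin/lightdm"),
    (5139, "lightdm --session child 11 19", "/tmp/.X11-unix/lightdm"),
]

# Assumed allowlist of where the real binary lives; extend per distribution.
EXPECTED_EXE = {"lightdm": {"/usr/sbin/lightdm", "/usr/bin/lightdm"}}

PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")


@dataclass(frozen=True)
class ProcOverlay:
    hidden_pid: int   # /proc/<pid> directory that has been covered
    decoy_root: str   # path inside the source filesystem now shown there
    fstype: str
    source: str


def _unescape(path):
    # mountinfo octal-escapes space, tab, newline and backslash (e.g. \040).
    return re.sub(r"\\(\d{3})", lambda m: chr(int(m.group(1), 8)), path)


def find_proc_overlays(mountinfo):
    """Return every mount whose mount point lies inside /proc/<pid>.

    Fields per proc(5): id parent major:minor root mountpoint options
    [optional fields...] - fstype source superoptions.  The optional
    fields are variable-length, so split on the ' - ' separator first.
    """
    overlays = []
    for line in mountinfo.splitlines():
        if not line.strip():
            continue
        pre, sep, post = line.partition(" - ")
        pre_fields, post_fields = pre.split(), post.split()
        if not sep or len(pre_fields) < 6 or len(post_fields) < 2:
            continue
        root, mountpoint = pre_fields[3], _unescape(pre_fields[4])
        m = PROC_PID_RE.match(mountpoint)
        if m:
            overlays.append(ProcOverlay(int(m.group(1)), root,
                                        post_fields[0], post_fields[1]))
    return overlays


def masquerading_pids(procs, expected=EXPECTED_EXE):
    """PIDs whose argv[0] names a known daemon but whose exe is elsewhere."""
    hits = []
    for pid, cmdline, exe in procs:
        name = os.path.basename(cmdline.split()[0]) if cmdline.strip() else ""
        allowed = expected.get(name)
        if allowed is not None and exe not in allowed:
            hits.append(pid)
    return hits


if __name__ == "__main__":
    for ov in find_proc_overlays(MOUNTINFO):
        print(f"/proc/{ov.hidden_pid} is covered by {ov.fstype}:{ov.decoy_root}")
    for pid in masquerading_pids(PROCS):
        print(f"pid {pid}: name/exe mismatch")
```

    On a live host the same parser can be pointed at the real /proc/self/mountinfo (or `findmnt` output); any overlay it reports should be unmounted with `umount /proc/<pid>` before socket-to-process mapping is trusted. The exe check is a memory-forensics style comparison and is only meaningful on data that did not itself pass through the overlaid /proc entry.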

    Group-IB did not say where the compromised switch was located or how the attackers managed to plant the Raspberry Pi. The attack was detected and shut down before UNC2891 could achieve its ultimate goal of infecting the ATM switching network with the Caketap rootkit.