While examining the activities of the LightBasin cybercrime gang, researchers from Mandiant has identified a new Unix rootkit called Caketap, which is used to steal ATM banking data (aka UNC1945).
CrowdStrike researchers says, the China-linked cyber outfit has been operating since 2016, and it employs a sophisticated toolkit. Since 2019, at least 13 telecommunication firms have been hacked by the gang.
Mandiant, is tracking the cluster as UNC2891, with some of its TTP overlapping with another cluster known as UNC1945 involving malware to act sophisticated clearing the tracks.
Mandiant says, one variant of the kernel rootkit had specialized features that enabled it to intercept card and PIN verification messages and use the stolen data to perform fraudulent cash withdrawals from ATM terminals.
UNC2891 often named and configured their TINYSHELL backdoors with values that masqueraded as legitimate services that might be overlooked by investigators, such as systemd (SYSTEMD), name service cache daemon (NCSD), and the Linux at daemon (ATD).
The attack chains use different malware and publicly-available utilities, such as–
- STEELHOUND – A variant of the STEELCORGI in-memory dropper that decrypts an embedded payload and encrypts new binaries
- WINGHOOK – A keylogger for Unix and Linux operating systems that collect data in an encoded manner.
- WINGCRACK – A utility used to parse the encoded data generated by WINGHOOK
- WIPERIGHT – On Linux and Unix-based systems, an ELF utility that deletes log entries about a specific user.
- MIGLOGCLEANER- An ELF utility for Linux and Unix platforms that deletes logs or wipes certain strings from logs.
UNC2891uses their skill and experience to take full advantage of the decreased visibility and security measures that are often present in Unix and Linux environments. While some of the overlaps between UNC2891 and UNC1945 are notable, it is not conclusive enough to attribute the intrusions to a single threat group.