{"id":18564,"date":"2022-03-22T14:10:04","date_gmt":"2022-03-22T22:10:04","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/03\/22\/news-12297\/"},"modified":"2022-03-22T14:10:04","modified_gmt":"2022-03-22T22:10:04","slug":"news-12297","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/03\/22\/news-12297\/","title":{"rendered":"A new rootkit comes to an ATM near you"},"content":{"rendered":"<p><strong>Credit to Author: Jovi Umawing| Date: Tue, 22 Mar 2022 21:24:19 +0000<\/strong><\/p>\n<p>It&#8217;s not unusual to hear about malware created to affect automated teller machines (ATMs). <a href=\"https:\/\/blog.malwarebytes.com\/101\/2019\/08\/atm-attacks-and-fraud-part-2\/\">Malware can be planted<\/a> at the ATM&#8217;s PC or its network, or attackers could launch a <a href=\"https:\/\/blog.malwarebytes.com\/glossary\/man-in-the-middle-mitm\/\">Man-in-the-Middle (MiTM)<\/a> attack. <\/p>\n<p>Recently, <a href=\"https:\/\/www.mandiant.com\/resources\/unc2891-overview\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">a new rootkit<\/a>, which the Mandiant Advanced Practices team have named CAKETAP, was found targeting Oracle Solaris systems running on ATM switch servers. This rootkit is a Unix kernel module that performs several malicious tasks to aid attackers\u2014Mandiant tracks it as UNC2891 (aka LightBasin)\u2014in conducting fraudulent ATM transactions.<\/p>\n<p>CAKETAP has an impressive list of stealth capabilities to hide its presence and activities. It hides network connections, processes, and files. It removes itself from a list of loaded modules on execution and updates data in the <code>last_module_id<\/code> function to reflect data from a previously loaded module.<\/p>\n<p>This rootkit can conduct fraudulent bank transactions by intercepting specific messages\u2014card and PIN verification messages\u2014sent to the ATM system&#8217;s Payment Hardware Security Module (HSM). 
Banks use this tamper- and intrusion-proof hardware component to generate, manage, and validate cryptographic keys for PINs, magnetic stripes, and EMV chips. When threat actors use a fraudulent card on an affected ATM, CAKETAP alters card verification messages to disable card verification. This, in turn, creates a valid response from the HSM.<\/p>\n<p>On the other hand, when a regular ATM user uses a valid card on an affected ATM, CAKETAP stores the verification message from a valid transaction, which essentially says that the card is not fraudulent, and forwards it to the HSM, allowing for routine transactions to continue uninterrupted. CAKETAP later re-sends this stored verification message to the HSM to trick it into allowing a fraudulent transaction.<\/p>\n<p>&#8220;Based on Mandiant\u2019s investigation findings, we believe that CAKETAP was leveraged by UNC2891 as part of a larger operation to successfully use fraudulent bank cards to perform unauthorized cash withdrawals from ATM terminals at several banks,&#8221; Mandiant security researchers said in the report.<\/p>\n<p>UNC2891 (aka LightBasin) is financially motivated and uses an arsenal of tools in its ATM attack campaigns, including two backdoors called TINYSHELL and SLAPSTICK; two decryptors called STEELCORGI and STEELHOUND; a network reconnaissance toolkit named SUN4ME; two keyloggers called WINGHOOK and WINGCRACK; and utilities named BINBASH, WIPERIGHT, and MIGLOCLEANER.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" data-attachment-id=\"55229\" data-permalink=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2022\/03\/a-new-rootkit-comes-to-an-atm-near-you\/attachment\/mandiant-unc2891\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/03\/mandiant-unc2891.png\" data-orig-size=\"1402,1420\" data-comments-opened=\"0\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"mandiant-unc2891\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/03\/mandiant-unc2891-296x300.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/03\/mandiant-unc2891-592x600.png\" loading=\"lazy\" width=\"592\" height=\"600\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/03\/mandiant-unc2891-592x600.png\" alt=\"\" class=\"wp-image-55229\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/03\/mandiant-unc2891-592x600.png 592w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/03\/mandiant-unc2891-296x300.png 296w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/03\/mandiant-unc2891.png 1402w\" sizes=\"auto, (max-width: 592px) 100vw, 592px\" \/><figcaption>Diagram of UNC2891&#8217;s tools in use in an ATM attack (Source: Mandiant)<\/figcaption><\/figure>\n<\/div>\n<p>Mandiant has noted that, although LightBasin and another threat actor <a href=\"https:\/\/www.mandiant.com\/resources\/live-off-the-land-an-overview-of-unc1945\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">UNC1945<\/a> have overlapping operational tactics, they cannot readily conclude that they are the same. 
&#8220;For example, it is possible that significant portions of UNC2891 and UNC1945 activity are carried out by an entity that is a common resource to multiple threat actors, which could explain the perceived difference in intrusion objectives\u2014a common malware developer or an intrusion partner, for example,&#8221; the report concludes.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2022\/03\/a-new-rootkit-comes-to-an-atm-near-you\/\">A new rootkit comes to an ATM near you<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2022\/03\/a-new-rootkit-comes-to-an-atm-near-you\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Jovi Umawing| Date: Tue, 22 Mar 2022 21:24:19 +0000<\/strong><\/p>\n<p>CAKETAP is a new rootkit that can run on ATM switch servers\u2014and it&#8217;s not alone in its ATM attacks.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2022\/03\/a-new-rootkit-comes-to-an-atm-near-you\/\">A new rootkit comes to an ATM near you<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10669,22541,25458,25459,25460,4503,25461,25462,11002,25463,25464,25465,25466,25467,25468,25469,25470,25471,25472],"class_list":["post-18564","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-atm-fraud","tag-atm-malware","tag-atm-rootkit","tag-binbash","tag-caketap","tag-cybercrime","tag-lightbasin","tag-miglocleaner","tag-rootkit","tag-slapstick","tag-steelcorgi","tag-steelhound","tag-sun4me","tag-tinyshell","tag-unc1945","tag-unc2891","tag-wingcrack","tag-winghook","tag-wiperight"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18564","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18564"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18564\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18564"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18564"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18564"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}