Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
ATMs targeted! Cybersecurity experts reveal an attack campaign targeting ATMs.

Redazione RHC : 23 November 2025 09:38

Group-IB experts presented a detailed analysis of the long-running UNC2891 campaign, which demonstrated the continuing sophistication of ATM attack schemes.

Attention focused on the Raspberry Pi, which the attackers used to access the infrastructure of two Indonesian banks. However, it emerged that the physical intrusion into the ATM was only part of a larger criminal operation, designed to control the entire process, from host compromise to cash withdrawal, through a network of proxies.

According to Group-IB, UNC2891 conducted three separate intrusions: against one bank in February 2022, against another in November 2023, and then back to the first in July 2024.

The same STEELCORGI packer was used in all cases, which allowed the incidents to be linked. During the first intrusion, the attackers gained control of over 30 systems, securing a long-term presence in the organization's infrastructure.

The report shows that the technical intrusion was only part of the overall plan. The group actively recruited proxies (cash-out mules) to withdraw funds by posting ads on search engines and in anonymous channels. Delivery of the cloned-card equipment was arranged through email services, and the withdrawal process was directed remotely, via TeamViewer or voice instructions from coordinators.

The key element of the attack toolkit was the CAKETAP malware module, a rootkit that intercepted and modified messages within the ATM transaction logic in order to bypass PIN verification. CAKETAP also tampered with the ARQC verification responses returned by the bank's HSM hardware security modules, so that counterfeit cards were accepted as if they were legitimate. Combined with the active use of physical access, this allowed the group to operate virtually undetected.

A set of custom-developed programs ensured a persistent presence within the infrastructure: TINYSHELL created hidden connections to the C&C server via dynamic DNS; SLAPSTICK harvested credentials through a previously implanted PAM library; SUN4ME mapped the internal network and identified hosts of interest; and alternative communication channels were provided via DNS tunneling, OpenVPN connections, and encrypted HTTPS.

To conceal their presence, the LOGBLEACH and MIGLOGCLEANER tools were used to remove traces from the logs. Additional init scripts and systemd service files activated backdoors after reboots. The visibility of malicious modules was reduced by masking them with common system names and using /proc mounting techniques, which hindered their analysis.
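As an added defensive example (not from Group-IB's report or this article), the following Python script flags the /proc over-mounting technique described above by scanning the mount table for any filesystem mounted on top of a /proc/<pid> directory; the sample mount table embedded below is constructed.

```python
import re
from typing import Dict, List

# Constructed sample of /proc/mounts output (not taken from the report). The
# third line shows a filesystem mounted over /proc/4242, which makes ps, top
# and similar tools read the wrong metadata for PID 4242.
SAMPLE_PROC_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda1 /proc/4242 ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""

# Matches a mount point at or below /proc/<pid>.
PID_MOUNT = re.compile(r"^/proc/(\d+)(?:/|$)")


def unescape_mount_field(field: str) -> str:
    """Undo the \\ooo octal escapes the kernel uses for spaces etc. in /proc/mounts."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def find_proc_overmounts(mounts_text: str) -> List[Dict[str, str]]:
    """Return every mount whose mount point hides a /proc/<pid> directory.

    A healthy system has no filesystem mounted inside a process directory,
    so any hit is worth investigating: that PID's /proc entry is being masked.
    """
    hits = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip it
        source, mount_point, fstype = (unescape_mount_field(p) for p in parts[:3])
        match = PID_MOUNT.match(mount_point)
        if match:
            hits.append({"pid": match.group(1), "mount_point": mount_point,
                         "source": source, "fstype": fstype})
    return hits


if __name__ == "__main__":
    # When run directly, check the live system instead of the sample.
    with open("/proc/mounts", encoding="utf-8") as fh:
        for hit in find_proc_overmounts(fh.read()):
            print(f"PID {hit['pid']} overmounted at {hit['mount_point']} "
                  f"({hit['source']}, {hit['fstype']})")
```

On a Linux host this can be scheduled as a periodic check; a hit should be correlated with the process list and with recently created init scripts or systemd units.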

Group-IB links all three episodes via identical cryptographic keys embedded in STEELCORGI. The recurrence of these key artifacts across different periods points to a single team operating for several years, equipped with the resources needed for infrastructure maintenance, logistics, and remote management of the frontline cash-out network.

Analysts emphasize that the decline in high-profile ATM incidents does not mean the threat has disappeared. The UNC2891 case shows that attention has shifted to combined schemes, in which physical intrusion is paired with thorough technical preparation, and the cash-out chain is designed with the same care as the malicious mechanisms planted inside the bank.

The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.