FortiGuard Labs is aware of a report that a threat actor known as UNC2891 used a previously unknown rootkit to capture banking card and PIN verification data from compromised ATM switch servers. The captured data was used to perform fraudulent transactions. Dubbed Caketap, the rootkit allows the threat actor to hide network connections, processes, and files, and install several hooks into system functions to receive commands and configurations from the attacker's remote server.
Why is this Significant?
This is significant because Caketap, a previously unknown rootkit that the threat actor deployed on Oracle Solaris systems, conceals the attacker's activity, and the data it steals can be used for unauthorized financial transactions. The attacks carried out by UNC2891 are financially motivated and could cause great financial damage to the targeted financial institutions.
What is Caketap?
Caketap is a kernel module rootkit used by UNC2891 on Oracle Solaris systems. The rootkit is used to hide network connections, processes, and files, and install several hooks into system functions to receive commands and configurations from the attacker's remote server.
The rootkit is capable of intercepting certain messages sent to the Payment Hardware Security Module (HSM) in order to disable proper banking card verification and return a valid response that approves fraudulent banking cards. It also examines PIN verification messages. If a PIN verification message is not for a fraudulent banking card, Caketap does not disrupt the valid verification but saves the message. If Caketap detects a PIN verification message for a fraudulent banking card, it replays a previously saved valid message to bypass PIN verification.
Thales, an HSM vendor, describes the Payment Hardware Security Module (HSM) as "a hardened, tamper-resistant hardware device that is used primarily by the retail banking industry to provide high levels of protection for cryptographic keys and customer PINs used during the issuance of magnetic stripe and EMV chip cards (and their mobile application equivalents) and the subsequent processing of credit and debit card payment transactions".
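Because Caketap tampers with HSM traffic on the compromised switch host, the HSM's own audit trail (which the rootkit cannot alter) is an independent source of truth. The reconciliation check below is an added example, not code from the report or from Fortinet; the log formats, field names and transaction values are constructed, and it assumes the HSM records a transaction reference for each verification it performs.

```python
# Reconcile the ATM switch's authorisation log against the HSM's own audit log.
# Approvals the switch recorded that the HSM never verified, verified as FAIL,
# or verified for a different card are the signal for the bypass described above.
# Log formats and field names are constructed for this example.
import csv
from io import StringIO

# Constructed switch authorisation log: one line per transaction the switch decided.
SWITCH_LOG = """txn,card_token,pin_result
T1001,tok-A,APPROVED
T1002,tok-B,DECLINED
T1003,tok-C,APPROVED
T1004,tok-D,APPROVED
T1005,tok-E,APPROVED
"""

# Constructed HSM audit log: what the HSM itself actually verified.
HSM_LOG = """txn,card_token,verify_result
T1001,tok-A,OK
T1002,tok-B,FAIL
T1004,tok-D,FAIL
T1005,tok-F,OK
"""


def parse(text, result_field):
    """Map transaction reference -> (card token, result) from a CSV log."""
    return {r["txn"]: (r["card_token"], r[result_field]) for r in csv.DictReader(StringIO(text))}


def reconcile(switch_text, hsm_text):
    """Return (txn, reason) for every switch approval the HSM does not back."""
    switch = parse(switch_text, "pin_result")
    hsm = parse(hsm_text, "verify_result")
    findings = []
    for txn, (card, result) in switch.items():
        if result != "APPROVED":
            continue  # only approvals can be PIN-verification bypasses
        if txn not in hsm:
            findings.append((txn, "approved with no HSM verification record"))
        elif hsm[txn][0] != card:
            findings.append((txn, "HSM record is for a different card"))
        elif hsm[txn][1] != "OK":
            findings.append((txn, f"HSM verdict was {hsm[txn][1]} but switch approved"))
    return findings


if __name__ == "__main__":
    for txn, reason in reconcile(SWITCH_LOG, HSM_LOG):
        print(f"{txn}: {reason}")
```

Running the check over the constructed logs flags T1003, T1004 and T1005; a matching pair such as T1001 produces no finding.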
What is UNC2891?
UNC2891 is a threat actor whose main motivation is reportedly financial gain, and it has been active for several years. The threat actor is known to have extensive knowledge not only of Oracle Solaris systems but also of Linux and Unix systems.
What Other Tools does UNC2891 Use?
The following tools are reported to have been used by the threat actor:
- SLAPSTICK - a Pluggable Authentication Module (PAM) based backdoor
- Custom version of TINYSHELL - backdoor
- STEELHOUND - in-memory dropper
- STEELCORGI - in-memory dropper
- SUN4ME - toolkit containing tools for network reconnaissance, host enumeration, exploitation of known vulnerabilities, and log wiping
- WINGHOOK - keylogger for Linux and Unix systems
- WINGCRACK - utility that is used to decode and display the information collected by WINGHOOK
- BINBASH - ELF utility that executes a shell after the group ID and user ID are set to either "root" or specified values
- WIPERIGHT - ELF utility for Linux and Unix systems that is used to clear specific logs
- MIGLOGCLEANER - ELF utility for Linux and Unix systems that is used to wipe logs or remove certain strings from logs
What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage: