Cybersecurity researchers have uncovered the full scope of a multi-year ATM fraud campaign by UNC2891 against two Indonesian banks.
In addition to the Raspberry Pi-based ATM infiltration that was identified in early July, the latest Group-IB study demonstrates that the UNC2891 threat group was operating as part of a much larger campaign that involved recruiting money mules, creating cloned cards for use at ATMs and coordinating cash withdrawal networks.
According to the report, the UNC2891 threat group conducted three separate attacks, against Bank A (February 2022), Bank B (November 2023) and Bank A again (July 2024), using the same STEELCORGI packer in each attack.
Group-IB found that UNC2891 operated an extensive money extraction network that extended well beyond the technology used to breach a bank’s systems. The threat group created ads on Google and posted information on Telegram channels to recruit money mules.
Once they had located a potential money mule, they would ship cloned-card equipment to the mule via a postal service; the mule would then withdraw funds from ATMs while the handler directed them in real time over TeamViewer and/or by telephone.
Advanced PIN Bypass and Persistent Access
UNC2891 developed a robust malware package that included CAKETAP, a sophisticated rootkit designed to manipulate ATM transaction verification. The rootkit enabled attackers to intercept and replace legitimate PIN verification messages, thereby bypassing ATM verification processes.
CAKETAP also manipulated ARQC responses from Hardware Security Modules (HSMs) to allow attackers to pass verification protocols with cloned cards.
Persistence was achieved using a set of custom-developed backdoors on dozens of compromised systems:
- TINYSHELL created covert connections to the UNC2891 C2 server using dynamic DNS
- SLAPSTICK collected authentication credentials using a PAM library it had previously compromised
- SUN4ME, a reconnaissance toolkit, created detailed maps of the network topology
Redundancy was maintained by providing multiple communication methods, such as DNS tunneling, OpenVPN connections and encrypted HTTPS channels.
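The DNS-based channels described above (dynamic DNS for the TINYSHELL C2 and DNS tunneling as a fallback) leave a visible trace in resolver logs: query names that carry encoded data tend to have unusually long or high-entropy subdomain labels, and a single client emits many of them. The following script is an added example, not part of the Group-IB report or the article, showing one such heuristic over constructed resolver log lines; the log format, the 40-character and 3.5-bit thresholds and the client IPs are all assumptions for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, format assumed: "<timestamp> <client_ip> <qname> <qtype>".
# 10.0.0.5 issues three queries that carry hex-encoded payloads in their first label;
# 10.0.0.9 issues ordinary lookups, including one long but low-entropy label.
SAMPLE_LOG = """\
2024-07-01T09:00:01Z 10.0.0.9 www.example.com A
2024-07-01T09:00:02Z 10.0.0.9 updates.example.net A
2024-07-01T09:00:03Z 10.0.0.5 0123456789abcdef0123456789abcdef.cdn-updates.example TXT
2024-07-01T09:00:04Z 10.0.0.5 fedcba9876543210fedcba9876543210.cdn-updates.example TXT
2024-07-01T09:00:05Z 10.0.0.5 0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f.cdn-updates.example TXT
2024-07-01T09:00:06Z 10.0.0.9 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.com A
"""


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for an empty or single-symbol string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suspect_query(qname, max_label_len=40, min_payload_len=30, min_entropy=3.5):
    """Flag a query name whose subdomain part looks like encoded data.

    The last two labels are treated as the registrable domain (an approximation;
    a public-suffix list would be more accurate) and everything in front of them
    as the potential payload.
    """
    labels = qname.rstrip(".").split(".")
    payload_labels = labels[:-2]
    if not payload_labels:
        return False
    longest = max(len(label) for label in payload_labels)
    payload = "".join(payload_labels)
    # Rule 1: a single label far longer than any human-chosen hostname.
    if longest >= max_label_len:
        return True
    # Rule 2: enough data to judge, and it is close to uniformly distributed.
    return len(payload) >= min_payload_len and shannon_entropy(payload) >= min_entropy


def flag_dns_tunneling(log_text, per_client_threshold=3):
    """Return {client_ip: [suspect qnames]} for clients at or above the threshold."""
    suspects = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed or constructed header line; skip
        _timestamp, client_ip, qname, _qtype = parts
        if is_suspect_query(qname):
            suspects[client_ip].append(qname)
    return {ip: names for ip, names in suspects.items() if len(names) >= per_client_threshold}


if __name__ == "__main__":
    for client, names in flag_dns_tunneling(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} suspect queries, e.g. {names[0]}")
```

Legitimate CDNs and some telemetry services also use long hashed labels, so in production this heuristic should run behind an allowlist of known domains and be judged on per-client volume over a window rather than on any single query; the threshold of three queries in the sample is deliberately low so the constructed log is enough to trigger it.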
Anti-Forensics and Attribution
The UNC2891 threat group used LOGBLEACH and MIGLOGCLEANER log-wiping tools to remove evidence of their actions from system logs. The threat group also planted init scripts and systemd service files to make sure their backdoors automatically started after each reboot.
Many of the malware components were given innocuous, common-looking filenames and were hidden from discovery using techniques such as mounting over the /proc filesystem.
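Both hiding techniques in the two paragraphs above leave artifacts a host-based check can look for: a process concealed by mounting over its /proc/<pid> directory still appears as a mount entry in /proc/mounts, and a backdoor relaunched from a systemd service file still has an ExecStart line pointing at its binary. The script below is an added example written for this article, not Group-IB's tooling, that applies both checks to constructed /proc/mounts and unit-file text; the sample PID, paths and the list of untrusted directories are assumptions, and the live scan at the bottom only runs when the script is executed on a Linux host.

```python
import glob
import re
from pathlib import Path

# Any mount whose mount point is /proc/<pid> (or below it) hides that process
# from ps, top and every other tool that enumerates /proc.
PID_MOUNT_RE = re.compile(r"^/proc/(\d+)(?:/|$)")

# Directories from which a legitimate system service should not normally be started.
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")

# Constructed /proc/mounts content: one ordinary layout plus a bind mount over /proc/4242.
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /proc/4242 ext4 rw,relatime 0 0
"""

# Constructed systemd unit that starts a dot-prefixed binary from /dev/shm.
SAMPLE_UNIT = """\
[Unit]
Description=System update helper

[Service]
Type=simple
ExecStart=/dev/shm/.cache/update-helper --daemon
Restart=always

[Install]
WantedBy=multi-user.target
"""


def find_proc_overmounts(mounts_text):
    """Parse /proc/mounts-style text and return (pid, mount_point, fstype) for
    every mount placed over a /proc/<pid> directory."""
    hits = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        mount_point, fstype = parts[1], parts[2]
        match = PID_MOUNT_RE.match(mount_point)
        if match:
            hits.append((int(match.group(1)), mount_point, fstype))
    return hits


def suspicious_exec_starts(unit_text):
    """Return the executables named by ExecStart lines that live in an untrusted
    directory or have a hidden (dot-prefixed) basename."""
    flagged = []
    for line in unit_text.splitlines():
        line = line.strip()
        if not line.startswith("ExecStart"):
            continue
        _key, _sep, value = line.partition("=")
        # systemd allows the prefixes "-", "@", ":", "+", "!" before the path.
        value = value.strip().lstrip("-@:+!")
        if not value:
            continue
        exe = value.split()[0]
        basename = exe.rsplit("/", 1)[-1]
        if exe.startswith(UNTRUSTED_DIRS) or basename.startswith("."):
            flagged.append(exe)
    return flagged


if __name__ == "__main__":
    print("sample overmounts:", find_proc_overmounts(SAMPLE_MOUNTS))
    print("sample unit:", suspicious_exec_starts(SAMPLE_UNIT))
    # Live scan of this host, only where /proc and systemd exist.
    mounts = Path("/proc/mounts")
    if mounts.exists():
        for pid, mount_point, fstype in find_proc_overmounts(mounts.read_text()):
            print(f"process {pid} hidden by {fstype} mount over {mount_point}")
        for unit in glob.glob("/etc/systemd/system/*.service"):
            for exe in suspicious_exec_starts(Path(unit).read_text(errors="replace")):
                print(f"{unit}: ExecStart points at {exe}")
```

A mount over /proc/<pid> is not always malicious (container runtimes and some sandboxes do it deliberately), so each hit should be checked against the mount's source and the expected container list before it is treated as an incident; likewise the ExecStart check only catches the lazy case, and a unit that starts a binary from /usr/local/bin under a plausible name needs file-hash or package-ownership comparison instead.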
Group-IB is confident that the attacks attributed to UNC2891 are connected because they shared similar cryptographic keys embedded in STEELCORGI for the three separate attacks occurring over several years.
According to the security researchers, the UNC2891 threat group was able to compromise over 30 systems at Bank A during the February 2022 incident alone, indicating that the group was able to maintain a persistent presence at a targeted organization.
“The apparent decline of ATM-focused cybercrime in recent years has led many defenders to deprioritize this attack surface – in budgets, audits, and threat models. That would be a dangerous mistake,” Group-IB warned.
“UNC2891 is proof that ATM threats did not disappear – they simply evolved. Their resurgence, now enhanced by physical access vectors and deeply embedded tooling, suggests a new chapter in financial intrusions.”
