A new rootkit has been detected in the wild, targeting Oracle Solaris systems and aiming at ATMs. According to Mandiant research and analysis, the so-called UNC2891 threat actors initiated rootkit intrusions that appeared to be financially motivated, in some cases spanning several years through which the actor had remained largely undetected.
The rootkit itself is known as CAKETAP. One of the rootkit’s variants has been observed manipulating messages transiting a victim’s ATM switching network.
“One variant of CAKETAP manipulated messages transiting a victim’s Automatic Teller Machine (ATM) switching network. It is believed this was leveraged as part of a larger operation to perform unauthorized cash withdrawals at several banks using fraudulent bank cards,” Mandiant said.
Backdoor Deployed Simultaneously with CAKETAP Rootkit
In fact, the research team had previously observed UNC2891 intrusions that made “extensive use” of a PAM-based backdoor known as SLAPSTICK. The backdoor helped carry out credential harvesting campaigns, as well as providing backdoor access to compromised machines in affected networks. In short, SLAPSTICK provides persistent backdoor access to infected systems through a hard-coded password (“magical”), while also logging authentication attempts and passwords to an encrypted log file.
It is noteworthy that, although SLAPSTICK log files were often timestomped, Mandiant researchers decoded them and traced some of the actor’s lateral movement activities through the usage of the backdoor-provided “magical” password.
Another backdoor observed in the CAKETAP rootkit attacks is TINYSHELL. This backdoor used an external encrypted configuration file, and some variants included additional functionality, such as the ability to communicate through an HTTP proxy with basic authentication.
Consistent with the threat group’s knowledge of Unix and Linux-based systems, they often named and configured the TINYSHELL backdoors with values disguised as legitimate services that security researchers could miss, such as systemd, the name service cache daemon (nscd), and the Linux at daemon (atd).
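A process name is attacker-controlled, so the defensive check against this kind of disguise is to compare the name a process presents with the executable that actually backs it. The following is an added example written for this article, not code from Mandiant or from any tool in the report; the allow-listed paths and the sample process table are constructed for illustration (the Solaris `/proc/<pid>/path/a.out` location is an assumption noted in the code, and the service names are only those the report mentions).

```python
"""Flag processes whose name imitates a legitimate service but whose
executable is not where that service lives (added example, not from the report)."""
import os

# Constructed allow-list: the three disguises named in the report, mapped to
# the paths a distribution would normally install them at. Adjust per host.
EXPECTED_EXE = {
    "systemd": {"/usr/lib/systemd/systemd", "/lib/systemd/systemd"},
    "nscd": {"/usr/sbin/nscd"},
    "atd": {"/usr/sbin/atd"},
}


def flag_masquerades(processes, expected=EXPECTED_EXE):
    """processes: iterable of (pid, name, exe_path).

    Returns the entries whose name matches a watched service but whose backing
    executable is missing, unlinked (" (deleted)" suffix on Linux), or not on
    the allow-list for that name. Anything else is left alone."""
    findings = []
    for pid, name, exe in processes:
        allowed = expected.get(name)
        if allowed is None:
            continue
        if exe is None or exe.endswith(" (deleted)") or exe not in allowed:
            findings.append((pid, name, exe))
    return findings


def live_processes():
    """Collector for Linux: /proc/<pid>/comm gives the (15-char) name, the
    /proc/<pid>/exe symlink gives the backing file. On Solaris the equivalent
    link is /proc/<pid>/path/a.out (assumption; not verified here)."""
    result = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as fh:
                name = fh.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            # Process exited mid-scan, or we lack privilege to read the link;
            # record the name with an unknown executable so it is reviewed.
            exe = None
            try:
                with open(f"/proc/{pid}/comm") as fh:
                    name = fh.read().strip()
            except OSError:
                continue
        result.append((pid, name, exe))
    return result


# Constructed sample table for a stand-alone run: two genuine services, one
# "systemd" launched from a hidden temp directory, and an "atd" whose binary
# was unlinked after start. Paths are illustrative, not indicators from the report.
SAMPLE_PROCESSES = [
    (1, "systemd", "/usr/lib/systemd/systemd"),
    (4242, "nscd", "/usr/sbin/nscd"),
    (5151, "systemd", "/tmp/.x/systemd"),
    (6161, "atd", "/usr/sbin/atd (deleted)"),
    (7171, "sshd", "/usr/sbin/sshd"),
]

if __name__ == "__main__":
    for pid, name, exe in flag_masquerades(SAMPLE_PROCESSES):
        print(f"suspicious: pid={pid} name={name!r} exe={exe!r}")
    # Replace SAMPLE_PROCESSES with live_processes() to scan the running host.
```

Run as root so every `exe` link is readable; an unreadable link on a non-root scan is reported with `exe=None` rather than silently trusted. The check only covers names you put in the allow-list, so extend `EXPECTED_EXE` with the daemons your hosts actually run.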
More about the CAKETAP Rootkit
According to Mandiant’s report, CAKETAP is a kernel module rootkit deployed on key server infrastructure running Oracle Solaris. In terms of capabilities, the rootkit can conceal network connections, processes, and files. Furthermore, it removes itself from the loaded modules list during initialization and updates last_module_id to point at the previously loaded module, so that the module list shows no trace of it.
“A hook is installed into the function ipcl_get_next_conn, as well as several functions in the ipmodule. This enables CAKETAP to filter out any connections that match an actor-configured IP address or port (local or remote),” the report added.
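A rootkit that hooks the kernel's enumeration path, as CAKETAP does for connections and processes, can only filter what that one path returns. The standard defensive response is a cross-view check: gather the same objects through an independent route and diff the two views, because a hidden object shows up in the difference. The following is an added example written for this article, not code from the Mandiant report or any tool it names; it uses the process view as the illustration, assumes a `/proc` filesystem (present on both Linux and Solaris), and the sample sets used in the stand-alone run are constructed.

```python
"""Cross-view detection of hidden processes (added example, not from the report).

View 1: the directory listing of /proc, which a rootkit that filters process
        enumeration can trim.
View 2: probing each candidate PID with signal 0, which asks the kernel about
        one specific PID and so does not go through the enumeration path.
A PID that answers the probe but is absent from the listing is hidden."""
import os


def cross_view_diff(listed, probed):
    """Objects present in the independent probe but missing from the
    enumeration view. Both arguments are iterables of hashable identifiers."""
    return sorted(set(probed) - set(listed))


def listed_pids():
    """Enumeration view: PIDs the kernel reports as entries of /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(candidates):
    """Independent view: send the null signal to each candidate PID.
    ESRCH (ProcessLookupError) means no such process; EPERM (PermissionError)
    means it exists but belongs to someone else, so it still counts as alive."""
    alive = set()
    for pid in candidates:
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)
    return alive


def hidden_pids(max_pid=65536, rounds=3):
    """PIDs alive by probing but absent from /proc in every one of `rounds`
    passes. Repeating and intersecting removes the race where a process exits
    or starts between the two views of a single pass."""
    persistent = None
    for _ in range(rounds):
        found = set(cross_view_diff(listed_pids(), probed_pids(range(1, max_pid))))
        persistent = found if persistent is None else persistent & found
    return sorted(persistent)


if __name__ == "__main__":
    # Constructed demonstration of the diff logic: PID 31337 answers the probe
    # but was filtered out of the listing.
    print(cross_view_diff([1, 2, 3], [1, 2, 3, 31337]))  # [31337]
    # Live scan of this host; raise max_pid to the system's pid_max if needed.
    print("hidden PIDs:", hidden_pids())
```

The same pattern applies to the other objects CAKETAP hides: compare the socket list from the usual enumeration interface against a second source (a raw packet capture, or the view from a different host on the segment), and compare a directory listing against an inode walk of the raw device. A finding is only meaningful when it persists across several passes, which is why `hidden_pids` intersects the rounds.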
This specific variant also implemented additional hooking functionality that could intercept specific messages related to card and PIN verification in order to perform unauthorized transactions using fake bank cards. That hooking functionality could manipulate verification messages and replay PIN verification messages.
“Based on Mandiant’s investigation findings, we believe that CAKETAP was leveraged by UNC2891 as part of a larger operation to successfully use fraudulent bank cards to perform unauthorized cash withdrawals from ATM terminals at several banks,” the report concluded.