Following the activities of LightBasin, a financially motivated group of hackers, threat analysts have discovered a previously undisclosed Unix rootkit that is utilized to capture ATM banking data and execute fraudulent transactions.
The specific group of adversaries has lately been seen targeting telecom businesses with tailored implants, as well as hacking managed service providers and victimising their clients back in 2020.
Researchers present more proof of LightBasin activities in a new paper from Mandiant, focused on bank card fraud and the compromise of critical infrastructure. The new rootkit from LightBasin is a Unix kernel module called "Caketap" that is installed on servers running Oracle Solaris systems.
Caketap hides network connections, processes, and files when it is loaded; it installs various hooks into system services so that remote commands and configurations can be received.
The various commands observed by the analysts are as follows:
• Add the CAKETAP module back to the loaded modules list
• Change the signal string for the getdents64 hook
• Add a network filter (format p)
• Remove a network filter
• Set the current thread TTY to not to be filtered by the getdents64 hook
• Set all TTYs to be filtered by the getdents64 hook \
• Displays the current configuration
Caketap's ultimate purpose is to steal financial card and PIN verification data from compromised ATM switch servers and utilise it to enable fraudulent transactions.
Caketap intercepts data on their way to the Payment Hardware Security Module (HSM), a tamper-resistant hardware device used in the banking industry to generate, manage and validate cryptographic keys for PINs, magnetic stripes, and EMV chips.
Caketap tampers with card verification messages, blocking those that match fraudulent bank cards instead of generating a genuine response.
In a second phase, it saves valid messages that match non-fraudulent PANs (Primary Account Numbers) internally and delivers them to the HSM, ensuring that normal customer transactions are not disrupted and implant operations remain undetected.
“We believe that CAKETAP was leveraged by UNC2891 (LightBasin) as part of a larger operation to successfully use fraudulent bank cards to perform unauthorized cash withdrawals from ATM terminals at several banks,” explains Mandiant’s report.
Slapstick, Tinyshell, Steelhound, Steelcorgi, Wingjook, Wingcrack, Binbash, Wiperight, and the Mignogcleaner are further tools related to the actor in prior assaults, all of which Mandiant confirmed are still used in LightBasin attacks.
LightBasin is a highly skilled threat actor that exploits weak security in mission-critical Unix and Linux systems, which are frequently viewed as intrinsically secure or are mostly ignored due to their obscurity.
LightBasin and other attackers thrive in this environment, and Mandiant expects them to continue to use the same operating model.
In terms of attribution, the analysts noticed some overlaps with the UNC1945 threat cluster, but they don't have enough clear evidence to draw any judgments.