Group-IB has detailed a sophisticated intrusion by threat actor UNC2891 that blended physical access, anti-forensics, and Linux backdoor stealth to target ATM switching systems. At the heart of the campaign was a novel use of Linux bind mounts to conceal activity—now officially recognized as a new MITRE ATT&CK technique: T1564.013 (Hide Artifacts: Bind Mounts).
Unlike most cyberattacks that begin online, UNC2891 opted for a bold move—physical infiltration. Group-IB discovered that the attackers installed a Raspberry Pi device directly into the bank’s internal ATM network.
“This device was connected directly to the same network switch as the ATM, effectively placing it inside the bank’s internal network,” the report states.
The Pi, equipped with a 4G modem, acted as a remote command-and-control (C2) gateway, bypassing traditional perimeter defenses.
Using the TINYSHELL backdoor, the Raspberry Pi established persistent outbound C2 via a Dynamic DNS (DDNS) domain, enabling constant access without triggering alerts.
However, its stealth didn’t hold forever. Memory and network forensics were ultimately responsible for detection.

“Despite the stealthy placement of the device, a forensic review of the network monitoring server revealed several unusual behaviors,” including beaconing every 600 seconds and connections to port 929, the analysts observed.
Further investigation uncovered processes designed to masquerade as legitimate services. The malicious process carried the name of a legitimate service, but was located in nonstandard paths:
- /tmp/lightdm
- /var/snap/.snapd/lightdm
“The process is executed with command-line arguments resembling legitimate parameters… in an effort to evade detection and mislead forensic analysts,” Group-IB reports.
Even more alarming was the use of Linux bind mounts to hide these processes from forensic tools. This technique was previously undocumented in public threat reports.
“The attacker leveraged Linux bind mounts to hide backdoor processes from conventional detection tools—a technique that had not been documented… now cataloged as T1564.013,” Group-IB confirmed.
The endgame for UNC2891 was access to the ATM switching server. Their plan involved deploying CAKETAP, a rootkit designed to tamper with Hardware Security Module (HSM) responses and forge ATM authorization messages to enable fraudulent withdrawals.
Fortunately, Group-IB intervened before the attackers could execute their plan.
The attackers didn’t rely on a single point of entry. After the Raspberry Pi was removed, internal access persisted through a backdoor on the bank’s Mail Server—a system with direct internet connectivity.
“This multi-pivot access path – combining physical, network, and infrastructure control – made containment especially challenging,” Group-IB emphasized.
To maintain resilience, UNC2891 used DDNS infrastructure to rapidly rotate IPs and obscure ownership, ensuring uninterrupted command-and-control operations.
Group-IB’s investigation highlights that the most dangerous threat actors aren’t just remote—they’re physically embedded, technically advanced, and increasingly difficult to detect using conventional triage tools.
“The absence of any evidence in the process list further deepened concerns, prompting investigators to capture a memory dump for deeper analysis,” the report concludes.
Security teams are urged to expand detection beyond surface processes and embrace deeper memory, mount, and socket analysis techniques—because attackers like UNC2891 aren’t playing by the old rules.
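The mount analysis recommended above, as an added example that is not part of the Group-IB report: a bind mount placed over a process's /proc/&lt;pid&gt; directory masks that process from tools that read /proc, but the mount itself still appears in /proc/self/mountinfo, whose `root` field even records which directory on the source filesystem was mounted there. The parser and the sample mountinfo lines below are constructed for this illustration; the paths and PID are not from the report.

```python
import re
from pathlib import Path

# Constructed sample of /proc/self/mountinfo. The last line models a bind
# mount of an ordinary directory placed over /proc/4242 (a made-up PID).
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
40 28 8:1 /var/lib/docker /var/lib/docker rw,relatime shared:1 - ext4 /dev/sda1 rw
91 22 8:1 /var/snap/.snapd/empty /proc/4242 rw,relatime - ext4 /dev/sda1 rw
"""

# Mount point exactly /proc/<pid> or anything beneath it.
PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")


def _unescape(field):
    # mountinfo escapes space, tab, newline and backslash as \ooo octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Parse mountinfo lines into dicts; the ' - ' token separates the
    variable-length optional fields from fstype/source/super options."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")
        pre_fields, post_fields = pre.split(), post.split()
        entries.append({
            "mount_id": int(pre_fields[0]),
            "parent_id": int(pre_fields[1]),
            "root": _unescape(pre_fields[3]),        # path inside the source fs
            "mount_point": _unescape(pre_fields[4]),
            "fstype": post_fields[0],
            "source": _unescape(post_fields[1]),
        })
    return entries


def find_proc_overlays(entries):
    """Return (pid, mount_point, source:root) for every non-proc filesystem
    mounted over a /proc/<pid> path; each hit is a process hidden from /proc."""
    hits = []
    for e in entries:
        m = PROC_PID_RE.match(e["mount_point"])
        if m and e["fstype"] != "proc":
            hits.append((int(m.group(1)), e["mount_point"], e["source"] + ":" + e["root"]))
    return hits


def scan_live_system(path="/proc/self/mountinfo"):
    # Run as root on the host so the mount namespace is the one being triaged.
    return find_proc_overlays(parse_mountinfo(Path(path).read_text()))
```

A hit for PID N means the process list and `ls /proc/N` cannot be trusted for that PID; pair the result with the memory and socket analysis the article calls for rather than relying on either view alone.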