Following the activities of LightBasin, a financially motivated group of hackers, threat analysts have discovered a previously undisclosed Unix rootkit that is used to steal ATM banking data and execute fraudulent transactions. The specific gang of adversaries has lately been seen attacking telecom businesses with tailored implants, as well as compromising managed service providers and victimizing their clients back in 2020. Researchers give more proof of LightBasin activities in a new report from Mandiant, focused on bank card theft and the penetration of critical infrastructure.
The latest rootkit from LightBasin is a Unix kernel module called “Caketap” that is installed on Oracle Solaris systems. Caketap conceals network connections, processes, and files when it is loaded, and it installs various hooks into system services so that remote instructions and configurations may be received. The analysts observed the following commands:
- Add the CAKETAP module back to the loaded modules list
- Change the signal string for the getdents64 hook
- Add a network filter (format p)
- Remove a network filter
- Set the current thread TTY to not to be filtered by the getdents64 hook
- Set all TTYs to be filtered by the getdents64 hook
- Displays the current configuration
Caketap’s ultimate purpose is to steal financial card and PIN verification data from hacked ATM switch servers and exploit it to facilitate fraudulent transactions. Caketap intercepts data on their way to the Payment Hardware Security Module (HSM), a tamper-resistant hardware device used in the banking sector to generate, manage and validate cryptographic keys for PINs, magnetic stripes, and EMV chips.
Caketap tampers with card verification messages, stopping those that match fraudulent bank cards and generating a valid response. The second phase preserves legitimate messages that internally match non-fraudulent PANs (Primary Account Numbers) and delivers them to the HSM, ensuring that regular client transactions are not disrupted and that implant activities stay undetected.
“We believe that CAKETAP was leveraged by UNC2891 (LightBasin) as part of a larger operation to successfully use fraudulent bank cards to perform unauthorized cash withdrawals from ATM terminals at several banks,” clarifies Mandiant’s report. Slapstick, Tinyshell, Steelhound, Steelcorgi, Wingjook, Wingcrack, Binbash, Wiperight, and the Mignogcleaner are other tools related to the actor in prior attacks, all of which Mandiant verified are still used in LightBasin attacks.
LightBasin is a highly skilled threat actor that exploits deficient security in mission-critical Unix and Linux systems, which are frequently viewed as fundamentally safe or mostly ignored due to their obscurity. LightBasic and other attackers flourish in this environment, and Mandiant expects them to continue to use the same operating model. In terms of attribution, the analysts saw some parallels with the UNC1945 threat cluster, but they don’t have enough clear evidence to draw any judgments.
