LightBasin group uses Unix Rootkit to steal ATM data
Information security specialists tracking the financially motivated LightBasin hacking group have discovered a new Unix rootkit used to steal ATM data and conduct fraudulent transactions.

According to researchers from Mandiant, the new LightBasin rootkit is a Unix kernel module called Caketap, which is installed on servers running the Oracle Solaris operating system. Caketap hides network connections, processes and files, and also installs several hooks into system functions in order to receive remote commands and configuration.

The researchers identified the following supported commands:

  • Add the CAKETAP module back to the list of loaded modules.

  • Change the signal string for the getdents64 hook.

  • Add a network filter (p format).

  • Remove the network filter.

  • Set the TTY of the current stream so that it is not filtered by the getdents64 hook.

  • Configure filtering of all TTY using the getdents64 hook.

  • Display the current configuration.
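Because Caketap hides processes and files by hooking getdents64, a defender can compare the directory-listing view of /proc with a second view that does not go through that syscall; anything reachable by PID but missing from the listing is a candidate for a filtered entry. The script below is an added example for this page, not Mandiant's or the page's own code; it assumes a Linux-style /proc layout (Solaris also exposes /proc, but its structure and pid_max location differ).

```python
import os
from typing import Iterable, Set

PROC_DIR = "/proc"  # assumed Linux-style procfs layout; adapt for Solaris


def listed_pids(proc_dir: str = PROC_DIR) -> Set[int]:
    """PIDs as returned by readdir() on /proc, i.e. through getdents64."""
    return {int(n) for n in os.listdir(proc_dir) if n.isdigit()}


def pid_alive(pid: int) -> bool:
    """Probe a PID with kill(pid, 0), which bypasses directory listing.

    ESRCH (ProcessLookupError) means no such process; EPERM means the
    process exists but belongs to another user, so it still counts."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def probed_pids(max_pid: int) -> Set[int]:
    return {pid for pid in range(1, max_pid + 1) if pid_alive(pid)}


def hidden_pids(listed: Iterable[int], probed: Iterable[int]) -> Set[int]:
    """Pure comparison: PIDs reachable by kill() but absent from the listing."""
    return set(probed) - set(listed)


def read_pid_max(path: str = "/proc/sys/kernel/pid_max", default: int = 32768) -> int:
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default


def scan(proc_dir: str = PROC_DIR) -> Set[int]:
    """Two-pass cross-view scan; the second pass drops PIDs that merely
    exited between the listing and the probe (a benign race, not hiding)."""
    suspects = hidden_pids(listed_pids(proc_dir), probed_pids(read_pid_max()))
    return {p for p in suspects if pid_alive(p) and p not in listed_pids(proc_dir)}


def self_check() -> bool:
    """The running interpreter must be visible in both views on a clean host."""
    return pid_alive(os.getpid()) and os.getpid() in listed_pids()


if __name__ == "__main__":
    found = scan()
    print("hidden PIDs:", sorted(found) if found else "none")
```

A non-empty result is a lead, not proof: confirm with a second tool (for example a kernel-side module list or an offline disk image) before concluding a getdents64 hook is present.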

The main task of Caketap is to intercept bank card and PIN verification data on compromised ATM switching servers, and then use the stolen data to facilitate unauthorized transactions.

The messages intercepted by Caketap are those intended for the Payment Hardware Security Module (HSM), a tamper-resistant hardware device used in the banking sector to create, manage and verify the cryptographic keys that protect PIN codes, magnetic stripes and EMV chips.

“We believe that CAKETAP was used by UNC2891 (LightBasin) as part of a larger operation to successfully use fraudulent bank cards for unauthorized cash withdrawals at ATMs in several banks,” Mandiant noted.

In addition to Caketap, the group also uses tools such as Slapstick, Tinyshell, Steelhound, Steelcorgi, Wingjook, Wingcrack, Binbash, Wiperight and Mignogcleaner in its attacks.