Overview

• UNC2891 physically installed a 4G-enabled Raspberry Pi on a bank’s ATM network switch to bypass perimeter firewalls and secure remote access.
• Attackers deployed the TinyShell backdoor to establish a persistent outbound command-and-control channel via a dynamic DNS domain.
• Forensic analysts uncovered abuse of Linux bind mounts (MITRE ATT&CK T1564.013) and process masquerading under “lightdm” to conceal malware from system tools.
• Threat actors pivoted through the bank’s network monitoring server—which beaconed every 600 seconds to the Raspberry Pi—and maintained persistence by compromising the mail server.
• Group-IB neutralized the operation before the CAKETAP rootkit could be installed, contributed the bind-mount hiding technique to MITRE ATT&CK, and advised banks to strengthen physical security, mount monitoring and memory forensics.