UNC2891: ATM Threats Never Die

In the past, groups such as MoneyTaker, Silence, and Cobalt shook the financial sector with bold, high-impact attacks. While they’ve faded from the spotlight, the threat hasn’t diminished but has instead evolved. Today, actors like UNC2891 represent a new wave: better prepared, technically sophisticated, and operationally disciplined. This group tries not to attract attention, but it’s quietly achieving results, targeting financial institutions with advanced tactics and tailored campaigns.

UNC2891 deployed a range of custom malware, including CAKETAP (a Solaris/Linux rootkit), SLAPSTICK (PAM backdoor with “magical password”), TINYSHELL (backdoor), WINGHOOK (keylogger), and LOGBLEACH/MIGLOGCLEANER (log wipers). These were disguised with legitimate-looking filenames, encrypted logs, timestomping, and obfuscation to stay undetected for years.

In several cases, attackers maintained undetected access for years (earliest compromise traced back to 2017) across dozens of hosts. They infiltrated ATM switching servers, production servers, and jump hosts, using chained backdoors and modified binaries to ensure persistence.

UNC2891 demonstrated creativity in infiltration and lateral movement, including physically attaching a Raspberry Pi to ATM network switches, exploiting SSH with SLAPSTICK’s magical password, and leveraging stolen credentials via WINGHOOK. For covert command-and-control, the group relied on tunneling tools like iodine (DNS tunneling) and OpenVPN, chaining backdoors across multiple hosts to sustain access.

The group ran sophisticated money mule recruitment operations, often via Google ads or Telegram. Mules received cloned card equipment and instructions over TeamViewer. Attackers guided them step-by-step to insert cloned cards into ATMs, enabling large-scale cash-out operations while distancing themselves from direct exposure.

We will examine three incident response cases that Group-IB specialists handled on behalf of their clients over these past several years.

We will provide an in-depth description of the TTPs employed by the attackers in the observed attacks.

We will also present a comprehensive list of malware used by the attackers, highlighting their similarities across different attacks, and examine other related artifacts.

We will provide insights into how the attackers hire and manage money mules, including the instructions they provide to the money mules, where they are recruited, and how they interact.