A tiny Raspberry Pi device, no bigger than a credit card, has emerged as a deadly weapon in modern ATM heists.
The financially motivated threat actor UNC2891 has used this pocket-sized computer to breach bank networks in Southeast Asia, blending physical tampering with sophisticated cyber tactics.
Group-IB’s new report exposes how these hackers maintained undetected access since 2017, targeting Linux, Unix, and Oracle Solaris systems in banking infrastructure.
By hiding Raspberry Pi boards behind ATMs and linking them to internal switches via 4G modems, attackers bypassed firewalls and gained remote control.
This hardware-cyber fusion enables them to manipulate transactions in real time, siphoning cash without triggering alerts.
UNC2891’s operations reveal a mature ecosystem. Researchers analyzed three incident-response cases from APAC financial institutions and mapped a kill chain that begins with physical access.
Attackers scout ATMs, install the Raspberry Pi on the same network switch, and establish persistence using anti-forensic tricks like Linux bind mount abuse (MITRE ATT&CK T1564.013).
This hides malicious files by overlaying clean directories over compromised ones, evading detection during scans. Once inside, they deploy six custom malware families:
| Malware | Function | Key Features |
|---|---|---|
| CAKETAP | Rootkit for HSM manipulation | Spoofs transactions, alters PIN verification |
| TINYSHELL | Lightweight backdoor | Enables remote shell access |
| SLAPSTICK | Credential logger | Captures admin logins silently |
| SUN4ME | Reconnaissance toolkit | Scans networks, exploits vulns |
| STEELCORGI | Encryption packer | Obfuscates payloads |
| WINGHOOK | Keylogger/decoder | Logs keystrokes on Unix/Linux |
Additional tools like MIGLOGCLEANER tamper with logs, wiping traces. Group-IB found common artifacts across attacks, including TeamViewer sessions for cash-out coordination.
ATM Threats Never Die
UNC2891 recruits money mules via Telegram channels and Google Ads, instructing them on cloning cards and withdrawing funds.
In one case, mules used skimmers to capture card data, then hit ATMs en masse.
At the same time, hackers remotely approved fake transactions via compromised switching servers. This blurs digital theft with physical crime, netting millions.
The group differs from similar actors, such as UNC1945, through its Unix expertise and bespoke tools.
Detection lagged seven years due to stealthy TTPs. However, Group-IB provides YARA rules and mitigations: segment ATM networks, monitor for rogue 4G devices, and audit bind mounts.
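The bind mount hiding technique described earlier (T1564.013) and the "audit bind mounts" mitigation here, as an added example that is not code from the Group-IB report or this article: a Python heuristic that parses `/proc/self/mountinfo` and flags bind mounts that overlay sensitive directories or `/proc/<pid>` entries. The sensitive-path list and the two indicators (a mount root other than `/`, and one device mounted at several points) are assumptions for this example, and the sample mountinfo text is constructed.

```python
import re
from typing import Dict, List

# Paths a scan or responder relies on; an overlay here hides what was underneath.
# This prefix list is an assumption for the example, not a published baseline.
SENSITIVE_PREFIXES = ("/var/log", "/tmp", "/var/tmp", "/etc", "/usr/bin", "/usr/sbin")
PROC_PID = re.compile(r"^/proc/\d+(/|$)")  # a mount over /proc/<pid> hides that process
# Constructed sample: clean root, proc and sysfs, then two overlays of the kind described.
CONSTRUCTED_MOUNTINFO = """\
22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
23 22 0:20 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
24 22 0:21 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
40 22 8:1 /var/tmp/.cache /var/log rw,relatime - ext4 /dev/sda1 rw
41 23 8:1 /var/tmp/.cache/empty /proc/1337 rw,relatime - ext4 /dev/sda1 rw
"""

def parse_mountinfo(text: str) -> List[Dict[str, str]]:
    """Parse mountinfo lines (layout per proc(5)); ' - ' ends the optional fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, _, right = line.partition(" - ")
        l, r = left.split(), right.split()
        entries.append({"dev": l[2], "root": l[3], "mountpoint": l[4],
                        "fstype": r[0], "source": r[1]})
    return entries

def _under_sensitive(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PREFIXES)

def find_suspicious_mounts(text: str) -> List[str]:
    """Return one finding per mount that looks like a hiding overlay."""
    entries = parse_mountinfo(text)
    # A bind mount shares major:minor with the filesystem it came from, so the same
    # device at several mount points is a second indicator beside root != "/".
    dev_count: Dict[str, int] = {}
    for e in entries:
        dev_count[e["dev"]] = dev_count.get(e["dev"], 0) + 1
    findings = []
    for e in entries:
        mp, subdir_bind = e["mountpoint"], e["root"] != "/"
        if PROC_PID.match(mp) and e["fstype"] != "proc":
            findings.append(f"{mp}: {e['fstype']} mounted over a /proc/<pid> entry")
        elif _under_sensitive(mp) and (subdir_bind or dev_count[e["dev"]] > 1):
            findings.append(f"{mp}: bind of {e['source']}:{e['root']} overlays a sensitive path")
    return findings
```

On a live host, pass the contents of `/proc/self/mountinfo` to `find_suspicious_mounts`; hits are leads to compare against a known-good mount baseline for that ATM or server image, not proof of compromise on their own.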
Banks must evolve. Traditional perimeter defenses fail against hybrid attacks.
Regular hardware inspections, network micro-segmentation, and behavioral analytics can stop Raspberry Pi intrusions.