New Caketap Unix rootkit used by hackers to steal ATM banking data

March 23, 2022
Tags: Caketap, Unix Rootkit, Hackers, ATM Banking Data, Financial Malware, UNC1945, LightBasin, Linux

Researchers have recently found a new Unix rootkit called Caketap which threat actors utilize for stealing ATM banking data. Based on reports, cybersecurity researchers have spotted Caketap while monitoring the activity of the LightBasin cybercrime group, also known as UNC1945.

The LightBasin hacking group, which is affiliated with China, has been actively operating for about seven years now and, according to a researcher, uses a sophisticated toolset. UNC1945 has compromised more than ten telecommunications firms since the middle of 2019.

The LightBasin hacking group compromised mobile telephone networks globally and utilized specialized tools to infiltrate telecoms’ calling records and SMS messages.


LightBasin has shifted its attacks from telecoms to bank customers, since Caketap is more efficient for banking fraud schemes.


The activity associated with LightBasin has targeted bank customers and focused on card fraud using Caketap.

Caketap is a Unix kernel-module rootkit that LightBasin deployed on servers running Oracle Solaris. It also operates evasively, hiding network connections, files, and processes.

On initialization, Caketap removes itself from the loaded-modules list and then sets last_module_id to the previously loaded module, removing any lingering trace of its presence on the compromised system.

Administrators can identify Caketap on a Solaris system by checking for a hook installed in the ipcl_get_next_conn function.
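The check above amounts to verifying that a kernel function's entry has not been redirected. The following is an added illustration of that kind of inline-hook inspection, not code from the article or from any Caketap analysis; it assumes x86-64 kernel text (Solaris also runs on SPARC, where the opcodes differ) and that the function's entry bytes have already been read out of a memory image. The sample bytes are constructed.

```python
"""Heuristic inline-hook check for a kernel function's entry bytes (added example)."""

from typing import Optional

# Common ways an inline hook redirects control at a function entry on x86-64.
def _rel32_jmp(b: bytes) -> bool:
    return len(b) >= 5 and b[0] == 0xE9              # jmp rel32

def _rip_indirect_jmp(b: bytes) -> bool:
    return len(b) >= 6 and b[0:2] == b"\xFF\x25"     # jmp [rip+disp32]

def _movabs_jmp(b: bytes) -> bool:
    # mov rax, imm64 ; jmp rax  ->  48 B8 <8 bytes> FF E0
    return len(b) >= 12 and b[0:2] == b"\x48\xB8" and b[10:12] == b"\xFF\xE0"

def _push_ret(b: bytes) -> bool:
    # push imm32 ; ret  ->  68 <4 bytes> C3
    return len(b) >= 6 and b[0] == 0x68 and b[5] == 0xC3

HOOK_PATTERNS = [
    ("jmp rel32", _rel32_jmp),
    ("jmp [rip+disp32]", _rip_indirect_jmp),
    ("movabs rax; jmp rax", _movabs_jmp),
    ("push imm32; ret", _push_ret),
]

def classify_entry(entry: bytes) -> Optional[str]:
    """Name the redirect pattern found at the function entry, or None if none matches."""
    for name, pred in HOOK_PATTERNS:
        if pred(entry):
            return name
    return None

def hook_target(entry: bytes, func_addr: int) -> Optional[int]:
    """Compute where control is diverted to, for the patterns whose target is encoded inline."""
    if _rel32_jmp(entry):
        disp = int.from_bytes(entry[1:5], "little", signed=True)
        return func_addr + 5 + disp          # rel32 is relative to the next instruction
    if _movabs_jmp(entry):
        return int.from_bytes(entry[2:10], "little")
    if _push_ret(entry):
        return int.from_bytes(entry[1:5], "little")
    return None                              # [rip+disp32] needs a memory read to resolve

def compare_with_reference(live: bytes, reference: bytes) -> bool:
    """Stronger check: live entry bytes should equal the same bytes from the on-disk module."""
    return live[:len(reference)] == reference

def check_function(name: str, live: bytes, reference: bytes, addr: int) -> dict:
    """Summarise the inspection of one function for a report or a detection rule."""
    return {
        "function": name,
        "matches_reference": compare_with_reference(live, reference),
        "redirect": classify_entry(live),
        "redirect_target": hook_target(live, addr),
    }

# Constructed samples; these are NOT real Solaris kernel bytes.
CLEAN_ENTRY = bytes.fromhex("55 48 89 e5 41 57 41 56 41 55")    # push rbp; mov rbp,rsp; ...
HOOKED_ENTRY = bytes.fromhex("e9 fb 0f 00 00 41 56 41 55 90")   # jmp +0xffb, prologue overwritten
FUNC_ADDR = 0xFFFFFFFFF0001000                                  # placeholder load address

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_ENTRY), ("hooked", HOOKED_ENTRY)):
        print(label, check_function("ipcl_get_next_conn", blob, CLEAN_ENTRY, FUNC_ADDR))
```

The pattern list catches the usual entry-point trampolines, but the reference comparison is the more reliable test: a rootkit can use an unusual instruction sequence, whereas a mismatch between live text and the on-disk module is hard to explain away. Any redirect target that falls outside the kernel's known module ranges is worth pulling for analysis.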

Researchers also noted that the threat actors built the rootkit to intercept banking card and PIN verification data on infected ATM switch servers and to carry out unauthorized transactions. It also enables its developers to manipulate card verification messages and respond to PIN verification messages.

The rootkit also stores valid messages that match non-fraudulent Primary Account Numbers (PANs) internally and forwards them to the HSM, so that legitimate customer transactions are unaffected and no suspicion is raised.

The LightBasin group uses its skill and experience to take advantage of the reduced visibility and weaker security controls on Unix and Linux systems. Researchers expect the group to expand this activity and run similar operations for financial gain.
