malware

Threat analysts following the activity of LightBasin, a financially motivated group of hackers, report the discovery of a previously unknown Unix rootkit that is used to steal ATM banking data and conduct fraudulent transactions.

The particular group of adversaries has been recently observed targeting telecom companies with custom implants, while back in 2020, they were spotted compromising managed service providers and victimizing their clients.

In a new report by Mandiant, researchers present further evidence of LightBasin activity, focusing on bank card fraud and the compromise of crucial systems.

LightBasin’s new rootkit is a Unix kernel module named “Caketap” that is deployed on servers running the Oracle Solaris operating system.

When loaded, Caketap hides network connections, processes, and files while installing several hooks into system functions to receive remote commands and configurations.

The commands observed by the analysts are the following:

• Add the CAKETAP module back to the loaded modules list
• Change the signal string for the getdents64 hook
• Add a network filter (format p)
• Remove a network filter
• Set the current thread TTY to not to be filtered by the getdents64 hook
• Set all TTYs to be filtered by the getdents64 hook
• Displays the current configuration

The ultimate goal of Caketap is to intercept banking card and PIN verification data from breached ATM switch servers and then use the stolen data to facilitate unauthorized transactions.

The messages intercepted by Caketap are destined for the Payment Hardware Security Module (HSM), a tamper-resistant hardware device used in the banking industry for generating, managing, and validating cryptographic keys for PINs, magnetic stripes, and EMV chips.

Caketap manipulates the card verification messages to disrupt the process, stops those that match fraudulent bank cards, and generates a valid response instead.

In a second phase, it saves valid messages that match non-fraudulent PANs (Primary Account Numbers) internally and sends them to the HSM so that routine customer transactions aren’t affected and the implant operations remain stealthy.

“We believe that CAKETAP was leveraged by UNC2891 (LightBasin) as part of a larger operation to successfully use fraudulent bank cards to perform unauthorized cash withdrawals from ATM terminals at several banks,” explains Mandiant’s report.

Other tools linked to the actor in previous attacks include Slapstick, Tinyshell, Steelhound, Steelcorgi, Wingjook, Wingcrack, Binbash, Wiperight, and the Mignogcleaner, all of which Mandiant confirmed as still deployed in LightBasin attacks.

LightBasin is a highly skillful threat actor that takes advantage of relaxed security in mission-critical Unix and Linux systems that are often treated as intrinsically secure or largely ignored due to their obscurity.

This is precisely where adversaries like LightBasic thrive, and Mandiant expects them to continue to capitalize on the same operational strategy.

As for attribution, the analysts spotted some overlaps with the UNC1945 threat cluster but don’t have any concrete links to draw safe conclusions on that front yet.

The ransomware space was very active in the last quarter of 2021, with threat analysts observing 722 distinct attacks deploying 34 different variants.

This massive amount of activity creates problems for the defenders, making it harder to keep up with individual group tactics, indicators of compromise, and detection opportunities.

Compared to Q3 2021, the last quarter had 18% higher attack volume, while the comparison to Q2 2021 results in a difference of 22%, so there’s a trend of increasing attack numbers.

The most prevalent ransomware groups in Q4 2021, according to a report by Intel 471, were LockBit 2.0 (29.7%), Conti (19%), PYSA (10.5%), and Hive (10.1%).

Compared to the preceding quarter, only PYSA had a noticeable rise in activity, which was also noted in a report by the NCC Group that examined November 2021 data.

The most targeted region was North America, accounting for almost half of all attacks by the ransomware operations mentioned above. Europe followed with roughly 30%, leaving only 20% to the rest of the world.

The stats are rather balanced for targeted industries, and only the Consumer and Industrial products sector stands out, accounting for one out of four attacks. Manufacturing, professional services, and real estate also had substantial shares.

When looking at this from the perspective of trends, compared to Q3 2021 data, the manufacturing sector dropped while consumer and industrial products rose. In addition, life sciences and health care also had a significant rise.

This shift could be due to the seasonal interest for shopping during Christmas and Black Friday/Cyber Monday, which makes associated targets more lucrative.

Healthcare also obtains a more critical role as we move towards the end of the year, possibly due to the winter in the northern hemisphere bringing higher viral transmission rates.

Ransomware groups aim to disrupt the operations of firms at the worst possible time, to increase the chances of having a quick resolution in their negotiation for the payment of the demanded ransom.

For example, the FBI recently warned that ransomware gangs commonly target companies during mergers and acquisitions to further apply pressure during negotiations.

However, in many cases, the targeted companies are purely opportunistic in nature, where ransomware gangs simply attack whoever they can gain access to rather than based on any vertical or season.

Newly discovered data-destroying malware was observed earlier today in attacks targeting Ukrainian organizations and deleting data across systems on compromised networks.

“This new malware erases user data and partition information from attached drives,” ESET Research Labs explained.

“ESET telemetry shows that it was seen on a few dozen systems in a limited number of organizations.”

While designed to wipe data across Windows domains it’s deployed on, CaddyWiper will use the DsRoleGetPrimaryDomainInformation() function to check if a device is a domain controller. If so, the data on the domain controller will not be deleted.

This is likely a tactic used by the attackers to maintain access inside the compromised networks of organizations they hit while still heavily disturbing operations by wiping other critical devices.

While analyzing the PE header of a malware sample discovered on the network of an undisclosed Ukrainian organization, it was also discovered that the malware was deployed in attacks the same day it was compiled.

“CaddyWiper does not share any significant code similarity with HermeticWiper, IsaacWiper, or any other malware known to us. The sample we analyzed was not digitally signed,” ESET added.

“Similarly to HermeticWiper deployments, we observed CaddyWiper being deployed via GPO, indicating the attackers had prior control of the target’s network beforehand.”

CaddyWiper is the fourth data wiper malware deployed in attacks in Ukraine since the start of 2022, with ESET Research Labs analysts previously discovering two others and Microsoft a third.

One day before the Russian invasion of Ukraine started, on February 23rd, ESET researchers spotted a data-wiping malware now known as HermeticWiper, used to target Ukraine together with ransomware decoys.

They also discovered a data wiper they dubbed IsaacWiper and a new worm named HermeticWizard the attackers used to drop HermeticWiper wiper payloads, deployed the day Russia invaded Ukraine.

Microsoft also found a wiper now tracked as WhisperGate, used in data-wiping attacks against Ukraine in mid-January, disguised as ransomware.

As Microsoft President and Vice-Chair Brad Smith said, these ongoing attacks with destructive malware against Ukrainian organizations “have been precisely targeted.”

This contrasts with the indiscriminate NotPetya worldwide malware assault that hit Ukraine and other countries in 2017, an attack later linked to Sandworm, a Russian GRU Main Intelligence Directorate hacking group.

Such destructive attacks are part of a “massive wave of hybrid warfare,” as the Ukrainian Security Service (SSU) described them right before the war started.