UNC2891: Hackers Use 4G Raspberry Pi in Bank Network

In late July 2025, researchers at Group-IB uncovered a sophisticated intrusion in an unnamed financial institution’s network. Attackers from the UNC2891 threat group used unconventional hardware, custom malware, and advanced concealment methods to attempt unauthorized control over the bank’s ATM infrastructure.
Overview of the Incident
Group-IB security analysts disclosed that the threat actors physically planted a Raspberry Pi 4 Model B—featuring 4 GB of LPDDR4 RAM—directly into an internal network switch in the ATM VLAN. Equipped with a Quectel EC25-AU 4G LTE Cat-4 modem, this device bypassed perimeter firewalls and network access control, appearing as a legitimate node within the bank’s segmented environment.
- Hardware specs: Raspberry Pi 4 Model B with 4 GB LPDDR4 SDRAM and microSD storage.
- 4G Modem: Quectel EC25-AU module, LTE FDD Bands 1/3/5/7/8/20, fallback to 3G/2G.
- Network access: DHCP-assigned IP address on the ATM subnet, 802.1Q VLAN tagging.
Advanced Malware and Stealth Techniques
The attackers deployed a Linux-based backdoor masquerading as the LightDM display manager. Using a bind mount technique (MITRE ATT&CK T1564.013), they hid custom binaries and intercepted filesystem calls to evade file integrity monitoring (FIM) and forensic tools.
Technical Deep Dive: Linux Bind Mount Rootkit
- Create a hidden directory (e.g., /opt/.ldm) and place the malicious binary there.
- Mount the rogue executable over the legitimate binary: mount --bind /opt/.ldm/lightdm /usr/bin/lightdm.
- Modify ld.so.preload to hook open() and read() syscalls, filtering out references to hidden paths.
This approach conceals process names and file hashes, effectively creating a rootkit-like environment that standard monitoring solutions cannot detect.
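Both halves of the technique leave host-side traces that can be checked without trusting the tools the attacker hooked. The Python script below is an added example, not code from Group-IB's report or from the incident: it parses the kernel's mountinfo text format to flag per-file bind mounts landing inside system binary directories, and lists entries in /etc/ld.so.preload that are not on an allowlist. The sample mountinfo lines, the /opt/.ldm paths in them, the preload sample and the allowlist are all constructed for illustration. It also serves as a concrete form of the host-based integrity check recommended in the mitigation section later in this article.

```python
"""Added example: detect the two host-side traces of the technique above,
a per-file bind mount over a system binary and unexpected entries in
/etc/ld.so.preload. Parses the kernel's mountinfo text format, so it runs
against the live /proc/self/mountinfo or against a copy taken from a
forensic image. Sample data below is constructed, not from the incident."""
import os
import re
from typing import Dict, Iterable, List

# Directories whose individual files should never be the target of a bind
# mount on a production host (heuristic; tune for your own builds).
PROTECTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                      "/lib/", "/lib64/", "/usr/lib/")

# Constructed mountinfo sample: line 3 models a rogue file bind-mounted over
# /usr/bin/lightdm; line 4 is a benign whole-filesystem mount.
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
35 22 0:5 / /proc rw,nosuid,nodev,noexec shared:9 - proc proc rw
87 22 8:1 /opt/.ldm/lightdm /usr/bin/lightdm rw,relatime shared:1 - ext4 /dev/sda1 rw
88 22 8:2 / /srv/www rw,relatime shared:12 - ext4 /dev/sdb1 rw
"""

# Constructed /etc/ld.so.preload sample: one allowlisted library, one rogue.
SAMPLE_LD_PRELOAD = """\
/usr/lib/x86_64-linux-gnu/libfakeroot/libfakeroot-sysv.so
/opt/.ldm/libhide.so
"""


def _unescape(field: str) -> str:
    """mountinfo encodes space, tab, newline and backslash as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> List[Dict[str, str]]:
    """Return one dict per mount with root, mount_point, fstype and source.
    Fields before ' - ' are: id, parent, major:minor, root, mount point,
    options, then optional tags; after it: fstype, source, super options."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, sep, right = line.partition(" - ")
        lf, rf = left.split(), right.split()
        if not sep or len(lf) < 6 or len(rf) < 2:
            continue  # malformed line: skip it rather than abort a triage run
        entries.append({"root": _unescape(lf[3]),
                        "mount_point": _unescape(lf[4]),
                        "fstype": rf[0], "source": rf[1]})
    return entries


def find_suspicious_bind_mounts(text: str) -> List[Dict[str, str]]:
    """A bind mount of a sub-path shows its origin in the 'root' field
    (e.g. /opt/.ldm/lightdm), whereas a whole filesystem mounted anywhere
    has root '/'. Flag sub-path mounts landing inside protected directories."""
    return [e for e in parse_mountinfo(text)
            if e["root"] != "/" and e["mount_point"].startswith(PROTECTED_PREFIXES)]


def has_hidden_component(path: str) -> bool:
    """True if any directory or file name in the path starts with a dot."""
    return any(part.startswith(".") for part in path.split("/") if part)


def check_ld_preload(text: str, allowlist: Iterable[str] = ()) -> List[str]:
    """ld.so.preload is a whitespace-separated list of shared objects loaded
    into every dynamically linked process. On most servers it is absent or
    empty, so any entry not on the allowlist is worth a look."""
    allowed = set(allowlist)
    return [entry for entry in text.split() if entry not in allowed]


if __name__ == "__main__":
    # Live check when run on a Linux host; falls back to the samples elsewhere.
    mi = open("/proc/self/mountinfo").read() if os.path.exists("/proc/self/mountinfo") else SAMPLE_MOUNTINFO
    pl = open("/etc/ld.so.preload").read() if os.path.exists("/etc/ld.so.preload") else SAMPLE_LD_PRELOAD
    for e in find_suspicious_bind_mounts(mi):
        print(f"bind mount over {e['mount_point']} from {e['root']} "
              f"(hidden path: {has_hidden_component(e['root'])})")
    for entry in check_ld_preload(pl):
        print(f"ld.so.preload entry: {entry} (hidden path: {has_hidden_component(entry)})")
```

Because a preload hook filters what dynamically linked programs read, run this from a statically linked interpreter or binary, or against an offline copy of the filesystem image, and corroborate with the package manager's own verification (dpkg --verify or rpm -V) rather than with file hashes computed on the compromised host.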
Command-and-Control Architecture
UNC2891 established a dual-channel C2 framework:
- Raspberry Pi C2: HTTPS beacons over 4G every 10 minutes, using self-signed TLS certificates.
- Mail Server Backdoor: Outbound SMTP over port 587 with custom X-headers carrying encrypted data.
- Pivot: A network monitoring server with unrestricted access within the data center, relaying traffic between the Pi and the mail server.
Initial triage tools recorded recurring outbound connections but no associated process IDs. Only memory dumps analyzed with Volatility exposed the disguised lightdm process handling the network sockets.
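When the owning process is hidden from host triage, the fixed-period beacons described above are still visible from the network side. The Python script below is an added example, not code from the report: it groups connection records by destination and port, computes the gaps between consecutive connections, and flags destinations whose gaps cluster tightly around a period between one minute and one hour. The log records and the RFC 5737 documentation addresses in them are constructed for the example and are not indicators from the incident.

```python
"""Added example: find periodic outbound connections (beaconing) in a
connection log. Records are (timestamp, destination IP, destination port)
tuples as exported from a firewall, NetFlow collector or Zeek conn.log.
The sample below is constructed for this example, using RFC 5737
documentation addresses rather than any real indicator."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Record = Tuple[datetime, str, int]


def constructed_log() -> List[Record]:
    """Eight HTTPS connections 600 s apart with a few seconds of jitter,
    mixed with irregular traffic to a package mirror and a mail relay."""
    base = datetime(2025, 7, 20, 2, 0, 0)
    recs: List[Record] = []
    for i, jitter in enumerate([0, 3, -2, 5, 1, -4, 2, 0]):
        recs.append((base + timedelta(seconds=600 * i + jitter), "203.0.113.10", 443))
    for offset in (15, 140, 1900, 2100, 4800):
        recs.append((base + timedelta(seconds=offset), "198.51.100.7", 443))
    for offset in (30, 3300):
        recs.append((base + timedelta(seconds=offset), "198.51.100.25", 587))
    return sorted(recs)


def beacon_candidates(records: List[Record], min_count: int = 5, max_cv: float = 0.05,
                      min_period: float = 60.0, max_period: float = 3600.0
                      ) -> Dict[Tuple[str, int], Dict[str, float]]:
    """Group by (dst, port); for groups with at least min_count connections,
    compute the gaps between consecutive connections. A beacon has a mean gap
    (its period) inside the window and a small coefficient of variation
    (std / mean), meaning the gaps barely vary. Returns the flagged groups
    with their connection count, period in seconds and cv."""
    by_dst: Dict[Tuple[str, int], List[datetime]] = defaultdict(list)
    for ts, dst, port in records:
        by_dst[(dst, port)].append(ts)
    findings: Dict[Tuple[str, int], Dict[str, float]] = {}
    for key, times in by_dst.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if not min_period <= period <= max_period:
            continue
        cv = pstdev(gaps) / period if period > 0 else float("inf")
        if cv <= max_cv:
            findings[key] = {"count": len(times), "period_s": round(period, 1), "cv": round(cv, 4)}
    return findings


if __name__ == "__main__":
    for (dst, port), info in beacon_candidates(constructed_log()).items():
        print(f"{dst}:{port} -> {info['count']} connections every ~{info['period_s']} s (cv {info['cv']})")
```

The thresholds are deliberately conservative; loosen max_cv if the implant is expected to add random sleep between check-ins, and pair the output with a process-to-socket correlation from a memory image, since the host's own socket listing was unreliable in this case.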
Deeper Analysis: ATM Switching Network Vulnerabilities
ATM switching servers typically run hardened Linux or Solaris kernels and interface with hardware security modules (HSMs) for cryptographic operations. UNC2891 aimed to intercept HSM commands—such as GEN_RND and DEC_PIN—to fabricate valid PIN blocks and EMV cryptograms, facilitating unauthorized withdrawals without triggering fraud alerts.
Deeper Analysis: Mitigation and Defense-in-Depth
Industry experts recommend a multi-layered defense strategy:
- Physical security: Deploy CCTV, port locks, and badge-based authentication for critical network closets.
- Network microsegmentation: Enforce zero-trust policies and Next-Generation Firewalls (NGFWs) between ATM VLANs and corporate networks.
- Host-based monitoring: Use kernel-level auditing (e.g., auditd) and immutable file checks for key binaries like /usr/bin/lightdm.
- Behavioral analytics: Implement User and Entity Behavior Analytics (UEBA) to detect anomalous TLS and SMTP traffic spikes.
Expert Opinion
“This case underscores the convergence of physical intrusion techniques with advanced malware,” says Dr. Elena Ramirez, Senior Researcher at MITRE. “Organizations must integrate physical security controls with cyber defenses to defend against supply-chain–style breaches within their internal networks.”
Conclusion
Although Group-IB thwarted UNC2891 before the deployment of the CakeTap rootkit on the ATM switch, this incident reveals a growing trend: threat actors blending IoT hardware abuse with sophisticated rootkit techniques. Financial institutions must continuously enhance monitoring, enforce strict access controls, and conduct regular forensic assessments to safeguard their critical infrastructure.