
UNC2891 Hackers Using Cloned Cards and Raspberry Pi to Steal Cash from ATMs

A cybercrime group tracked as UNC2891 has run a years-long campaign draining cash from ATMs at Southeast Asian banks, combining network intrusion with hands-on hardware tampering.

Recent analysis from Group-IB reveals that this sophisticated operation has compromised dozens of financial institutions since 2017, spotlighting urgent gaps in both physical and digital security measures.

Ingenious Hardware Infiltration

UNC2891’s innovation lies not just in malware, but in how they fuse physical access with cyber tools.

Investigators found that the group physically installed Raspberry Pi computers, credit-card-sized single-board computers that are cheap and easy to hide, inside bank networks, plugged into the same network switches that serve the ATMs.

Fitted with 4G modems, these devices gave the attackers an out-of-band channel into the ATM network: traffic rode the cellular link instead of the bank's internet egress, so perimeter firewalls, proxies and egress monitoring never saw it.
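A rogue device with its own cellular uplink leaves nothing in firewall or proxy logs, but it still has to answer ARP on the switch it is plugged into. The following script is an added example, not code from Group-IB or the article: it takes an `ip neigh show` dump and an asset inventory of known MAC addresses, flags every neighbour that is not in the inventory, and tags the Raspberry Pi OUIs separately. The OUI list is assumed from the IEEE registry and the neighbour and inventory lines are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the Group-IB report): flag hosts on a segment whose
# MAC address is not in the asset inventory, and call out Raspberry Pi OUIs
# separately. Input is the output of `ip neigh show`; the inventory is one
# MAC per line.

# Raspberry Pi OUIs (assumed from the IEEE registry; extend for other boards).
RPI_OUIS="b8:27:eb dc:a6:32 e4:5f:01 28:cd:c1 d8:3a:dd"

# Print "TAG ip mac" for each neighbour whose MAC is not in the inventory.
# $1: neighbour table dump, $2: inventory file
flag_unknown_macs() {
    awk -v ouis="$RPI_OUIS" -v inv="$2" '
        BEGIN { n = split(ouis, o, " "); for (i = 1; i <= n; i++) rpi[o[i]] = 1 }
        FILENAME == inv { if ($1 != "") known[tolower($1)] = 1; next }
        {
            mac = ""
            for (i = 1; i < NF; i++) if ($i == "lladdr") mac = tolower($(i + 1))
            if (mac == "" || (mac in known)) next   # incomplete entry or known asset
            tag = (substr(mac, 1, 8) in rpi) ? "RASPBERRY_PI" : "UNKNOWN"
            printf "%s %s %s\n", tag, $1, mac
        }' "$2" "$1"
}

# Constructed sample neighbour table: two inventoried hosts, one Pi, one
# unknown vendor, and an entry that never resolved.
SAMPLE_NEIGH=$(mktemp)
cat > "$SAMPLE_NEIGH" <<'EOF'
192.168.10.5 dev eth0 lladdr 00:50:56:aa:bb:01 REACHABLE
192.168.10.57 dev eth0 lladdr B8:27:EB:12:34:56 STALE
192.168.10.58 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.10.60 dev eth0 lladdr 3c:ec:ef:01:02:03 DELAY
192.168.10.99 dev eth0  FAILED
EOF

# Constructed inventory of approved MAC addresses.
SAMPLE_INVENTORY=$(mktemp)
cat > "$SAMPLE_INVENTORY" <<'EOF'
00:50:56:aa:bb:01
00:11:22:33:44:55
EOF

echo "uninventoried neighbours in sample:"
flag_unknown_macs "$SAMPLE_NEIGH" "$SAMPLE_INVENTORY"
```

On a live host, replace the sample dump with `ip neigh show > neigh.txt` taken from a box on the ATM segment (or the switch's own MAC table export) and run the check on a schedule; the useful signal is any `RASPBERRY_PI` or `UNKNOWN` line that persists across runs.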

This underscores a lesson that is easy to forget: physical access is as much a part of the attack surface as anything reachable over the network.

A small, cheap device that slips past physical security checks can open the way to multimillion-dollar theft.

UNC2891 couples its physical exploits with deep expertise in Linux and Unix environments. Researchers traced at least six custom malware families, including CAKETAP, SLAPSTICK, and TINYSHELL.

These tools allow attackers to monitor, intercept, and manipulate ATM transaction flows on the fly, all while evading detection.

Their operational security is formidable. To hide their implants they abused Linux bind mounts, mounting another directory over a malicious process's /proc/<pid> entry so that ps, top and forensic tools that read /proc see something else, which let them persist and move laterally inside compromised bank systems without leaving obvious traces.
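The bind-mount trick is cheap to detect because the mount itself is recorded in the kernel's mount table. The script below is an added example, not Group-IB's tooling: it parses `/proc/self/mountinfo` and reports any mount whose mount point is a /proc/<pid> directory. A constructed mountinfo sample, including the result of `mount --bind /proc/1 /proc/4242`, is embedded so the check runs anywhere; nothing legitimate mounts over a /proc/<pid> directory, so any hit deserves a look.

```shell
#!/bin/sh
# Added example (not from the Group-IB report): find mounts placed over
# /proc/<pid>. ps, top and most forensic collectors describe a process by
# reading /proc/<pid>/, so a directory bind-mounted over that path hides the
# real cmdline, exe and maps.

# Print "pid mountpoint fstype source root" for every mount whose mount point
# is a /proc/<pid> directory or anything beneath it.
# $1: file in /proc/self/mountinfo format
find_proc_overmounts() {
    awk '
        $5 ~ /^\/proc\/[0-9]+(\/|$)/ {
            # mountinfo fields: 1 id, 2 parent, 3 maj:min, 4 root, 5 mount
            # point, 6 options, optional tags, "-", fstype, source, super opts
            split($5, p, "/"); pid = p[3]
            for (i = 7; i <= NF; i++) if ($i == "-") break
            printf "%s %s %s %s %s\n", pid, $5, $(i + 1), $(i + 2), $4
        }' "$1"
}

# Just the PIDs, deduplicated, for feeding into a follow-up check.
hidden_pids() {
    find_proc_overmounts "$1" | awk '{ print $1 }' | sort -un
}

# Constructed sample: a normal /proc, root fs and tmpfs, plus the result of
# `mount --bind /proc/1 /proc/4242`, which makes PID 4242 look like init.
SAMPLE_MOUNTINFO=$(mktemp)
cat > "$SAMPLE_MOUNTINFO" <<'EOF'
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
91 22 0:21 /1 /proc/4242 rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
92 28 0:30 / /tmp rw,nosuid,nodev shared:15 - tmpfs tmpfs rw
EOF

echo "overmounted /proc entries in sample:"
find_proc_overmounts "$SAMPLE_MOUNTINFO"

# On a live host, run against the real table; anything printed is suspect.
if [ -r /proc/self/mountinfo ]; then
    echo "overmounted /proc entries on this host:"
    find_proc_overmounts /proc/self/mountinfo
fi
```

Run it from the initial mount namespace (or from each container's namespace) because mountinfo is per namespace; an implant that unshares its mount namespace before overmounting will not show up in the host's table, so pair this with a comparison of PIDs listed in /proc against those reported by ps.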


Remarkably, these efforts appear to have allowed UNC2891 to remain undetected for as long as seven years, an eternity in cybersecurity terms.

Beyond digital compromise, UNC2891’s blueprint incorporates a full-scale money-mule network. The group recruits intermediaries via Telegram and even Google Ads, directing them to specific ATMs and supplying cloned cards.

These mules physically withdraw stolen funds, completing a criminal circuit that functions as a modern cybercrime ecosystem rather than an isolated hacking incident.

The three named families, as documented in Mandiant's 2022 analysis of UNC2891, are implants rather than exploits for particular vulnerabilities:

Malware family   Platform          Role in the intrusion
CAKETAP          Oracle Solaris    Kernel rootkit that hides the group's processes, files and network connections and intercepts card-verification messages bound for the payment HSM so that cloned cards are approved
SLAPSTICK        Oracle Solaris    PAM backdoor that accepts a hard-coded password and logs legitimate logins
TINYSHELL        Linux/Unix        Publicly available backdoor, customised by the group for remote command execution over the network

ATM networks are increasingly targeted as “weakest links” in banking security. The UNC2891 case highlights that overlooked physical vulnerabilities easily undermine substantial investments in digital security.

Rigorous physical asset monitoring and a multilayered defense strategy that addresses both network and hardware security are essential to counter hybrid threats posed by groups like UNC2891.


The post UNC2891 Hackers Using Cloned Cards and Raspberry Pi to Steal Cash from ATMs appeared first on Cyber Security News.
