Security News > 2022 > March > New Unix rootkit used to steal ATM banking data

Threat analysts following the activity of LightBasin, a financially motivated group of hackers, report the discovery of a previously unknown Unix rootkit that is used to steal ATM banking data and conduct fraudulent transactions.

In a new report by Mandiant, researchers present further evidence of LightBasin activity, focusing on bank card fraud and the compromise of crucial systems.

LightBasin's new rootkit is a Unix kernel module named "Caketap" that is deployed on servers running the Oracle Solaris operating system.

The ultimate goal of Caketap is to intercept banking card and PIN verification data from breached ATM switch servers and then use the stolen data to facilitate unauthorized transactions.

The messages intercepted by Caketap are destined for the Payment Hardware Security Module, a tamper-resistant hardware device used in the banking industry for generating, managing, and validating cryptographic keys for PINs, magnetic stripes, and EMV chips.

Caketap manipulates the card verification messages to disrupt the process, stops those that match fraudulent bank cards, and generates a valid response instead. In a second phase, it saves valid messages that match non-fraudulent PANs internally and sends them to the HSM so that routine customer transactions aren't affected and the implant operations remain stealthy.

News URL

https://www.bleepingcomputer.com/news/security/new-unix-rootkit-used-to-steal-atm-banking-data/