Advanced Malware Compromises ATM Infrastructure in Sophisticated Heist

A recent cyber-heist has targeted multiple banking institutions’ ATM infrastructure using a combination of physical infiltration, low-level Linux malware, and sophisticated forensic evasion techniques. The threat actor, identified as UNC2891, exploited weaknesses in bootloader integrity to bypass traditional endpoint security and network monitoring systems.

The attack involved physical access to the ATMs, followed by the injection of a custom GRUB2 bootloader using a USB device. This allowed the attackers to boot a modified Linux image, gaining full kernel control. The malware also hijacked ATM processes without modifying them on disk, utilizing LD_PRELOAD techniques and shared object injection.

The threat actor deployed Loadable Kernel Modules (LKMs) to hook system calls and hide their processes, files, and network traffic. Persistence was achieved via custom systemd services and GRUB modifications, while forensic tools were neutralized using hijacked binaries, custom logging suppressors, and execution in memory using tmpfs.

Despite its stealth, the operation left behind subtle indicators, including periodic beaconing to a Raspberry Pi device on port 929. The attackers also used masquerading binaries to evade detection, maintaining active connections to an internal mail server as a persistent C2 relay.

The attack demonstrates that cybercriminals are increasingly blending physical access, kernel-level malware, and advanced anti-forensics to stay undetected even in highly regulated industries like banking. Traditional detection methods failed because the attackers operated below the radar – in memory, in hardware, and outside the expected process trees.

To defend against attacks like this, Linux EDR and forensic tooling should monitor mount and umount syscalls, alerting when /proc/[pid] is mounted over with tmpfs or an unexpected filesystem. Block execution of binaries from /tmp, .snapd, or mounted USB devices, segment ATM networks from monitoring infrastructure, and monitor for beaconing to unknown local IPs or unusual ports.

The incident highlights the need for improved security measures, including always collecting memory dumps in addition to disk images, using custom scripts to capture real-time socket-to-PID associations, and treating system processes running outside their expected paths as suspicious.
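The two detection points above (a mount layered over /proc/[pid], and beaconing to an unknown local peer or unusual port tied back to its owning process) can be checked from the text Linux already exposes under /proc. The script below is an added example written for this page, not tooling from the reporting or from the incident response; the mountinfo lines, /proc/net/tcp rows and the fd-link table are constructed sample data, and KNOWN_PEERS and ALLOWED_PORTS are placeholder baselines a deployment would fill from its own inventory.

```python
"""Added example: two checks the article recommends, run over the formats
Linux exposes in /proc so the same code works live or on captured artifacts.
All sample data is constructed for illustration.
  1. Mounts layered over /proc/<pid>: hides that process from ps and from
     anything that walks /proc.
  2. Established TCP sockets to a peer outside an allow-list or on an
     unexpected port, joined to the owning PID through the socket inode.
"""
import re
from typing import Dict, Iterable, List, Tuple

PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")

# Constructed /proc/self/mountinfo sample (format per proc(5)):
# id parent maj:min root mount-point options ... - fstype source superopts
SAMPLE_MOUNTINFO = """\
22 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
25 22 0:24 / /proc/sys/fs/binfmt_misc rw,relatime - autofs systemd-1 rw
97 22 0:43 / /proc/4471 rw,nosuid,nodev,relatime - tmpfs tmpfs rw
98 22 8:1 /var/empty /proc/4472 rw,relatime - ext4 /dev/sda1 rw
"""

# Constructed /proc/net/tcp sample. Addresses are hex with IPv4 bytes reversed;
# state 01 is ESTABLISHED, 0A is LISTEN; the tenth column is the socket inode.
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 281E140A:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 100 0 0 10 0
   1: 281E140A:B26E 631E140A:03A1 01 00000000:00000000 00:00000000 00000000     0        0 30001 1 0000000000000000 20 4 30 10 -1
   2: 281E140A:C2F4 051E140A:01BB 01 00000000:00000000 00:00000000 00000000     0        0 30002 1 0000000000000000 20 4 30 10 -1
"""

# Constructed stand-in for readlink() over /proc/<pid>/fd/*: pid -> link targets.
SAMPLE_FD_LINKS = {"4471": ["pipe:[18888]", "socket:[30001]"],
                   "1203": ["socket:[30002]"]}

# Placeholder baseline; a real deployment fills these from its own inventory.
KNOWN_PEERS = {"10.20.30.5"}
ALLOWED_PORTS = {22, 443}


def parse_mountinfo(text: str) -> List[Tuple[str, str, str]]:
    """Return (mount_point, fstype, source) for each mountinfo line."""
    entries = []
    for line in text.splitlines():
        if " - " not in line:
            continue
        left, right = line.split(" - ", 1)
        lf, rf = left.split(), right.split()
        if len(lf) < 5 or len(rf) < 2:
            continue
        # mountinfo escapes spaces inside paths as \040
        entries.append((lf[4].replace("\\040", " "), rf[0], rf[1]))
    return entries


def find_hidden_pid_mounts(text: str) -> List[Tuple[str, str, str]]:
    """PIDs whose /proc/<pid> directory has something mounted on top of it."""
    hits = []
    for mount_point, fstype, source in parse_mountinfo(text):
        m = PROC_PID_RE.match(mount_point)
        if m:
            hits.append((m.group(1), fstype, source))
    return hits


def decode_addr(field: str) -> Tuple[str, int]:
    """'281E140A:B26E' -> ('10.20.30.40', 45678); the IPv4 bytes are reversed."""
    ip_hex, port_hex = field.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(port_hex, 16)


def socket_owners(fd_links: Dict[str, Iterable[str]]) -> Dict[str, str]:
    """Map socket inode -> pid from each process's fd link targets."""
    owners = {}
    for pid, targets in fd_links.items():
        for target in targets:
            if target.startswith("socket:["):
                owners[target[8:-1]] = pid
    return owners


def flag_connections(net_tcp: str, fd_links, known_peers=KNOWN_PEERS,
                     allowed_ports=ALLOWED_PORTS) -> List[dict]:
    """Established sockets to an unknown peer or unexpected port, with owner PID."""
    owners = socket_owners(fd_links)
    flagged = []
    for line in net_tcp.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 10 or cols[3] != "01":
            continue
        remote_ip, remote_port = decode_addr(cols[2])
        if remote_ip in known_peers and remote_port in allowed_ports:
            continue
        flagged.append({"pid": owners.get(cols[9], "unknown"), "remote": remote_ip,
                        "port": remote_port, "inode": cols[9]})
    return flagged


def hidden_and_talking(mountinfo: str, net_tcp: str, fd_links) -> set:
    """PIDs both hidden behind a /proc mount and holding a flagged socket."""
    hidden = {pid for pid, _, _ in find_hidden_pid_mounts(mountinfo)}
    talking = {c["pid"] for c in flag_connections(net_tcp, fd_links)}
    return hidden & talking


if __name__ == "__main__":
    for pid, fstype, src in find_hidden_pid_mounts(SAMPLE_MOUNTINFO):
        print(f"ALERT mount over /proc/{pid}: {fstype} from {src}")
    for c in flag_connections(SAMPLE_NET_TCP, SAMPLE_FD_LINKS):
        print(f"ALERT pid {c['pid']} -> {c['remote']}:{c['port']} (inode {c['inode']})")
    print("hidden and beaconing:", hidden_and_talking(SAMPLE_MOUNTINFO, SAMPLE_NET_TCP, SAMPLE_FD_LINKS))
```

On a live host the same functions take the contents of /proc/self/mountinfo and /proc/net/tcp, with the fd-link table built by reading every /proc/<pid>/fd/* symlink; collecting that table from the running kernel, rather than from ps output, is what keeps the socket-to-PID association valid even when ps has been hijacked. The correlation step matters because a process that is both hidden behind a mount and holding an unexpected established socket is a far stronger signal than either observation alone.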

Source: https://www.securitynewspaper.com/2025/07/30/backdooring-atms-via-bootloader-these-hackers-showed-its-still-possible-in-2025