9/4/2023 0 Comments Malwarebytes rootkit![]() ![]() CAKETAP sends this stored verification message to the HSM to trick it into allowing a fraudulent transaction by sending the stored message. On the other hand, when a regular ATM user uses a valid card on an affected ATM, CAKETAP stores the verification message from a valid transaction, which essentially says that the card is not fraudulent, and forwards it to the HSM, allowing for routine transactions to continue uninterrupted. This, in turn, creates a valid response from the HSM. When threat actors use a fraudulent card on an affected ATM, CAKETAP alters card verification messages to disable card verification. Banks use this tamper- and intrusion-proof hardware component to generate, manage, and validate cryptographic keys for PINs, magnetic stripes, and EMV chips. This rootkit can conduct fraudulent bank transactions by intercepting specific messages-card and PIN verification messages-sent to the ATM system's Payment Hardware Security Module (HSM). It removes itself from a list of loaded modules on execution and updates data in the last_module_idfunction to reflect data from a previously loaded module. It hides network connections, processes, and files. This rootkit is a Unix kernel module that performs several malicious tasks to aid attackers-Mandiant tracks it as UNC2891 (aka LightBasin)-in conducting fraudulent ATM transactions.ĬAKETAP has an impressive list of stealth capabilities to hide its presence and activities. Recently, a new rootkit, which the Mandiant Advanced Practices team have named CAKETAP, was found targeting Oracle Solaris systems running on ATM switch servers. ![]() Malware can be plantedat the ATM's PC or its network, or attackers could launch a Man-in-the-Middle (MiTM)attack. It's not unusual to hear about malware created to affect automated teller machines (ATMs). ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |