Group-IB Exposes How Hackers Use Linux Bind Mounts (MITRE T1564.013) to Hide ATM Attack
Hackers infiltrated a bank’s internal network by installing a Raspberry Pi mini-computer equipped with a 4G modem, enabling remote access to the ATM system in an attempt to steal funds. This was revealed by researchers at Group-IB, who noted that such a tactic allowed the attackers to completely bypass the bank’s perimeter defenses and stealthily penetrate its critical infrastructure.
The device was connected to the same network switch as the ATM system, effectively granting the attackers direct access to the bank’s internal network. The ultimate objective was to compromise the ATM switching server and seize control of the hardware security module — a specialized device responsible for storing cryptographic keys and performing encryption and signature operations.
Attribution points to the notorious cybercriminal group UNC2891, active since 2017, known for targeting banking infrastructures using custom malware tailored for Linux, Unix, and Solaris environments. Previously, Mandiant specialists documented how the group embedded itself within a bank’s network for years, deploying the CakeTap rootkit — a tool capable of intercepting messages within ATM systems to facilitate unauthorized cash withdrawals using counterfeit cards.
In this latest attack, the perpetrators employed another unconventional technique — disguising the malware by means of bind mounts, a standard Linux feature used routinely in system administration. A bind mount makes the contents of one directory appear at a second path; here it was used to conceal the presence of the malicious process, which masqueraded as a legitimate LightDM (display manager) component. The malware mimicked the parameters of a legitimate process in order to mislead forensic analysts during the investigation.
In addition to the Raspberry Pi device, the group compromised the bank’s mail server — the only system maintaining a persistent internet connection. Both devices communicated via an intermediate monitoring server that had access to all other systems within the data center. Suspicious activity on this monitoring server — specifically, outbound connections every 10 minutes to an unknown device — tipped off the Group-IB researchers and prompted a deeper investigation.
Forensic analysis revealed that the malware’s concealment techniques were so effective that even advanced tools could not determine which process initiated the network connections. Only a memory dump analysis exposed the disguised process.
Experts have since contributed the bind mount technique to the MITRE ATT&CK framework, under ID T1564.013. Despite the attack’s sophistication, the malicious infrastructure was neutralized before the hackers could achieve their objective of deploying the CakeTap rootkit within the ATM network. Nevertheless, the incident serves as a stark illustration of how physical intrusion combined with advanced obfuscation techniques can circumvent even the most state-of-the-art security measures.
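The mount table itself (/proc/self/mountinfo) records any bind mount placed over a process's /proc entry, so it is one artifact a responder can check for T1564.013 before falling back to a memory dump. The check below is an added example, not code from Group-IB's report or from the incident: it parses a constructed mountinfo sample (the PIDs, process name and device names are made up), flags any mount whose mount point is /proc/<pid>, and cross-checks a /proc/<pid>/status text against the directory name it was read from.

```python
import re

# Constructed sample of /proc/self/mountinfo (not data from the incident).
# The last line is a mount placed over /proc/1234, which is the kind of
# entry a T1564.013-style process concealment leaves in the mount table.
SAMPLE_MOUNTINFO = """\
21 1 0:20 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
22 1 0:21 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
25 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
97 21 0:20 /5678 /proc/1234 rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
"""

PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")

def unescape(field):
    # mountinfo encodes space, tab, newline and backslash as octal escapes (\040 ...)
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Parse mountinfo lines into dicts with root, mount point, fstype and source."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Fields before the lone "-" are fixed plus optional tags; after it: fstype, source, opts.
        before, _, after = line.partition(" - ")
        f, g = before.split(), after.split()
        entries.append({
            "mount_id": int(f[0]), "parent_id": int(f[1]),
            "root": unescape(f[3]), "mount_point": unescape(f[4]),
            "fstype": g[0] if g else "", "source": g[1] if len(g) > 1 else "",
        })
    return entries

def find_proc_pid_overlays(entries):
    """Any mount whose mount point is /proc/<pid> shadows that process's real entry."""
    findings = []
    for e in entries:
        m = PROC_PID_RE.match(e["mount_point"])
        if m:
            findings.append({"shadowed_pid": int(m.group(1)), "root": e["root"],
                             "fstype": e["fstype"], "source": e["source"]})
    return findings

def status_pid_mismatch(dir_pid, status_text):
    """Second check: the Pid: field in /proc/<pid>/status must equal the directory name."""
    m = re.search(r"^Pid:\s+(\d+)$", status_text, re.M)
    return m is not None and int(m.group(1)) != dir_pid

if __name__ == "__main__":
    for hit in find_proc_pid_overlays(parse_mountinfo(SAMPLE_MOUNTINFO)):
        print("mount over /proc/%d: root %s, %s on %s" % (
            hit["shadowed_pid"], hit["root"], hit["fstype"], hit["source"]))
```

On a live host, feed `open("/proc/self/mountinfo").read()` to `parse_mountinfo` and each `/proc/<pid>/status` to `status_pid_mismatch`; a hit on either check identifies the directory whose contents no longer belong to the process the kernel actually runs under that PID.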