UNC2891: Inside the ATM Fraud Money Mule Network

Summary
– Cybersecurity researchers uncovered UNC2891’s multi-year ATM fraud campaign targeting Indonesian banks using Raspberry Pi devices and cloned cards.
– The threat group recruited money mules through Google ads and Telegram, providing cloned card equipment and real-time withdrawal coordination.
– UNC2891 deployed CAKETAP malware to bypass PIN verification and manipulate ATM security protocols using sophisticated rootkit techniques.
– The attackers maintained persistence with custom backdoors like TINYSHELL and SLAPSTICK while using anti-forensics tools to erase evidence.
– Group-IB linked the attacks across years through shared cryptographic keys and warned that ATM threats have evolved rather than disappeared.
Cybersecurity experts have revealed the extensive operations of a sophisticated criminal ring known as UNC2891, which executed a series of ATM fraud attacks targeting financial institutions in Indonesia over several years. This group’s activities went far beyond initial system breaches, incorporating a well-organized money mule recruitment network that used online platforms to enlist individuals for cash withdrawals.
In addition to the previously identified infiltration method involving Raspberry Pi devices, recent analysis by Group-IB shows UNC2891 ran a broader scheme. This included distributing cloned bank cards and managing coordinated cash collection teams. The threat actors carried out three distinct assaults: one against Bank A in February 2022, another against Bank B in November 2023, and a repeat attack on Bank A in July 2024. Investigators confirmed these incidents were linked by the consistent use of a custom malware packing tool named STEELCORGI.
The criminals established an elaborate system for moving stolen funds. They placed advertisements on Google and shared recruitment messages in Telegram channels to find money mules. After identifying candidates, UNC2891 operatives mailed them specialized card cloning equipment. The mules then visited ATMs to withdraw cash, receiving real-time instructions through TeamViewer remote access software or direct phone communication with their handlers.
A key component of their scheme was CAKETAP, an advanced rootkit capable of manipulating ATM transaction verification. This malware intercepted and replaced legitimate PIN confirmation messages, effectively bypassing security checks. It also altered cryptographic responses from Hardware Security Modules, allowing fraudsters to use counterfeit cards without triggering alarms.
To maintain long-term access, UNC2891 deployed multiple custom backdoors across dozens of compromised systems. TINYSHELL established hidden connections to command servers using dynamic DNS, while SLAPSTICK harvested login credentials through compromised authentication libraries. The SUN4ME toolkit performed network reconnaissance, creating detailed maps of institutional infrastructure. The group ensured operational continuity through diverse communication methods including DNS tunneling, OpenVPN, and encrypted HTTPS channels.
The threat actors employed sophisticated anti-forensics measures to conceal their activities. They used the LOGBLEACH and MIGLOGCLEANER utilities to erase their footprints from system logs. They also configured init scripts and systemd services so that their backdoors would automatically restart after a reboot. Many malicious components were disguised with ordinary filenames and hidden by techniques such as mounting over the /proc filesystem, making detection significantly harder.
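As an added defender-side check (example code, not part of Group-IB's report or this article), the following Python parses /proc/self/mountinfo and flags any mount layered over a /proc/<pid> directory, which is the assumed form of the /proc hiding technique mentioned above: a bind or tmpfs mount placed over a process's entry so it vanishes from ps and ls. The mountinfo text embedded below is constructed, not captured from a real host.

```python
import re
from typing import Dict, List

# Constructed sample of /proc/self/mountinfo (not from any real host):
# a normal /proc mount, the legitimate binfmt_misc autofs, then two mounts
# layered over PID directories: a bind of /proc/2 and an empty tmpfs.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:14 - proc proc rw
25 22 0:22 / /proc/sys/fs/binfmt_misc rw,relatime shared:16 - autofs systemd-1 rw
120 22 0:21 /2 /proc/4242 rw,nosuid,nodev,noexec,relatime shared:14 - proc proc rw
121 22 0:35 / /proc/4243 rw,relatime - tmpfs none rw
"""

_OCTAL = re.compile(r"\\([0-7]{3})")

def _unescape(field: str) -> str:
    """mountinfo escapes space, tab, newline and backslash as \\ooo octal."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text: str) -> List[Dict[str, str]]:
    """Split each line at the ' - ' separator; fields before it are positional,
    fields after it are filesystem type and source (mountinfo(5) layout)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")
        pre_f, post_f = pre.split(), post.split()
        entries.append({
            "mount_id": pre_f[0],
            "root": _unescape(pre_f[3]),        # root of the mount within its fs
            "mount_point": _unescape(pre_f[4]),  # where it is attached
            "fstype": post_f[0],
            "source": post_f[1] if len(post_f) > 1 else "",
        })
    return entries

_PID_DIR = re.compile(r"^/proc/(\d+)(/|$)")

def find_hidden_pid_mounts(text: str) -> List[Dict[str, str]]:
    """Return mounts whose mount point is a /proc/<pid> directory. There is no
    legitimate reason for one to exist, so every hit is worth investigating."""
    return [e for e in parse_mountinfo(text) if _PID_DIR.match(e["mount_point"])]

if __name__ == "__main__":
    with open("/proc/self/mountinfo") as fh:   # run on a live Linux host
        live = fh.read()
    for hit in find_hidden_pid_mounts(live):
        print(f"suspicious: {hit['mount_point']} <- {hit['fstype']} "
              f"{hit['source']} (root {hit['root']})")
```

Run it from a root shell on the host being checked; a bind mount shows a non-/ root pointing at the directory it was copied from, while a tmpfs over-mount shows fstype tmpfs.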
Security analysts established connections between the separate attacks by identifying matching cryptographic keys embedded within the STEELCORGI packing tool. During just the February 2022 incident, UNC2891 successfully compromised more than thirty systems at Bank A, demonstrating their ability to maintain persistent access within targeted organizations.
Industry professionals caution against underestimating ATM security threats. “The apparent decline of ATM-focused cybercrime in recent years has led many defenders to deprioritize this attack surface – in budgets, audits, and threat models. That would be a dangerous mistake,” warned Group-IB researchers. They emphasized that “UNC2891 is proof that ATM threats did not disappear – they simply evolved. Their resurgence, now enhanced by physical access vectors and deeply embedded tooling, suggests a new chapter in financial intrusions.”
(Source: Info Security)