In Search of Riches, Hackers Plant 4G-Enabled Raspberry Pi In Bank Network (arstechnica.com)
- News link: https://it.slashdot.org/story/25/07/31/2241259/in-search-of-riches-hackers-plant-4g-enabled-raspberry-pi-in-bank-network
- Source link: https://arstechnica.com/security/2025/07/in-search-of-riches-hackers-plant-4g-enabled-raspberry-pi-in-bank-network/
> To maintain persistence, UNC2891 also compromised a mail server because it had constant Internet connectivity. The Raspberry Pi and the mail server backdoor would then communicate by using the bank's monitoring server as an intermediary. The monitoring server was chosen because it had access to almost every server within the data center. As Group-IB was initially investigating the bank's network, researchers noticed some unusual behaviors on the monitoring server, including an outbound beaconing signal every 10 minutes and repeated connection attempts to an unknown device. The researchers then used a forensic tool to analyze the communications. The tool identified the endpoints as a Raspberry Pi and the mail server but was unable to identify the process names responsible for the beaconing.
>
> The researchers then captured the system memory as the beacons were sent. The review identified the process as lightdm, a process associated with an open source LightDM display manager. The process appeared to be legitimate, but the researchers found it suspicious because the LightDM binary was installed in an unusual location. After further investigation, the researchers discovered that the processes of the custom backdoor had been deliberately disguised in an attempt to throw researchers off the scent.
>
> [Group-IB Senior Digital Forensics and Incident Response Specialist Nam Le Phuong] explained: "The backdoor process is deliberately obfuscated by the threat actor through the use of process masquerading. Specifically, the binary is named 'lightdm', mimicking the legitimate LightDM display manager commonly found on Linux systems. To enhance the deception, the process is executed with command-line arguments resembling legitimate parameters, for example 'lightdm --session child 11 19', in an effort to evade detection and mislead forensic analysts during post-compromise investigations. These backdoors were actively establishing connections to both the Raspberry Pi and the internal Mail Server."
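The two indicators the responders describe (a daemon-named binary running from an unusual path, and an outbound connection repeating on a fixed interval) can be turned into simple host and network checks. The Python below is an added illustration, not code from Ars Technica, Group-IB or the story's commenters; the expected LightDM install paths, the process snapshot and the connection timestamps are all constructed assumptions, and the hostnames are placeholders rather than anything from the incident.

```python
"""Detection sketch for the two signals described in the story above:
   (1) a process masquerading as a system daemon from an unexpected path,
   (2) a host beaconing to one peer at a near-constant interval.
All sample data below is constructed for illustration."""
from dataclasses import dataclass
from statistics import median

# Assumed baseline: where the real daemon binaries live on a typical install.
# LightDM is normally packaged as /usr/sbin/lightdm (Debian/Ubuntu) or
# /usr/bin/lightdm (Arch). Adjust to the fleet's actual package baseline.
EXPECTED_EXE = {
    "lightdm": {"/usr/sbin/lightdm", "/usr/bin/lightdm"},
    "sshd": {"/usr/sbin/sshd"},
}


@dataclass
class Proc:
    pid: int
    comm: str      # process name as shown by ps / /proc/<pid>/comm
    exe: str       # resolved target of /proc/<pid>/exe
    cmdline: str   # /proc/<pid>/cmdline joined with spaces


def find_masquerading(procs):
    """Return processes whose name matches a known daemon but whose binary
    lives outside the expected paths (the 'unusual location' indicator).
    A '/path (deleted)' exe target is also caught, since it never matches."""
    return [p for p in procs
            if p.comm in EXPECTED_EXE and p.exe not in EXPECTED_EXE[p.comm]]


def find_beacons(events, tolerance=0.1, min_count=4):
    """events: iterable of (timestamp_seconds, src, dst).
    Group connections by (src, dst) and report pairs whose inter-connection
    gaps are all within `tolerance` of the median gap, i.e. the
    'every 10 minutes' pattern. Returns {(src, dst): interval_seconds}."""
    by_pair = {}
    for ts, src, dst in events:
        by_pair.setdefault((src, dst), []).append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med > 0 and all(abs(g - med) <= tolerance * med for g in gaps):
            beacons[pair] = med
    return beacons


# --- constructed sample data (placeholders, not incident data) ---
SAMPLE_PROCS = [
    Proc(412, "lightdm", "/usr/sbin/lightdm", "/usr/sbin/lightdm"),
    Proc(9031, "lightdm", "/var/tmp/.cache/lightdm", "lightdm --session child 11 19"),
    Proc(220, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
]
SAMPLE_EVENTS = (
    [(600 * i, "monitoring-srv", "unknown-host") for i in range(6)]   # every 10 min
    + [(t, "monitoring-srv", "db-01") for t in (5, 130, 131, 900, 2100)]  # irregular
)

if __name__ == "__main__":
    for p in find_masquerading(SAMPLE_PROCS):
        print(f"masquerade? pid={p.pid} comm={p.comm} exe={p.exe} cmd={p.cmdline!r}")
    for (src, dst), iv in find_beacons(SAMPLE_EVENTS).items():
        print(f"beacon {src} -> {dst} every {iv:.0f}s")
```

On a live host the `Proc` records would come from `/proc/<pid>/comm`, `os.readlink('/proc/<pid>/exe')` and `/proc/<pid>/cmdline`; the point of checking the resolved exe path rather than the name or arguments is that the name and arguments are exactly what the masquerade copies. The beacon check is deliberately simple (a constant gap, not a jittered one), which matches the 10-minute cadence the responders saw but would need a looser tolerance for tooling that randomises its sleep.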
How did they plant (Score:2)
The article glosses over the elephant in the room. How did the hackers get physical access to the bank to plant the Pi? And the other thing that would scream to me was the output of their forensic tool, which looks to me like the output of netstat and basically shows a raspberry_pi host. I'd be WTF, why is there a Pi on our internal network? Not why is lightdm sending a packet on the Pi.
Re: (Score:2)
The Raspberry Pi was connected to the same network switch used by the bank’s ATM system...
Probably simple social engineering. Show up in an outfit that looks like you're an electrician or something else... or just pay a bank employee to let them in and look the other way...
mystery process image is privacy-edited (Score:2)
> ... And the other thing that would scream to me was the output of their forensic tool which looks to me like the output of netstat basically shows a raspberry_pi host. I'd be WTF, why is there a pi on our internal network? Not why is lightdm sending a packet on the pi.
lol, the thing that screams at me is that the 'forensic tool' image has obviously had the IPs removed for privacy. "[redacted]", "[raspberry_pi]", and "[mail_server]" are all clearly placeholders put in for publication and are not 3 actual hostnames the researchers found on the bank network.
I am disappointed. (Score:3)
Back in the day, I was taught in electronics, and software, to make it easy to use... and reliable. Now I am disappointed at how average people use it.
"Disappointed" means feeling sad, discouraged, or let down because something didn't happen as expected or hoped for. It can also refer to being inadequately equipped or appointed. The word originates from the French "desappointer," meaning to fail to keep an appointment, according to Vocabulary.com.
Seems like the script kitties and hackers have no appreciation for how hard people worked so they can get their nut off. They don't even have to learn how a transistor works, nor what a for loop is, they just buy shit off of the Tor network, and abuse other people.
display manager on a server, why pick something that will stand out (Score:2)
display manager on a server, why pick something that will stand out like that.