UNC2891 Bank Heist: Physical ATM Backdoor & Linux Forensic Evasion
Key Takeaways From This Blog
- Initial access can be physical and extremely low-profile, evading most traditional defenses.
- Memory and network forensics were the only effective techniques in detecting the backdoor.
- A previously unpublished anti-forensics tactic, now cataloged in MITRE ATT&CK as T1564.013 (Linux bind mount abuse), played a central role in the campaign’s stealth.
- Threat actors used custom malware suites to infiltrate and maintain persistence on ATM switching systems.
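Bind mount abuse of the kind referenced in T1564.013 is typically used to mount a directory over a process's `/proc/<pid>` entry so that process listings built from `/proc` no longer show it. As an added detection example (not code from the original post, and the `/proc/<pid>` overmount pattern is an assumption about the technique rather than a detail reported here), the script below parses `/proc/self/mountinfo` lines and flags any mount placed over a `/proc/<pid>` path; the sample mountinfo text is constructed.

```python
import re
from typing import Dict, List

# Constructed sample of /proc/self/mountinfo (not from the incident).
# Field order: id parent major:minor root mount_point options - fstype source superopts
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
28 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
90 22 8:1 /var/empty /proc/1337 rw,relatime - ext4 /dev/sda1 rw
91 28 8:1 /var/log /mnt/logs rw,relatime - ext4 /dev/sda1 rw
"""

# A mount point that is exactly /proc/<pid> or anything beneath it.
PROC_PID_RE = re.compile(r"^/proc/(\d+)(/|$)")


def parse_mountinfo(text: str) -> List[Dict[str, str]]:
    """Parse mountinfo lines into dicts; ' - ' separates the optional-field block."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")
        fields = pre.split()
        post_fields = post.split()
        entries.append({
            "mount_id": fields[0],
            "root": fields[3],                       # subtree of the source that is mounted
            "mount_point": fields[4].replace("\\040", " "),  # mountinfo escapes spaces as \040
            "fstype": post_fields[0],
            "source": post_fields[1],
        })
    return entries


def find_proc_pid_overmounts(text: str) -> List[Dict[str, object]]:
    """Return mounts whose mount point hides a /proc/<pid> directory."""
    hits = []
    for entry in parse_mountinfo(text):
        match = PROC_PID_RE.match(entry["mount_point"])
        if match:
            hits.append({"pid": int(match.group(1)), **entry})
    return hits


if __name__ == "__main__":
    for hit in find_proc_pid_overmounts(SAMPLE_MOUNTINFO):
        print(f"suspicious: pid {hit['pid']} hidden by {hit['fstype']} mount of "
              f"{hit['source']}:{hit['root']} at {hit['mount_point']}")
```

On a live host, feed the function the contents of `/proc/self/mountinfo`; a legitimate system has no non-proc filesystem mounted at a `/proc/<pid>` path.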
This post is licensed under CC BY 4.0 by the author.