Description of Campaign
The UNC2891 threat group was discovered using private malware, utilities, and scripts to carry out attacks against the financial sector.
The actor uses the CAKETAP rootkit to breach a victim's Automatic Teller Machine switching network and perform unauthorized cash withdrawals.
UNC2891 also makes extensive use of multiple backdoors to maintain persistence and steal credentials.
Our ATR Team gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports. This campaign was researched by Mandiant and
shared publicly.
How to use this article:
- If a Threat Hunting table has been created, use the rules contained to search for malware related to this campaign.
- Review the product detection table and confirm that your environment is at least on the specified content version.
To download the latest content versions, go to the Security Updates page.
- Scroll down and review the "Product Countermeasures" section of this article. Consider implementing them if they are not already in place.
- Review KB91836 - Countermeasures for entry vector threats.
- Review KB87843 - Dynamic Application Containment rules and best practices.
- Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event.
Threat Hunting
| YARA |
rule TINYSHELL
{
meta:
author = "Mandiant "
strings:
$sb1 = { C6 00 48 C6 4? ?? 49 C6 4? ?? 49 C6 4? ?? 4C C6 4? ?? 53 C6 4? ?? 45 C6 4? ?? 54 C6 4? ?? 3D C6 4? ?? 46 C6 4? ?? 00 }
$sb2 = { C6 00 54 C6 4? ?? 4D C6 4? ?? 45 C6 4? ?? 3D C6 4? ?? 52 }
$ss1 = "fork" ascii fullword wide
$ss2 = "socket" ascii fullword wide
$ss3 = "bind" ascii fullword wide
$ss4 = "listen" ascii fullword wide
$ss5 = "accept" ascii fullword wide
$ss6 = "alarm" ascii fullword wide
$ss7 = "shutdown" ascii fullword wide
$ss8 = "creat" ascii fullword wide
$ss9 = "write" ascii fullword wide
$ss10 = "open" ascii fullword wide
$ss11 = "read" ascii fullword wide
$ss12 = "execl" ascii fullword wide
$ss13 = "gethostbyname" ascii fullword wide
$ss14 = "connect" ascii fullword wide
condition:
uint32(0) == 0x464c457f and 1 of ($sb*) and 10 of ($ss*)
} |
| YARA |
rule TINYSHELL_SPARC
{
meta:
author = "Mandiant"
strings:
$sb_xor_1 = { DA 0A 80 0C 82 18 40 0D C2 2A 00 0B 96 02 E0 01 98 03 20 01 82 1B 20 04 80 A0 00 01 82 60 20 00 98 0B 00 01 C2 4A 00 0B 80 A0 60 00 32 BF FF F5 C2 0A 00 0B 81 C3 E0 08 }
$sb_xor_2 = { C6 4A 00 00 80 A0 E0 00 02 40 00 0B C8 0A 00 00 85 38 60 00 C4 09 40 02 84 18 80 04 C4 2A 00 00 82 00 60 01 80 A0 60 04 83 64 60 00 10 6F FF F5 90 02 20 01 81 C3 E0 08 }
condition:
uint32(0) == 0x464C457F and (uint16(0x10) & 0x0200 == 0x0200) and (uint16(0x12) & 0x0200 == 0x0200) and 1 of them
} |
| YARA |
rule SLAPSTICK
{
meta:
author = "Mandiant "
strings:
$ss1 = "%Y %b %d %H:%M:%S \x00"
$ss2 = "%-23s %-23s %-23s\x00"
$ss3 = "%-23s %-23s %-23s %-23s %-23s %s\x0a\x00"
condition:
(uint32(0) == 0x464c457f) and all of them
} |
| YARA |
rule STEELCORGI
{
meta:
author = "Mandiant "
strings:
$s1 = "\x00\xff/\xffp\xffr\xffo\xffc\xff/\xffs\xffe\xffl\xfff\xff/\xffe\xffx\xffe\x00"
$s2 = "\x00\xff/\xffv\xffa\xffr\xff/\xffl\xffi\xffb\xff/\xffd\xffb\xffu\xffs\xff/\xffm\xffa\xffc\xffh\xffi\xffn\xffe\xff-\xffi\xffd\x00"
$sb1 = { FE 1B 7A DE 23 D1 E9 A1 1D 7F 9E C1 FD A4 }
$sb2 = { 3B 8D 4F 45 7C 4F 6A 6C D8 2F 1F B2 19 C4 45 6A 6A }
condition:
(uint32(0) == 0x464c457f) and all of them
} |
This Knowledge Base article discusses a specific threat that's being tracked. The list of IOCs will change over time; check Trellix Insights for the latest IOCs.
Campaign IOC
| Type |
Value |
| SHA256 |
7D587A5F6F36A74DCFBCBAECB2B0547FDF1ECDB034341F4CC7AE489F5B57A11D |
Minimum Content Versions
| Content Type |
Version |
| V2 DAT (VirusScan Enterprise) |
9804 |
| V3 DAT (Endpoint Security) |
4257 |
Detection Summary
| IOC |
Scanner |
Detection |
| 7D587A5F6F36A74DCFBCBAECB2B0547FDF1ECDB034341F4CC7AE489F5B57A11D |
AVEngine V2 |
LINUX/Agent.t |
| AVEngine V3 |
LINUX/Agent.t |
| JTI (ATP Rules) |
- |
| RP Static |
- |
| RP Dynamic |
- |
