Have Your Cake and Eat it Too? An Overview of UNC2891

UNC2891 uses in-memory droppers like STEELCORGI and STEELHOUND to decrypt or encrypt payloads via environment-keying, and operates a broad Unix/Linux toolkit (SUN4ME) for recon, enumeration, and exploitation. The group also deployed Linux/Unix keyloggers (WINGHOOK/WINGCRACK), and a Solaris kernel rootkit (CAKETAP) with capabilities to hide activity and even enable unauthorized ATM cash withdrawals, supported by a large set of utilities and YARA rules. #UNC2891 #STEELCORGI #SUN4ME #STEELHOUND #WINGHOOK #WINGCRACK #CAKETAP #ATMfraud

Keypoints

  • UNC2891 uses STEELCORGI, an in-memory dropper that decrypts embedded payloads by deriving a ChaCha20 key from a runtime environment variable.
  • A related STEELHOUND dropper relies on RC4 encryption and can encrypt new payloads to disk along with a copy of itself and a config.
  • A Linux/Unix keylogger family is identified: WINGHOOK records input and stores encoded data in /var/tmp/.zmanDw; WINGCRACK decodes and displays those keylogs.
  • UNC2891 leverages a set of utilities (BINBASH, WIPERIGHT, MIGLOGCLEANER) for privilege escalation, log wiping, and log cleanup on Linux/Unix.
  • CAKETAP is a Solaris kernel module rootkit that hides network connections, processes, and files, with hooks in ipcl_get_next_conn and other network-related calls.
  • A variant of CAKETAP is implicated in unauthorized ATM transactions, manipulating card/PIN verification messages to enable fraudulent cash withdrawals.
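The environment-keyed decryption in the first keypoint is what makes a STEELCORGI sample inert under ordinary sandbox detonation: without the value of the expected variable from the victim host, the embedded payload never decrypts. The Python below is an added triage example, not code from the Mandiant report or from the malware itself. It assumes a SHA-256 derivation of the ChaCha20 key from the variable's value, a fixed 12-byte nonce, a constructed environment snapshot of the kind an analyst would capture from `/proc/<pid>/environ` on the affected host, and the ELF magic as the success check; the actual KDF, nonce handling and variable name used by STEELCORGI are not stated on the page.

```python
"""Triage helper: try each captured environment value as ChaCha20 key material
and stop when the decrypted blob starts with the ELF magic.

Added example; the key derivation, nonce handling and sample data below are
assumptions/constructed fixtures, not details taken from the STEELCORGI sample.
"""
import hashlib
import struct

ELF_MAGIC = b"\x7fELF"


def _rotl32(v: int, c: int) -> int:
    return ((v << c) & 0xFFFFFFFF) | (v >> (32 - c))


def _quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] ^= s[a]; s[d] = _rotl32(s[d], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] ^= s[c]; s[b] = _rotl32(s[b], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] ^= s[a]; s[d] = _rotl32(s[d], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] ^= s[c]; s[b] = _rotl32(s[b], 7)


def _chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block per RFC 8439 (20 rounds, 96-bit nonce)."""
    state = ([0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
             + list(struct.unpack("<8L", key))
             + [counter & 0xFFFFFFFF]
             + list(struct.unpack("<3L", nonce)))
    w = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16L", *[(x + y) & 0xFFFFFFFF for x, y in zip(w, state)])


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    """XOR data with the ChaCha20 keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = _chacha20_block(key, counter + i // 64, nonce)
        out.extend(x ^ y for x, y in zip(data[i:i + 64], block))
    return bytes(out)


def derive_key(env_value: str) -> bytes:
    """Assumed KDF for this example: SHA-256 of the variable's value."""
    return hashlib.sha256(env_value.encode()).digest()


def recover_payload(blob: bytes, nonce: bytes, environ: dict):
    """Return (variable_name, plaintext) for the first environment value whose
    derived key yields an ELF header, or (None, None) if nothing matches."""
    for name, value in environ.items():
        key = derive_key(value)
        # Decrypt only the first block to test the magic cheaply.
        if chacha20_xor(key, nonce, blob[:64]).startswith(ELF_MAGIC):
            return name, chacha20_xor(key, nonce, blob)
    return None, None


# ---- constructed fixture: a fake ELF-like payload keyed on HOSTNAME ----
FAKE_PAYLOAD = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
                + b"constructed stand-in for an embedded payload body")
SAMPLE_ENVIRON = {  # constructed snapshot, not from any real host
    "PATH": "/usr/bin:/bin",
    "HOME": "/root",
    "HOSTNAME": "db-prod-07",
    "SHELL": "/bin/bash",
}
SAMPLE_NONCE = bytes(range(12))
SAMPLE_BLOB = chacha20_xor(derive_key(SAMPLE_ENVIRON["HOSTNAME"]), SAMPLE_NONCE, FAKE_PAYLOAD)

if __name__ == "__main__":
    var, plain = recover_payload(SAMPLE_BLOB, SAMPLE_NONCE, SAMPLE_ENVIRON)
    print(f"keyed on: {var}, header: {plain[:4]!r}" if var else "no environment value unlocked the blob")
```

The same loop with a snapshot that lacks the keying variable returns `(None, None)`, which is the practical lesson: a sample detonated on a host or sandbox whose environment differs from the victim's yields nothing, so triage of this family should start from the environment captured on the compromised system rather than from the sample alone.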

MITRE Techniques

  • [T1480.001] Environmental Keying – “derive a ChaCha20 key from the value of an environment variable obtained at runtime.”
  • [T1027] Obfuscated Files or Information – “decrypts its embedded payloads” and was capable of “encrypting new payloads by encrypting a target binary”.
  • [T1059] Command and Scripting Interpreter – presence of shell-based utilities and Unix shell usage implied by the tools (e.g., BINBASH executes a shell after setting IDs).
  • [T1548.001] Setuid and Setgid – BINBASH “executes a shell after setting the group ID and user ID to either ‘root’ or specified values.”
  • [T1014] Rootkit – CAKETAP described as a kernel module rootkit for Solaris that hides components and filters connections.
  • [T1070] Indicator Removal on Host – WIPERIGHT clears specific log entries on Linux/Unix systems (log wiping).
  • [T1027] Obfuscated Files or Information (listed again for payload obfuscation context) – STEELCORGI/STEELHOUND use encryption for payloads.
  • [T1543.002] Systemd Service – Persistence mechanism observed in named context.
  • [T1547.006] Kernel Modules and Extensions – Kernel-level rootkit persistence via CAKETAP.
  • [T1021.004] SSH – Lateral movement using SSH (Remote Services).

Indicators of Compromise

  • [Hash] STEELCORGI – MD5: e5791e4d2b479ff1dfee983ca6221a53, SHA1: e55514b83135c5804786fa6056c88988ea70e360, SHA256: 95964d669250f0ed161409b93f7a131bfa03ea302575d555d91ab5869391c278
  • [Hash] STEELHOUND – MD5: a4617c9a4bde94e867f063c28d763766, SHA1: 097d3a15510c48cdb738344bdf00082e546827e8, SHA256: 161a2832baba6ff6f9f1b52ed8facfa1197cfc7947fe58152b3617a258cf52b0
  • [Hash] TINYSHELL – MD5: 4ff6647c44b0417c80974b806b1fbcc3, SHA1: fa36f10407ed5a6858bd1475d88dd35927492f52, SHA256: 55397addbea8e5efb8e6493f3bd1e99f9742ff4cfe0f0d3da7e92067904b5194
  • [Hash] TINYSHELL – MD5: 13f6601567523e6a37f131ef2ac4390b, SHA1: 4228d71c042d08840089895bfa6bd594b5299a89, SHA256: 24f459a2752175449939037d6a1da09cac0e414020ce9c48bcef47ec96e3587b

Read more: https://www.mandiant.com/resources/unc2891-overview