CAKETAP

CAKETAP is a kernel module rootkit associated with the financially motivated threat cluster UNC2891. It has been described on Oracle Solaris and Solaris/Linux server infrastructure, including intended deployment on ATM switching servers. Its core stealth capabilities include hiding network connections, processes, and files. Mandiant reported that on Solaris it removes itself from the loaded modules list during initialization, updates last_module_id to conceal its presence, hooks ipcl_get_next_conn and multiple ip-module functions to filter connections for actor-configured IPs or ports, and hooks mkdirat and getdents64 to receive commands and hide files or directories containing secret signal strings. Observed CAKETAP signal strings include .caahGss187 for the mkdirat hook and .zaahGss187 for the getdents64 hook. A CAKETAP variant observed on an ATM switch server was designed to intercept and spoof card and PIN verification messages sent to a payment hardware security module (HSM), manipulate HSM responses, and spoof authorization messages to enable unauthorized transactions and fraudulent ATM cash withdrawals using fraudulent bank cards. Group-IB reported UNC2891’s objective in a 2024 bank intrusion in Indonesia was to deploy CAKETAP on the ATM switching server after gaining access via a physically implanted Raspberry Pi with a 4G modem and TINYSHELL backdoor; defenders disrupted the intrusion before that final objective was achieved.