According to a report from security outfit Group-IB, the attackers hid the malicious code with a bind mount, a stock Linux feature, rather than with a kernel module: by mounting another directory over the process's entry under /proc, they kept it out of the view of ps and every other tool that enumerates processes by reading /proc. The ruse mimicked a rootkit without one, since the process kept running normally in the kernel but standard process listings on the box could no longer see it.
They never managed to hijack the ATM switching server, but the move marks a serious upgrade for cyber-physical bank hacking. Group-IB didn’t spill where this plot unfolded or how the Pi got physically installed. Still, the implications are clear: banks may need to start watching their hardware closets, not just their firewalls.
To keep the malware on life support, the hackers popped a mail server already plugged into the internet. The Raspberry Pi and the mail server chatted through the bank’s internal monitoring server, which had god-like access to nearly everything in the data centre. Group-IB first got wise when they noticed beacon signals flying out every 10 minutes and odd connections to a mystery device.
A forensic sweep caught the malware in the act and traced it back to a process named “lightdm”, a name that normally belongs to the LightDM display manager on Linux, but this one was running from the wrong place.
Group-IB’s Nam Le Phuong said the attackers went out of their way to make the backdoor look innocent.
“The backdoor process is deliberately obfuscated by the threat actor through the use of process masquerading,” he said.
The malware posed as the real LightDM, complete with plausible-looking command-line arguments such as “lightdm --session child 11 19”, aiming to slip past human eyes and automated scans alike.
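Both hiding tricks in this story, the bind mount over a /proc entry and the fake "lightdm" name, can be checked for from userland because neither forges the facts the kernel keeps: a mount over /proc/<pid> shows up in /proc/mounts, and /proc/<pid>/exe always points at the binary that was actually executed, whatever the process calls itself. The scanner below is an added example written for this article, not Group-IB's tooling or anything published in their report. It assumes the genuine LightDM binary lives at /usr/sbin/lightdm or /usr/bin/lightdm (adjust for your distribution), and the sample /proc/mounts text and process records are constructed for the demo; run as a script on a Linux host it reads the real /proc instead.

```python
"""Hunt for bind-mounted /proc entries and name-masquerading processes.

Added example for this article. The sample mount table and process records
below are constructed; live_scan() reads the real /proc on a Linux host.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Where the genuine binary lives on common distributions (assumption; adjust
# to the host's own package layout).
EXPECTED_EXE: Dict[str, Tuple[str, ...]] = {
    "lightdm": ("/usr/sbin/lightdm", "/usr/bin/lightdm"),
}
# Binaries executed from these trees are staged, not installed (heuristic).
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
MOUNT_OVER_PID = re.compile(r"^/proc/(\d+)(?:/|$)")


@dataclass
class Proc:
    pid: int
    comm: str               # /proc/<pid>/comm, attacker-controllable
    cmdline: List[str]      # /proc/<pid>/cmdline, attacker-controllable
    exe: Optional[str]      # readlink(/proc/<pid>/exe), set by the kernel
    cwd: Optional[str] = None


def pids_hidden_by_bind_mount(mounts_text: str) -> List[int]:
    """Parse /proc/mounts ('source mountpoint fstype opts ...' per line) and
    return every pid with something mounted over /proc/<pid> or below it.
    A clean system has no mounts at all under /proc/<pid>."""
    hidden = set()
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            m = MOUNT_OVER_PID.match(parts[1])
            if m:
                hidden.add(int(m.group(1)))
    return sorted(hidden)


def masquerade_findings(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Flag processes whose self-reported name does not match the binary the
    kernel really executed. argv[0] and comm are writable by the process;
    the exe link is not."""
    findings = []
    for p in procs:
        claimed = os.path.basename(p.cmdline[0]) if p.cmdline else p.comm
        expected = EXPECTED_EXE.get(claimed)
        if p.exe is None:
            # Kernel threads have no exe; unreadable exe on a claimed system
            # daemon is worth a look, on anything else it is usually EPERM.
            if expected is not None:
                findings.append((p.pid, f"{claimed}: exe link unreadable"))
            continue
        real = p.exe.replace(" (deleted)", "")
        if expected is not None and real not in expected:
            findings.append((p.pid, f"{claimed} claimed, but exe is {p.exe}"))
        elif p.exe.endswith(" (deleted)"):
            findings.append((p.pid, f"{claimed} runs from deleted {real}"))
        elif real.startswith(STAGING_DIRS):
            findings.append((p.pid, f"{claimed} runs from staging dir {real}"))
    return findings


def scan(procs: List[Proc], mounts_text: str) -> Dict[str, list]:
    """Combine both checks into one report."""
    return {
        "bind_mounted_pids": pids_hidden_by_bind_mount(mounts_text),
        "masquerading": masquerade_findings(procs),
    }


def live_processes() -> List[Proc]:
    """Read the real /proc. A pid directory that is listed but whose comm
    cannot be read is recorded with exe=None so it still surfaces."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        base = f"/proc/{name}"
        try:
            with open(f"{base}/comm") as f:
                comm = f.read().strip()
            with open(f"{base}/cmdline", "rb") as f:
                argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
        except OSError:
            continue
        def link(n):
            try:
                return os.readlink(f"{base}/{n}")
            except OSError:
                return None
        procs.append(Proc(int(name), comm, argv, link("exe"), link("cwd")))
    return procs


# Constructed sample data: pid 4127 is the fake lightdm, hidden by a tmpfs
# bind-mounted over its /proc directory and running out of /tmp.
SAMPLE_MOUNTS = """proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /proc/4127 tmpfs rw,nosuid,nodev 0 0
"""
SAMPLE_PROCS = [
    Proc(1203, "lightdm", ["/usr/sbin/lightdm"], "/usr/sbin/lightdm", "/"),
    Proc(4127, "lightdm", ["lightdm", "--session", "child", "11", "19"],
         "/tmp/.cache/lightdm", "/tmp/.cache"),
    Proc(2231, "sshd", ["/usr/sbin/sshd", "-D"], "/usr/sbin/sshd", "/"),
]

if __name__ == "__main__":
    try:
        with open("/proc/mounts") as f:
            report = scan(live_processes(), f.read())
    except OSError:           # not Linux: fall back to the constructed sample
        report = scan(SAMPLE_PROCS, SAMPLE_MOUNTS)
    for pid in report["bind_mounted_pids"]:
        print(f"[!] pid {pid}: filesystem mounted over /proc/{pid}")
    for pid, why in report["masquerading"]:
        print(f"[!] pid {pid}: {why}")
```

The bind-mount check is the one to keep permanently in host monitoring: a mount point anywhere under /proc/<digits> has no legitimate reason to exist, so it can be alerted on outright, whereas the exe-versus-name check needs a per-host allowlist of where real daemons live. Run it as root, since unprivileged users cannot read other users' exe links.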
The Raspberry Pi and the dodgy mail server kept whispering to each other, aided by the monitoring server in the middle, and all of it stayed under the radar thanks to the unusually sophisticated hiding tricks.