Concise Cyber

UNC2891’s Sophisticated ATM Fraud Scheme Exposed by Mandiant Investigators

Cybersecurity firm Mandiant has detailed an extensive ATM cash-out and money laundering operation conducted by the threat actor group tracked as UNC2891. The investigation revealed a full-scope fraud scheme that combines custom malware with a complex network of money mules to steal funds directly from financial institutions.

CACHEMONEY Malware and ATM Jackpotting

At the core of UNC2891’s technical operation is a piece of malware known as CACHEMONEY. This malware is deployed onto the ATM networks of targeted financial organizations. Once installed, CACHEMONEY is used to execute ATM jackpotting attacks, a technique that forces cash-dispensing machines to dispense their stored currency on command. This allows operatives to physically collect large sums of cash from compromised ATMs.

The Money Mule Recruitment Network

A critical component of the UNC2891 operation is its management of a vast network of money mules. These individuals are responsible for collecting the cash dispensed during jackpotting attacks. Mandiant’s investigation found that UNC2891 recruits these mules through advertisements for fake jobs posted on social media. The recruitment process is managed by a persona acting as a hiring manager, who collects personally identifiable information (PII) from applicants, including photos of their IDs and social security numbers. Communication and instructions for cash pick-ups are then handled through encrypted messaging applications.

Investigators also noted overlaps between UNC2891 and another financially motivated threat cluster, FIN11, relating to malware code and infrastructure. However, the evidence was not sufficient to attribute the activity to a single, unified group.

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy another person’s work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You’re advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections, concerns or point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/