{
	"id": "7562d0e1-59ca-4fc2-a706-4d7b2ff02f71",
	"created_at": "2026-04-06T00:09:44.773844Z",
	"updated_at": "2026-04-10T13:12:59.052677Z",
	"deleted_at": null,
	"sha1_hash": "016a386448b0edd47d2bf91eaabbb45963318a1d",
	"title": "Netbooks, RPis, \u0026 Bash Bunny Gear - Attacking Banks from the Inside",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 673747,
	"plain_text": "Netbooks, RPis, \u0026 Bash Bunny Gear - Attacking Banks from the Inside\r\nBy Ionut Ilascu\r\nPublished: 2018-12-07 · Archived: 2026-04-02 10:59:08 UTC\r\nMultiple banks in Eastern Europe have been attacked from inside their network via various electronic devices connected directly to the company's own infrastructure, security researchers have discovered.\r\nWhere possible, the adversary made an effort to hide the entry point by planting the malicious devices in a way that did not attract attention. The losses created this way are estimated at tens of millions of dollars.\r\nDirect access to the local network\r\nDubbed DarkVishnya, the attacks targeted at least eight banks using readily available gear such as netbooks or inexpensive laptops, Raspberry Pi mini-computers, or a Bash Bunny - a USB-sized piece of hardware for penetration testing purposes that can pose as a keyboard, flash storage, network adapter, or any serial device.\r\nhttps://www.bleepingcomputer.com/news/security/netbooks-rpis-and-bash-bunny-gear-attacking-banks-from-the-inside/\r\nPage 1 of 4\r\nThey gained access to the local network from various places inside the victim's central or regional offices, and even from company branches in a different country.\r\nGiven their position, the devices could launch attacks that bypassed network defenses and could easily run reconnaissance routines, which are the first step of a cyber attack once on the target infrastructure.\r\nSergey Golovanov from Kaspersky Lab says that the researchers discovered this attack method between 2017 and 2018 while investigating cybertheft incidents.\r\n\"Inside the local network, the device appeared as an unknown computer, an external flash drive, or even a keyboard,\" he details.\r\nTo control the rogue gear remotely, the attackers used built-in or USB-powered GPRS/3G/LTE wireless modules.\r\nIn the second stage of the attack, the intruders scanned the digital premises in search of open resources such as shared folders and web servers with public access.\r\nThe goal was to identify and collect valuable information like login credentials for systems used for making payments. To this end, the threat actor tried to brute-force their way in or intercept traffic to extract login data.\r\nEvading firewall restrictions was possible through reverse TCP shells and the use of a different payload to create the communication tunnel. If all went well, the adversary would log into the target system and gain persistence.\r\nGolovanov says that the threat actor launched malicious services on the compromised system, created with the MSFvenom tool from the Metasploit Framework.\r\nFileless attacks are difficult to spot\r\nThe success of these operations is owed to the fact that they did not rely on specific malware to achieve their goals but on tools like PowerShell that could bypass whitelisting technologies and domain policies in most cases.\r\nAlthough widely abused by cybercriminals to run malicious scripts, PowerShell is a legitimate component that is typically available on target machines.\r\nSome system administrators block PowerShell on network machines to minimize the attack surface. If this was the case, the DarkVishnya attacks would use the Impacket Python library, winexesvc.exe or psexec.exe for remote execution of processes.\r\nAll three are legitimate tools used by admins to run commands on remote machines and redirect the output to the local system. PsExec has been used maliciously since at least 2004 and it was used by NotPetya ransomware for lateral movement.\r\nCrims take a page from pentesters' book\r\nThis method of compromise is not new. It has been used in attacks against banks as early as 2013, when a gang stole over £1.3 million from Barclays Bank by connecting a keyboard video mouse (KVM) switch with a 3G router to a computer in the bank.\r\nPenetration testers also use this method to breach the defenses of a target with strong protections against outside access. Bash Bunny, for example, is specially built for this purpose as its form factor resembles a flash drive and once connected to a computer it can run scripts that give access to assets on the network.\r\nSource: https://www.bleepingcomputer.com/news/security/netbooks-rpis-and-bash-bunny-gear-attacking-banks-from-the-inside/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/netbooks-rpis-and-bash-bunny-gear-attacking-banks-from-the-inside/"
	],
	"report_names": [
		"netbooks-rpis-and-bash-bunny-gear-attacking-banks-from-the-inside"
	],
	"threat_actors": [
		{
			"id": "81a7ab21-3aaa-4399-b1a7-77ce38130a77",
			"created_at": "2022-10-25T15:50:23.5229Z",
			"updated_at": "2026-04-10T02:00:05.326942Z",
			"deleted_at": null,
			"main_name": "DarkVishnya",
			"aliases": [
				"DarkVishnya"
			],
			"source_name": "MITRE:DarkVishnya",
			"tools": [
				"Winexe",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "76e65a03-eb20-4248-978a-c6be30fc118a",
			"created_at": "2023-01-06T13:46:38.844934Z",
			"updated_at": "2026-04-10T02:00:03.120025Z",
			"deleted_at": null,
			"main_name": "DarkVishnya",
			"aliases": [],
			"source_name": "MISPGALAXY:DarkVishnya",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434184,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/016a386448b0edd47d2bf91eaabbb45963318a1d.pdf",
		"text": "https://archive.orkl.eu/016a386448b0edd47d2bf91eaabbb45963318a1d.txt",
		"img": "https://archive.orkl.eu/016a386448b0edd47d2bf91eaabbb45963318a1d.jpg"
	}
}