FIN8 Hacking Group is back with an improved version of the ShellTea Backdoor

Pierluigi Paganini June 12, 2019

After two years of silence, FIN8 group is back and carried out a new campaign against the hotel-entertainment industry employing the ShellTea/PunchBuggy backdoor.

Two years later after the last report, FIN8 group is back and carried out a new campaign against the hotel-entertainment industry using an improved version of the ShellTea/PunchBuggy backdoor.

The last time security experts documented the FIN8’s activities was in 2016 and 2017. At the time, FireEye and root9B published detailed reports about a series of attacks targeting the retail sector.

FireEye documented obfuscation techniques used by the group in June 2017 and the involvement of PUNCHTRACK POS-scraping malware.

The ShellTea backdoor was analyzed by researchers Root9b in June 2017, the malware was used by threat actors to deliver the PoC malware.

Now experts at Morphisec revealed to have observed a new campaign attributed to the FIN8 group that targeted entities in the hotel-entertainment industry.

“During the period of March to May 2019, Morphisec Labs observed a new, highly sophisticated variant of the ShellTea / PunchBuggy backdoor malware that attempted to infiltrate a number of machines within the network of a customer in the hotel-entertainment industry.” reads the analysis published by Morphisec. “It is believed that the malware was deployed as a result of several phishing attempts.”

Experts believe the attackers launched phishing attacks in the attempt of delivering PoS malware.

Researchers also gathered evidence of overlap between FIN8 and FIN7 attacks, even if the two groups are considered separated.

“Given the nature of the industry targeted in the attack uncovered by Morphisec, we assume that this was also an attempted POS attack.” continues the analysis. “In this report, we investigate this latest variant of ShellTea, together with the artifacts it downloaded after the Morphisec Labs team detonated a sample in a safe environment.”

The attack chain starts with a fileless dropper using PowerShell code executed from registry keys and leading to ShellTea.

The ShellTea attempt to evade detection by checking the presence of virtualized environments and standard analysis tools. The malicious code uses a hacking algorithm for most of its functions, the algorithm is similar to the one implemented for previous ShellTea version.

ShellTea is then injected into Explorer, it communicates with the C2 over HTTPs and supports various commands, such as loading and executing a delivered executable, creating/executing processes, executing any PowerShell command using downloaded native Empire ReflectivePicker, and of course downloading and executing a POS malware.

Attackers use the PowerShell script to collect information on the user and the network, then sends Gzipped data to the C2 and delete it.

Experts pointed out that attackers are constantly innovating their arsenal, their new techniques are able to easily evade standard POS defenses.

“The hospitality industry, and particularly their POS networks, continues to be one of the industries most targeted by cybercrime groups. In addition to this attack by FIN8,we’ve seen multiple attacks by FIN6FIN7 and others.” concludes Morphisec.

Many POS networks are running on the POS version of Window 7, making them more susceptible to vulnerabilities. What’s more, attackers know that many POS systems run with only rudimentary security as traditional antivirus is too heavy and requires constant updating that can interfere with system availability.” ” As we see here, attack syndicates are constantly innovating and learn from their mistakes – the numerous improvements and bug fixes from the previous version of ShellTea are evident. The techniques implemented can easily evade standard POS defenses. “

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – FIN8, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment