Saturday, October 12, 2024
HomeComputer SecurityFIN8 Hacker Group using Highly Sophisticated ShellTea Malware to Attack Hospitality Sector

FIN8 Hacker Group using Highly Sophisticated ShellTea Malware to Attack Hospitality Sector

Published on

Malware protection

FIN8 hacker group is back with a new highly sophisticated variant of the ShellTea malware and carried out attacks against hotel and entertainment industry. This would be the first attack by FIN8 hacker group in 2019, and it is believed that malware was deployed as a result of a phishing attack.

Researchers from Morphisec Labs observed a new campaign between March to May 2019, and it “attempted to infiltrate machines several machines within the network of a customer in the hotel-entertainment industry.”

ShellTea Malware Attack

The attack starts with a fileless dropper that infiltrates and persists through the registry, the attack executed by abusing PowerShell wildcard mechanism to load ShellTea malware. This is an attempt to evade detection while propagating to the next stages of execution.

- Advertisement - SIEM as a Service

“To operate and evade standard analysis tools, most of the functions are hashed. The hashing algorithm has a high degree of similarity to the previous ShellTea version, with a slight modification of the seeds and constants,” reads the Morphisec analysis report.

ShellTea looks for explorer.exe process in multiple ways to find the process id of the current desktop window. Once it locates the process id it uses standard functions to write within the memory of explorer.

The malware also implies a number of anti-debugging or anti-monitoring techniques to check that it is not running in a virtual machine or not being monitored with any inspection tools.

According to researchers following are the list of the process it searched for

WINDBG.EXE, WIRESHARK.EXE, PROCEXP.EXE, PROCMON.EXE, TCPVIEW.EXE, 
OLLYDBG.EXE, IDAG.EXE, IDAG64.EXE, DUMPCAP.EXE, FILEMON.EXE, IDAQ64.EXE, IDAQ.EXE,
IMMUNITYDEBUGGER.EXE, PETOOLS.EXE, REGMON.EXE, SYSER.EXE, TCPDUMP.EXE,
WINDUMP.EXE, APIMONITOR.EXE, APISPY32.EXE, IRIS.EXE, NETSNIFFER.EXE,
WINAPIOVERRIDE32.EXE, WINSPY.EXE

After bypassing the sandboxes, the shellcode executes a persistency module then ” it decrypts the PowerShell base64 command, then decrypts the CMD command for persistence.”

Communication with the C2 server carried out through HTTPS; if the communication with the C2 server fails, it will try to execute the proxy aware API to establish a connection.

The PowerShell script capable of collecting all possible information on the user and the network, including snapshots, computer and user names, emails from the registry, tasks in task scheduler, system information, AVs registered in the system, privileges, domain and workgroup information.

The hospitality industry, and particularly their POS networks, now becoming a prime target for cybercrime group. Researchers assume the attack by FIN6 group also an attempted POS attack.

Indicators of Compromise

SHELLTEA BACKDOOR:

6353D7B18EE795969659C2372CD57C3D
4B9EFD882C49EF7525370FFB5197AD86

REFLECTIVEPICKER:

DC162908E580762F17175BE8CCA25CF3

PowerShell recon script:

4BEB10043D5A1FBD089AA53BC35C58CA

DOMAINS:

telemerty-cdn-cloud[.]host
cdn-amaznet.club
reservecdn[.]pro
wsuswin10[.]us
telemetry[.]host

IPs:

104.193.252[.]162:443
37.1.204[.]87:443

Also Read

Hackers Increasing the use of “Command Line Evasion and Obfuscation” to Spread Advance Level Threats

Fin7 Cybercrime Group Hacked Burgerville and Stolen Payment Card Details

Three Members of Fin7 Hacker Group Charged With Stealing 15 Million Payment Cards

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Foxit PDF Reader Vulnerability Let Attackers Execute Arbitary Code

Researchers recently disclosed six new security vulnerabilities across various software, as one critical vulnerability...