FIN8 Hacker Group using Highly Sophisticated ShellTea Malware to Attack Hospitality Sector

FIN8 hacker group is back with a new highly sophisticated variant of the ShellTea malware and carried out attacks against hotel and entertainment industry. This would be the first attack by FIN8 hacker group in 2019, and it is believed that malware was deployed as a result of a phishing attack.

Researchers from Morphisec Labs observed a new campaign between March to May 2019, and it “attempted to infiltrate machines several machines within the network of a customer in the hotel-entertainment industry.”

ShellTea Malware Attack

The attack starts with a fileless dropper that infiltrates and persists through the registry, the attack executed by abusing PowerShell wildcard mechanism to load ShellTea malware. This is an attempt to evade detection while propagating to the next stages of execution.

“To operate and evade standard analysis tools, most of the functions are hashed. The hashing algorithm has a high degree of similarity to the previous ShellTea version, with a slight modification of the seeds and constants,” reads the Morphisec analysis report.

ShellTea looks for explorer.exe process in multiple ways to find the process id of the current desktop window. Once it locates the process id it uses standard functions to write within the memory of explorer.

The malware also implies a number of anti-debugging or anti-monitoring techniques to check that it is not running in a virtual machine or not being monitored with any inspection tools.

According to researchers following are the list of the process it searched for

WINDBG.EXE, WIRESHARK.EXE, PROCEXP.EXE, PROCMON.EXE, TCPVIEW.EXE, 
OLLYDBG.EXE, IDAG.EXE, IDAG64.EXE, DUMPCAP.EXE, FILEMON.EXE, IDAQ64.EXE, IDAQ.EXE,
IMMUNITYDEBUGGER.EXE, PETOOLS.EXE, REGMON.EXE, SYSER.EXE, TCPDUMP.EXE,
WINDUMP.EXE, APIMONITOR.EXE, APISPY32.EXE, IRIS.EXE, NETSNIFFER.EXE,
WINAPIOVERRIDE32.EXE, WINSPY.EXE

After bypassing the sandboxes, the shellcode executes a persistency module then ” it decrypts the PowerShell base64 command, then decrypts the CMD command for persistence.”

Communication with the C2 server carried out through HTTPS; if the communication with the C2 server fails, it will try to execute the proxy aware API to establish a connection.

The PowerShell script capable of collecting all possible information on the user and the network, including snapshots, computer and user names, emails from the registry, tasks in task scheduler, system information, AVs registered in the system, privileges, domain and workgroup information.

The hospitality industry, and particularly their POS networks, now becoming a prime target for cybercrime group. Researchers assume the attack by FIN6 group also an attempted POS attack.

Indicators of Compromise

SHELLTEA BACKDOOR:

6353D7B18EE795969659C2372CD57C3D
4B9EFD882C49EF7525370FFB5197AD86

REFLECTIVEPICKER:

DC162908E580762F17175BE8CCA25CF3

PowerShell recon script:

4BEB10043D5A1FBD089AA53BC35C58CA

DOMAINS:

telemerty-cdn-cloud[.]host
cdn-amaznet.club
reservecdn[.]pro
wsuswin10[.]us
telemetry[.]host

IPs:

104.193.252[.]162:443
37.1.204[.]87:443

Also Read

Hackers Increasing the use of “Command Line Evasion and Obfuscation” to Spread Advance Level Threats

Fin7 Cybercrime Group Hacked Burgerville and Stolen Payment Card Details

Three Members of Fin7 Hacker Group Charged With Stealing 15 Million Payment Cards

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…

4 hours ago

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…

2 days ago

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…

2 days ago

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…

2 days ago

Google Chrome Security, Critical Vulnerabilities Patched

Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…

2 days ago

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…

3 days ago