FIN8 hacking group is back in business with updated ShellTea backdoor

July 18, 2019

After almost two years of silence, the FIN8 hacking group has returned: cybersecurity researchers analysing a new malware sample found that the group has devised a new method of attacking the hotel and entertainment industry, using an updated version of its backdoor trojan known as ShellTea/PunchBuggy. This is thought to be the first attack delivered by the FIN8 group in 2019.


FIN8 is a financially motivated threat group known for launching tailored spear-phishing campaigns against the retail, restaurant, and hospitality industries. Unlike APT (advanced persistent threat) groups, which focus on intelligence gathering and cyber-espionage, FIN8 conducts attacks for its own financial profit. The group primarily targets point-of-sale (PoS) systems in an effort to steal payment card data, which it then puts up for sale on online hacking forums.


Researchers observed these adversaries stealing tokens and then using those credentials, or forged Kerberos tickets, to move laterally and gain access to servers on the PoS network. Those servers became the staging points for the remainder of the attack: from them, the attackers launched shell commands to push their PoS malware, which they dubbed PoSlurp, to the PoS machines and run it.

The new method devised by the FIN8 hacking group starts with a fileless dropper: PowerShell code activated by registry keys, which leads to ShellTea being injected into Explorer. ShellTea then checks its environment to determine whether it is running in a sandbox or virtual machine or, most likely, being monitored.

After responding to the commands it receives back, ShellTea will load and execute a delivered executable. It can also create a file and run it as a process, and execute any PowerShell command using the downloaded native Empire ReflectivePick. PoS malware would likely be downloaded at this stage. Once the PoS malware is executed, a PowerShell script collects information on the user and the network: snapshots, computer and user names, e-mail addresses from the registry, tasks in the task scheduler, system information, antivirus products registered on the system, privileges, and domain and workgroup information.
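As an added illustration (not code from the original article or from the researchers it cites), the following Python script shows how a defender might triage registry-modification events for the pattern described above: PowerShell launched from an autorun registry key with hidden, encoded or expression-evaluating arguments, or PowerShell that reads its payload out of the registry instead of from a file. The event format, host names, key names and command lines are all constructed for this example; real telemetry (for instance Sysmon registry-value events) would need its own parser.

```python
"""Triage registry-modification events for PowerShell-based, registry-activated loaders."""
import re
from dataclasses import dataclass

# Autorun locations most commonly abused for "PowerShell activated by registry keys".
AUTORUN_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)

# Command-line traits that distinguish a hands-off loader from an admin's one-liner.
SUSPICIOUS_ARGS = re.compile(
    r"(?i)-(?:e|enc|encodedcommand|nop|noprofile|w\s+hidden|windowstyle\s+hidden)\b"
    r"|\biex\b|invoke-expression|frombase64string"
)

# PowerShell that pulls its payload out of the registry rather than from a file on disk.
REGISTRY_READ = re.compile(r"(?i)get-itemproperty|\bhk(?:cu|lm):")


@dataclass
class RegistryEvent:
    host: str
    key: str
    value: str
    data: str


def parse_event(line: str) -> RegistryEvent:
    """Parse one 'host|key|value|data' line (a constructed, simplified event format).

    The data field may itself contain '|' characters (PowerShell pipelines),
    so the split is limited to the first three separators.
    """
    host, key, value, data = line.rstrip("\n").split("|", 3)
    return RegistryEvent(host, key, value, data)


def analyse(ev: RegistryEvent) -> list[str]:
    """Return the list of indicators present in a single event."""
    reasons = []
    key = ev.key.lower()
    if any(k in key for k in AUTORUN_KEYS):
        reasons.append("autorun key")
    if "powershell" in ev.data.lower():
        reasons.append("launches powershell")
    if SUSPICIOUS_ARGS.search(ev.data):
        reasons.append("hidden/encoded/expression-evaluating arguments")
    if REGISTRY_READ.search(ev.data):
        reasons.append("reads payload from registry")
    return reasons


def is_suspicious(reasons: list[str]) -> bool:
    """PowerShell alone is normal; PowerShell plus any other indicator is worth a look."""
    return "launches powershell" in reasons and len(reasons) >= 2


def triage(lines):
    """Return (host, key, value, reasons) for every event that trips the rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = analyse(ev)
        if is_suspicious(reasons):
            hits.append((ev.host, ev.key, ev.value, reasons))
    return hits


# Constructed sample events: two benign autorun entries and two loader-style entries.
SAMPLE_EVENTS = [
    r"WS01|HKCU\Software\Microsoft\Windows\CurrentVersion\Run|Updater"
    r"|powershell.exe -nop -w hidden -enc BASE64PAYLOADPLACEHOLDER",
    r"WS01|HKLM\Software\Microsoft\Windows\CurrentVersion\Run|OneDrive"
    r'|"C:\Users\x\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    r"WS02|HKCU\Software\Contoso\Agent|Cmd"
    r'|cmd.exe /c powershell -c "iex ((Get-ItemProperty HKCU:\Software\Contoso\Agent).Blob)"',
    r"WS03|HKCU\Software\Microsoft\Windows\CurrentVersion\Run|Sync|C:\Tools\sync.exe",
]

if __name__ == "__main__":
    for host, key, value, reasons in triage(SAMPLE_EVENTS):
        print(f"{host}: {key}\\{value} -> {', '.join(reasons)}")
```

The rule deliberately requires two indicators so that an administrator's interactive `powershell` entry, or a vendor updater in a Run key, does not page anyone; tune the indicator lists to the environment rather than lowering the threshold.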

The major targets of this hacking group are the hospitality industries, particularly their PoS networks. Aside from FIN8, FIN6 and FIN7 are also known for multiple attacks against PoS systems. As a result of this hacking activity, PoS has become part of the operational technology of the retail and hospitality industries.

