After being mostly silent for two years FIN8 hacking group has returned with a new campaign aimed at companies in the hospitality sector. As opposed to APT (advanced persistent threat) groups that are focused on intelligence gathering and cyber-espionage, FIN8 conducts attacks for its own financial profit. And while some financially motivated hackers often target banks and other companies in the financial sector, this group is primarily focused on attacking point-of-sale (PoS) systems in effort to steal payment card data, which they put up for sale on online hacking forums.
In 2016 - 2017 FireEye and root9B published reports detailing string of FIN8 attacks aimed at PoS systems in the retail sector. Since then the group went on hiatus for nearly two years, but in March 2019 cyber-security firm Morphisec spotted a new wave of attacks targeting companies in the hospitality industry. According to the report, the firm was able to stop the attacks before any data was stolen.
As with previous campaigns the group started its attack with the spear-fishing emails in order to install the ShellTea (PunchBuggy) malware backdoor into a victim's network designed to steal data from POS devices. While FIN8 used the same ShellTea backdoor as in previous campaigns, this time hackers made some changes to the malware to help it avoid detection and other security protocols.
According to the researchers, FIN8 made several improvements to its malware arsenal, fixing bugs and making the malicious tools harder to detect. For instance, in new ShellTea version the hashing algorithm used for hashing most of the functions in order to evade standard analysis tools has been slightly modified. Additionally, the PowerShell script used in part of the attack can now collect a significant amount of data from the network, including snapshots, computer and user names, emails from registry, tasks in task scheduler, system information, anti-virus registered in the system, privileges, domain and workgroup information. The results are Gzipped and saved under random file in the temp folder and then the data is send back to the C2 and the file is deleted.
The hospitality industry, and particularly their POS networks, continues to be one of the industries most targeted by cybercrime groups, note the experts. The focus on the hotel industry could be explained by the fact that many POS networks are running on the POS version of Window 7, making them more susceptible to vulnerabilities. Additionally, many POS systems run with only rudimentary security as traditional antivirus is too heavy and requires constant updating that can interfere with system availability.