• Home
  • Become a Hacker
    • Get Started
    • Hacker Mindset
    • Roadmap
    • Simple Setup – Hacker 101
    • Types of Hackers
    • Recommended Courses
  • Boot People Offline
  • Courses
    • All Hacking Courses
    • Cyber Security School
  • CTF
    • Beginners to Advanced Guide
    • Create your own CTF box
    • Field and Resources Guide
    • Platforms & Wargames
    • Tools Used for Solving CTF
    • Writeups
  • Dark Web
    • Beginners Guide
    • Darknet Markets
    • Darkweb 101 (Anonymity Guide)
    • Dark Web OSINT Tools
    • Hacking Forums
    • Latest News
    • Onion Links
  • Hacker Gadgets
  • Hacking Books
  • Tools Directory
Menu
  • Home
  • Become a Hacker
    • Get Started
    • Hacker Mindset
    • Roadmap
    • Simple Setup – Hacker 101
    • Types of Hackers
    • Recommended Courses
  • Boot People Offline
  • Courses
    • All Hacking Courses
    • Cyber Security School
  • CTF
    • Beginners to Advanced Guide
    • Create your own CTF box
    • Field and Resources Guide
    • Platforms & Wargames
    • Tools Used for Solving CTF
    • Writeups
  • Dark Web
    • Beginners Guide
    • Darknet Markets
    • Darkweb 101 (Anonymity Guide)
    • Dark Web OSINT Tools
    • Hacking Forums
    • Latest News
    • Onion Links
  • Hacker Gadgets
  • Hacking Books
  • Tools Directory
Search
Close
  • Home
  • 2019
  • June
  • 13
  • FIN8 Hacker Group using ShellTea Malware to Attack Hospitality Sector

FIN8 Hacker Group using ShellTea Malware to Attack Hospitality Sector

June 13, 2019June 13, 2019 Comments Off on FIN8 Hacker Group using ShellTea Malware to Attack Hospitality Sector
fin8 hacker group shelltea malware

FIN8 hacker group is back with a new highly sophisticated variant of the ShellTea malware and carried out attacks against hotel and entertainment industry. This would be the first attack by FIN8 hacker group in 2019, and it is believed that malware was deployed as a result of a phishing attack.

Researchers from Morphisec Labs observed a new campaign between March to May 2019, and it “attempted to infiltrate machines several machines within the network of a customer in the hotel-entertainment industry.”

ShellTea Malware Attack

The attack starts with a fileless dropper that infiltrates and persists through the registry, the attack executed by abusing PowerShell wildcard mechanism to load ShellTea malware. This is an attempt to evade detection while propagating to the next stages of execution.

“To operate and evade standard analysis tools, most of the functions are hashed. The hashing algorithm has a high degree of similarity to the previous ShellTea version, with a slight modification of the seeds and constants,” reads the Morphisec analysis report.

ShellTea looks for explorer.exe process in multiple ways to find the process id of the current desktop window. Once it locates the process id it uses standard functions to write within the memory of explorer.

NSA issues a warning about BlueKeep vulnerability

The malware also implies a number of anti-debugging or anti-monitoring techniques to check that it is not running in a virtual machine or not being monitored with any inspection tools.

According to researchers following are the list of the process it searched for

WINDBG.EXE, WIRESHARK.EXE, PROCEXP.EXE, PROCMON.EXE, TCPVIEW.EXE, 
OLLYDBG.EXE, IDAG.EXE, IDAG64.EXE, DUMPCAP.EXE, FILEMON.EXE, IDAQ64.EXE, IDAQ.EXE, 
IMMUNITYDEBUGGER.EXE, PETOOLS.EXE, REGMON.EXE, SYSER.EXE, TCPDUMP.EXE, 
WINDUMP.EXE, APIMONITOR.EXE, APISPY32.EXE, IRIS.EXE, NETSNIFFER.EXE, 
WINAPIOVERRIDE32.EXE, WINSPY.EXE

After bypassing the sandboxes, the shellcode executes a persistency module then ” it decrypts the PowerShell base64 command, then decrypts the CMD command for persistence.”

Communication with the C2 server carried out through HTTPS; if the communication with the C2 server fails, it will try to execute the proxy aware API to establish a connection.

The PowerShell script capable of collecting all possible information on the user and the network, including snapshots, computer and user names, emails from the registry, tasks in task scheduler, system information, AVs registered in the system, privileges, domain and workgroup information.

The Vigilante Hacker that hacked Hacking Team

The hospitality industry, and particularly their POS networks, now becoming a prime target for cybercrime group. Researchers assume the attack by FIN6 group also an attempted POS attack.

Indicators of Compromise

SHELLTEA BACKDOOR:

6353D7B18EE795969659C2372CD57C3D
4B9EFD882C49EF7525370FFB5197AD86

REFLECTIVEPICKER:

DC162908E580762F17175BE8CCA25CF3

PowerShell recon script:

4BEB10043D5A1FBD089AA53BC35C58CA

DOMAINS:

 telemerty-cdn-cloud[.]host
cdn-amaznet.club
reservecdn[.]pro
wsuswin10[.]us
telemetry[.]host

IPs:

104.193.252[.]162:443
37.1.204[.]87:443

Post navigation

Sparrow-Wifi – Graphical WiFi Analyzer for Linux
Beemka – Electron Exploitation Toolkit

Related Articles

Robinhood Crypto Fined $30 Million for AML Violations in NY

Robinhood Crypto Fined $30 Million for AML Violations in NY

- Dark Web News
August 19, 2022
Russian Extradited to the US for Laundering $400K in Crypto

Russian Extradited to the US for Laundering $400K in Crypto

- Dark Web News
August 18, 2022
Chainalysis Report: Illicit Crypto Activity (Mostly) Down in 2022

Chainalysis Report: Illicit Crypto Activity (Mostly) Down in 2022

- Dark Web News
August 18, 2022
hacker gadgets
hacker phone covers

Recent Posts

crAPI - Completely Ridiculous API

crAPI – Completely Ridiculous API

August 19, 2022
AVML v0.8 releases: Acquire Volatile Memory for Linux

AVML v0.8 releases: Acquire Volatile Memory for Linux

August 19, 2022
Reliable Online Resources (Practice Tests, Training Courses, eBooks) to Help You Pass Microsoft AZ-300 Exam on the First Try

Microsoft workers uploaded sensitive login credentials to Microsoft’s own systems to GitHub

August 19, 2022
Robinhood Crypto Fined $30 Million for AML Violations in NY

Robinhood Crypto Fined $30 Million for AML Violations in NY

August 19, 2022
CVE-2022-35278: Apache ActiveMQ Artemis HTML Injection Vulnerability

CVE-2022-35278: Apache ActiveMQ Artemis HTML Injection Vulnerability

August 18, 2022
Russian Extradited to the US for Laundering $400K in Crypto

Russian Extradited to the US for Laundering $400K in Crypto

August 18, 2022

Social Media Hacking

SocialPath – Track users across Social Media Platforms

SocialPath – Track users across Social Media Platforms

- Social Media Hacking
October 16, 2019October 16, 2019

SocialPath is a django application for gathering social media intelligence on specific username. It checks for Twitter, Instagram, Facebook, Reddit...

SocialScan – Check Email Address and Username Availability on Online Platforms

SocialScan – Check Email Address and Username Availability on Online Platforms

June 17, 2019
Shellphish – Phishing Tool For 18 Social Media Apps

Shellphish – Phishing Tool For 18 Social Media Apps

June 10, 2019July 27, 2019
WhatsApp Hacking using QRLJacking

WhatsApp Hacking using QRLJacking

May 2, 2019May 19, 2019
How to Hack any Facebook Account with Z-Shadow

How to Hack any Facebook Account with Z-Shadow

April 26, 2019June 29, 2020
hacker buffs

About Us

Haxf4rall is a collective, a good starting point and provides a variety of quality material for cyber security professionals.

Join Our Community!

Please wait...
Get the latest News and Hacking Tools delivered to your inbox.
Don't Worry ! You will not be spammed

Active Members

Submit a Tool

Hackers Handbook 2018


Grab your copy here

ABOUT US

Haxf4rall is a collective, a good starting point and provides a variety of quality material for cyber security professionals.

Our primary focus revolves around the latest tools released in the Infosec community and provide a platform for developers to showcase their skillset and current projects.

COMPANY
  • Contact Us
  • Disclaimer
  • Hacker Gadgets
  • LANC Remastered
  • PCPS IP Puller
  • Privacy Policy
  • Sitemap
  • Submit your Tool
Menu
  • Contact Us
  • Disclaimer
  • Hacker Gadgets
  • LANC Remastered
  • PCPS IP Puller
  • Privacy Policy
  • Sitemap
  • Submit your Tool
Live Chat
RESOURCES
  • Attack Process
  • Become a Hacker
  • Career Pathways
  • Dark Web
  • Hacking Books
  • Practice Your Skills
  • Recommended Courses
  • Simple Setup – Hacker 101
Menu
  • Attack Process
  • Become a Hacker
  • Career Pathways
  • Dark Web
  • Hacking Books
  • Practice Your Skills
  • Recommended Courses
  • Simple Setup – Hacker 101
Get Started
TOOLBOX
  • Anonymity
  • Bruteforce
  • DoS – Denial of Service
  • Information Gathering
  • Phishing
  • SQL Injection
  • Vulnerability Scanners
  • Wifi Hacking
Menu
  • Anonymity
  • Bruteforce
  • DoS – Denial of Service
  • Information Gathering
  • Phishing
  • SQL Injection
  • Vulnerability Scanners
  • Wifi Hacking
Tools Directory

2014 – 2020 | Haxf4rall.com               Stay Connected:

Facebook Twitter Google-plus Wordpress
Please wait...

Join Our Community

Subscribe now and get your free HACKERS HANDBOOK

Don't Worry ! You will not be spammed
SIGN UP FOR NEWSLETTER NOW