FIN8 hacker group is back with a new highly sophisticated variant of the ShellTea malware and carried out attacks against hotel and entertainment industry. This would be the first attack by FIN8 hacker group in 2019, and it is believed that malware was deployed as a result of a phishing attack.
Researchers from Morphisec Labs observed a new campaign between March to May 2019, and it “attempted to infiltrate machines several machines within the network of a customer in the hotel-entertainment industry.”
ShellTea Malware Attack
The attack starts with a fileless dropper that infiltrates and persists through the registry, the attack executed by abusing PowerShell wildcard mechanism to load ShellTea malware. This is an attempt to evade detection while propagating to the next stages of execution.
“To operate and evade standard analysis tools, most of the functions are hashed. The hashing algorithm has a high degree of similarity to the previous ShellTea version, with a slight modification of the seeds and constants,” reads the Morphisec analysis report.
ShellTea looks for explorer.exe process in multiple ways to find the process id of the current desktop window. Once it locates the process id it uses standard functions to write within the memory of explorer.
The malware also implies a number of anti-debugging or anti-monitoring techniques to check that it is not running in a virtual machine or not being monitored with any inspection tools.
According to researchers following are the list of the process it searched for
WINDBG.EXE, WIRESHARK.EXE, PROCEXP.EXE, PROCMON.EXE, TCPVIEW.EXE, OLLYDBG.EXE, IDAG.EXE, IDAG64.EXE, DUMPCAP.EXE, FILEMON.EXE, IDAQ64.EXE, IDAQ.EXE, IMMUNITYDEBUGGER.EXE, PETOOLS.EXE, REGMON.EXE, SYSER.EXE, TCPDUMP.EXE, WINDUMP.EXE, APIMONITOR.EXE, APISPY32.EXE, IRIS.EXE, NETSNIFFER.EXE, WINAPIOVERRIDE32.EXE, WINSPY.EXE
After bypassing the sandboxes, the shellcode executes a persistency module then ” it decrypts the PowerShell base64 command, then decrypts the CMD command for persistence.”
Communication with the C2 server carried out through HTTPS; if the communication with the C2 server fails, it will try to execute the proxy aware API to establish a connection.
The PowerShell script capable of collecting all possible information on the user and the network, including snapshots, computer and user names, emails from the registry, tasks in task scheduler, system information, AVs registered in the system, privileges, domain and workgroup information.
The hospitality industry, and particularly their POS networks, now becoming a prime target for cybercrime group. Researchers assume the attack by FIN6 group also an attempted POS attack.
Indicators of Compromise
SHELLTEA BACKDOOR: 6353D7B18EE795969659C2372CD57C3D 4B9EFD882C49EF7525370FFB5197AD86 REFLECTIVEPICKER: DC162908E580762F17175BE8CCA25CF3 PowerShell recon script: 4BEB10043D5A1FBD089AA53BC35C58CA DOMAINS: telemerty-cdn-cloud[.]host cdn-amaznet.club reservecdn[.]pro wsuswin10[.]us telemetry[.]host IPs: 104.193.252[.]162:443 37.1.204[.]87:443