Researchers have detected a new campaign against the hotel-entertainment industry employing the first documented use of the ShellTea/PunchBuggy backdoor since 2017. It is also thought to be the first observed attack delivered by the FIN8 group in 2019.
FIN8’s obfuscation techniques were analyzed by FireEye in June 2017 together with the use of “their PUNCHTRACK POS-scraping malware.” For example, wrote FireEye, “In early 2017, FIN8 began using environment variables paired with PowerShell’s ability to receive commands via StdIn (standard input) to evade detection based on process command line arguments.”
ShellTea was analyzed, without any attribution, by Root9b also in June 2017. Interestingly, the firm noticed an error in the coding: “There are now 27 CRC32s to check against in the array, but the loop comparing the process name CRC32 to the list of hashes runs 108 times.”
In Root9b’s analysis, the purpose of ShellTea is to deliver POS malware. “We observed the adversaries stealing tokens, then using those credentials or creating forged Kerberos tickets (‘Golden Tickets’) to maneuver laterally and gain access to network servers on the PoS network which would become the staging points for the remainder of the attack… to launch shell commands, including wmic.exe, to push the PoS software, which we dubbed PoSlurp, to the PoS machines to launch it.”
The new iteration of ShellTea detected by researchers from Morphisec has corrected the CRC32 error. Between March and May 2019, report the researchers, they detected “a new, highly sophisticated variant of the ShellTea / PunchBuggy backdoor malware,” It attempted to infiltrate a number of machines belonging to one of Morphisec’s customer networks, probably as a result of phishing attempts.
Morphisec assumes the purpose of the new attack is similarly to deliver POS malware, but cannot absolutely confirm this. It discovered the malware by blocking it on the customer — so it never completed its final purpose.
FIN8 is thought to be separate to FIN7, although, say the researchers, “there are a few indicators that overlap with known FIN7 attacks (URLs and infrastructure).” FIN7 is known for its use of the Carbanak malware, and reportedly breached Saks Fifth Avenue and Lord & Taylor stores in North America potentially between May 2017 and April 2018.
The new campaign using ShellTea starts with a fileless dropper using PowerShell code activated by registry keys and leading to ShellTea — which is injected into Explorer. It checks whether it is running in a sandbox or virtual environment, or is being monitored.
C2 communication is over HTTPS. ShellTea responds to the commands it receives back. It might reflectively load and execute a delivered executable; it might create a file and execute it as a process; it might execute any PowerShell command using downloaded native Empire ReflectivePicker; or it might execute the shellcode as is by creating an additional thread. POS malware would likely be downloaded at this time.
The PowerShell script also collects information on the user and the network — including snapshots, computer and usernames, emails from registry, tasks in task scheduler, system information, AVs registered in the system, privileges, domain and workgroup information. This data is Gzipped and saved under a random file in the temp folder. As soon as it has been collected by the C2, it is deleted.
The hospitality industry — and particularly its POS networks — are a major target for attackers. The FIN6, FIN7 and FIN8 groups are all known for multiple attacks against POS. Defense is made more difficult because many such networks run on the POS version of Windows 7. In effect POS is part of the operational technology of the retail and hospitality industries — and presents the same problems as ICS systems in manufacturing: processing capacity is limited, anti-virus demands are heavy, and patching and updates are sometimes skipped for fear of interfering with system availability.
With such a highly prized target and with limited natural security, POS attacks will inevitably continue.