Virtual Event Today: Supply Chain Security Summit - Register Now

Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

New Version of ShellTea Backdoor Used by FIN8 Hacking Group

Researchers have detected a new campaign against the hotel-entertainment industry employing the first documented use of the ShellTea/PunchBuggy backdoor since 2017. It is also thought to be the first observed attack delivered by the FIN8 group in 2019.

Researchers have detected a new campaign against the hotel-entertainment industry employing the first documented use of the ShellTea/PunchBuggy backdoor since 2017. It is also thought to be the first observed attack delivered by the FIN8 group in 2019.

FIN8’s obfuscation techniques were analyzed by FireEye in June 2017 together with the use of “their PUNCHTRACK POS-scraping malware.” For example, wrote FireEye, “In early 2017, FIN8 began using environment variables paired with PowerShell’s ability to receive commands via StdIn (standard input) to evade detection based on process command line arguments.”

ShellTea was analyzed, without any attribution, by Root9b also in June 2017. Interestingly, the firm noticed an error in the coding: “There are now 27 CRC32s to check against in the array, but the loop comparing the process name CRC32 to the list of hashes runs 108 times.” 

In Root9b’s analysis, the purpose of ShellTea is to deliver POS malware. “We observed the adversaries stealing tokens, then using those credentials or creating forged Kerberos tickets (‘Golden Tickets’) to maneuver laterally and gain access to network servers on the PoS network which would become the staging points for the remainder of the attack…  to launch shell commands, including wmic.exe, to push the PoS software, which we dubbed PoSlurp, to the PoS machines to launch it.”

The new iteration of ShellTea detected by researchers from Morphisec has corrected the CRC32 error. Between March and May 2019, report the researchers, they detected “a new, highly sophisticated variant of the ShellTea / PunchBuggy backdoor malware,” It attempted to infiltrate a number of machines belonging to one of Morphisec’s customer networks, probably as a result of phishing attempts.

Morphisec assumes the purpose of the new attack is similarly to deliver POS malware, but cannot absolutely confirm this. It discovered the malware by blocking it on the customer — so it never completed its final purpose.

FIN8 is thought to be separate to FIN7, although, say the researchers, “there are a few indicators that overlap with known FIN7 attacks (URLs and infrastructure).” FIN7 is known for its use of the Carbanak malware, and reportedly breached Saks Fifth Avenue and Lord & Taylor stores in North America potentially between May 2017 and April 2018.

The new campaign using ShellTea starts with a fileless dropper using PowerShell code activated by registry keys and leading to ShellTea — which is injected into Explorer. It checks whether it is running in a sandbox or virtual environment, or is being monitored.

C2 communication is over HTTPS. ShellTea responds to the commands it receives back. It might reflectively load and execute a delivered executable; it might create a file and execute it as a process; it might execute any PowerShell command using downloaded native Empire ReflectivePicker; or it might execute the shellcode as is by creating an additional thread. POS malware would likely be downloaded at this time.

The PowerShell script also collects information on the user and the network — including snapshots, computer and usernames, emails from registry, tasks in task scheduler, system information, AVs registered in the system, privileges, domain and workgroup information. This data is Gzipped and saved under a random file in the temp folder. As soon as it has been collected by the C2, it is deleted.

The hospitality industry — and particularly its POS networks — are a major target for attackers. The FIN6, FIN7 and FIN8 groups are all known for multiple attacks against POS. Defense is made more difficult because many such networks run on the POS version of Windows 7. In effect POS is part of the operational technology of the retail and hospitality industries — and presents the same problems as ICS systems in manufacturing: processing capacity is limited, anti-virus demands are heavy, and patching and updates are sometimes skipped for fear of interfering with system availability.

With such a highly prized target and with limited natural security, POS attacks will inevitably continue.

Related: Breach at PoS Firm Hits Hundreds of U.S. Restaurants, Hotels 

Related: PoS Clients Targeted with Cobalt Strike, Card Scraping Malware 

Related: Malware Found on PoS Systems at Checkers and Rally’s Restaurants  

Related: Magecart Skimming Attack Hits Hundreds of Campus e-Commerce Sites 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.