Security Alert: FIN8 is Back in Business, Targeting The Hospitality Industry (Jun 10, 2019)
The financially-motivated threat group, “FIN8,” has been found to have implemented a new variant of the “ShellTea” (PunchPuggy) backdoor, according to Morphisec researchers. FIN8 was observed utilizing this Point-of-Sale (POS) malware while targeting an unnamed company in the hotel-entertainment industry. While the infection vector is unknown for this instance, it is believed that it was delivered via phishing emails. ShellTea is a sophisticated piece of malware that creates a registry entry for persistence, hashes its functions to evade analysis, utilizes a fileless dropper, and has virtual environment and sandbox detection. The malware will collect system information and will receive commands from a Command and Control (C2) server for additional malicious activity.
Recommendation: All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. In addition, protocols should be in place to ensure that all endpoints have the necessary patches applied and that privileged accounts are limited. Furthermore, defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.