FIN8 Made a Comeback with a More Sophisticated ShellTea Version

ShellTea is a backdoor threat that was used in attempts to gain control over computers in the hotel and entertainment industry. The attacks took place between March and May of 2019. The malicious application's creators are believed to be cybercriminals from the FIN8 group. Unlike the hackers of the Turla group, who are interested in governments' sensitive information, these attackers are after their victims' money. Researchers say that this is why FIN8 mainly targets the hospitality and entertainment industries. The last time the group used ShellTea was in 2017. It would seem that a couple of years' break allowed the cybercriminals to come up with a more sophisticated and vicious version of this backdoor malware. To learn more about how it behaves after entering a system and how the hackers attempted to distribute it, we encourage you to read the rest of this article.

For those who wish to avoid threats like ShellTea, it is essential to know how they could be distributed. Cybersecurity specialists say that the hackers behind the malicious backdoor tried to reach their victims via phishing. This method is often used to trick users into revealing their login credentials and other sensitive data, and some cybercriminals also use it to spread installers of ransomware and other malicious applications. Phishing attacks usually rely on emails or other kinds of messages that claim to come from trusted parties. Such messages can contain malicious files presented as important documents, or links that are supposed to lead to a legitimate website but actually open a harmful site. As you can guess, interacting with such content may infect one's system with malware without the user realizing it. Therefore, users should always confirm that the messages they receive really come from the sources they claim to be from.

If ShellTea manages to get in, it tries to make sure it is loaded with every system restart by creating a Registry value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. The malicious application uses a hashing algorithm similar to the one used in the old version of the malware; it hashes the functions the threat uses so that standard analysis tools do not detect them. The backdoor is also capable of identifying whether it is running within a virtual environment. Unlike the previous version, which had a bug that made it difficult to determine whether it was being monitored, the new version can tell, because it recognizes the processes belonging to monitoring tools. Its long list of capabilities also includes loading delivered executables into processes, executing shellcode, running PowerShell commands, and creating files and executing them as processes.
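A defender's counterpart to the Run-key persistence described above, added here as an example and not code from the article or from any ShellTea sample: it scores autostart entries by a few weak signals (user-writable launch path, proxy-execution binaries, hidden or encoded PowerShell). The entries are constructed for illustration; on a live Windows host the same name/command pairs would be read with the standard winreg module, which is assumed rather than shown.

```python
import re
from typing import List, Tuple

# Constructed sample of (value name, command) pairs as they would appear
# under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Not real data.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", r"C:\Users\alice\AppData\Roaming\svc\update.exe"),
    ("Helper", r"powershell.exe -w hidden -ep bypass -enc QUJD"),
    ("Loader", r"rundll32.exe C:\Users\alice\AppData\Local\Temp\lib.dll,Start"),
    ("Teams", r'"C:\Program Files\Teams\Teams.exe" --autostart'),
]

# Locations an unprivileged user can write to. A persistence value launching
# from one of them deserves a second look but is not proof of compromise:
# many per-user installers legitimately live under AppData\Local.
USER_WRITABLE = re.compile(
    r"\\AppData\\(Roaming|Local\\Temp)\\|\\Temp\\|\\Users\\Public\\|\\Downloads\\",
    re.IGNORECASE,
)
# Script hosts and proxy-execution binaries that rarely belong in Run.
PROXY_HOSTS = re.compile(r"\b(rundll32|regsvr32|mshta|wscript|cscript)\.exe", re.IGNORECASE)
# PowerShell started hidden, with an encoded command, or with policy bypass.
PS_FLAGS = re.compile(
    r"powershell.*?(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|-ep\s+bypass)",
    re.IGNORECASE,
)


def score_entry(name: str, command: str) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one Run value; higher is more suspicious."""
    score, reasons = 0, []
    if USER_WRITABLE.search(command):
        score += 1
        reasons.append("launches from a user-writable directory")
    if PROXY_HOSTS.search(command):
        score += 2
        reasons.append("uses a proxy-execution binary")
    if PS_FLAGS.search(command):
        score += 2
        reasons.append("hidden/encoded/bypass PowerShell flags")
    return score, reasons


def audit_run_entries(entries, threshold: int = 1):
    """Return [(name, score, reasons)] for entries scoring at or above threshold."""
    findings = []
    for name, command in entries:
        score, reasons = score_entry(name, command)
        if score >= threshold:
            findings.append((name, score, reasons))
    return sorted(findings, key=lambda f: f[1], reverse=True)


if __name__ == "__main__":
    for name, score, reasons in audit_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"{name}: score {score}: {'; '.join(reasons)}")
```

The scores are a triage aid, not a verdict: a flagged entry still has to be checked against the file's signer, hash and install history before it is treated as persistence.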

What's more, the malware can gather information about an infected computer and the person who uses it. To be more precise, ShellTea may take snapshots and collect email information from the registry, system details, installed antivirus software, privilege levels, and similar data. This information is placed in an archive that is sent to the malicious application's creators and then erased. It is believed that the cybercriminals behind this backdoor could use it to carry out POS (Point-of-Sale) attacks or other malicious activities.

All in all, the number and nature of the malware's capabilities make it a very sophisticated threat. If its creators had succeeded in spreading it among hotels, it could have caused a lot of problems for those organizations. Next time the hackers could come up with even more vicious tools than the version of ShellTea described here. Therefore, organizations that have a lot to lose from such attacks should take precautions to protect their systems. As a start, it would be smart to employ reputable antimalware tools, have a team of IT specialists, and educate employees who work with sensitive information on how to recognize and avoid phishing and similar attacks.

In non-techie terms:

ShellTea may not sound like a vicious threat, but, in reality, it is a sophisticated backdoor that can avoid detection and misuse an infected system's tools to carry out POS (Point-of-Sale) attacks. The sample observed by cybersecurity experts was also capable of determining whether it was being monitored. In addition, the threat can gather various kinds of information about an infected system and its user. Information about the infected device can be used to find its weaknesses, and data about the victim could make it easier to misuse the identified vulnerabilities. As one can imagine, it may not be an easy task to protect a system from threats like ShellTea. Cybersecurity experts say that a company in fear of being targeted by such attacks should identify the weaknesses of its systems and devices. The next step is to get rid of the detected vulnerabilities. Plus, it is advisable to use reputable antimalware tools that can identify malicious activity and guard a company's computers against threats.