Cyber Threat Actor: FIN8
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
United States of America
|
1 incident |
|---|
Profile
FIN8 is a threat actor tracked under that alias and has been publicly linked to operations originating from the United States of America. The group has been described as financially motivated, with observed activity targeting the hospitality sector, specifically hotel‑entertainment entities, and attempting to deploy point‑of‑sale focused payloads. Their activity has been documented in a March 2019 intrusion against a hotel‑entertainment network where a phishing campaign delivered a fileless variant of the ShellTea/PunchBuggy backdoor.
The group’s typical initial access vector involves phishing emails that deliver a fileless dropper. Once executed, the malware establishes persistence through registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and a randomly named subkey, then launches PowerShell code from that location. The PowerShell stage decodes a base64‑encoded .NET assembly that injects shellcode into the explorer.exe process, a technique used to evade detection. To avoid analysis, the shellcode employs multiple anti‑analysis checks: it queries firmware strings via NtQuerySystemInformation to detect virtual environments, enumerates running processes and compares CRC32 hashes of capitalized process names against a hard‑coded list that includes debuggers and monitoring tools, and validates the system’s hard‑disk volume by comparing a SHA1 hash of the volume name to a preset value.
For command and control, the ShellTea backdoor communicates over HTTPS with proxy‑aware capabilities, using domains that mimic legitimate content‑delivery networks such as telemerty‑cdn‑cloud[.]host, reservecdn[.]pro, wsuswin10[.]us and telemetry[.]host. The C2 protocol supports a range of commands including writing received data or shellcode to the registry, reflectively loading and executing delivered binaries, creating and executing a file that is later marked as deleted, executing shellcode directly via a new thread, and running arbitrary PowerShell commands through a downloaded Empire ReflectivePicker component. The ReflectivePicker is reflectively loaded to instantiate the CLR via CorBindToRuntime, enabling in‑memory .NET execution.
During reconnaissance, the malware downloads a PowerShell script that gathers extensive system and network information—including computer and user names, email addresses from the registry, scheduled tasks, system details, installed antivirus products, privileges, domain and workgroup information—and gzips the output before exfiltrating it to the C2 server, after which the temporary file is deleted. The malware also leverages ole32 stream objects to manipulate downloaded memory streams directly.
A publicly reported campaign from March 1 2019 illustrates these behaviors: a phishing‑delivered ShellTea variant attempted to infiltrate a hotel‑entertainment network, performed reconnaissance, established persistence, and sought to deploy a POS‑focused payload that was blocked by endpoint defenses before reaching point‑of‑sale systems. The activity was attributed to FIN8 by Morphisec researchers, who noted overlapping infrastructure and tactics with the FIN7 group but maintained FIN8 as a distinct activity cluster. No further attribution to state sponsors or criminal consortia is provided in the source material.
