Cyber Incident Victim: Target

Date: Mar 2019

Location: United States of America

Summary

A financially motivated cyberattack targeted a hotel-entertainment entity, attributed to the FIN8 threat group, involving a sophisticated variant of the ShellTea backdoor malware delivered via phishing campaigns. The fileless malware employed registry-based persistence, PowerShell execution, and injection into explorer.exe to evade detection, while utilizing anti-analysis techniques including virtual environment checks, process monitoring detection, and hard disk validation. Its objectives included reconnaissance via PowerShell scripts collecting system and network data, command-and-control communication over HTTPS with proxy-aware capabilities, and attempted deployment of POS-focused payloads—though these were prevented by endpoint security solutions before reaching point-of-sale systems. The malware leveraged domains mimicking legitimate CDN services and infrastructure overlapping with known FIN7 tactics.

Description

Between March and May 2019, a hotel-entertainment industry customer experienced a cyberattack involving a sophisticated variant of the ShellTea (also known as PunchBuggy) backdoor malware. Morphisec Labs observed the fileless malware attempting to infiltrate multiple machines within the victim's network, with initial access believed to have been achieved through phishing campaigns. The malware leveraged registry-based persistence mechanisms, starting with the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key to execute PowerShell code stored in a randomly named subkey under HKEY_CURRENT_USER\Software. This PowerShell stage decoded a base64-encoded .NET assembly that injected shellcode into memory. The shellcode employed multiple evasion techniques, including process injection into explorer.exe via the RtlCreateUserThread API and comprehensive checks for virtual environments. These checks involved querying firmware information through NtQuerySystemInformation, scanning for security monitoring tools like Wireshark.exe and Procmon.exe using CRC32-hashed process names, and validating hard disk volume names via SHA-1 hashing.
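A defender-side check for the persistence chain just described, added here as an example (it is not code from this page, from Morphisec, or from the malware analysis): it audits Run-key entries for PowerShell launchers that read a payload out of a registry value and decode or execute it in memory. The sample Run-key values, the subkey name yhd72ksl, the rule set and the alert threshold are constructed assumptions.

```python
import re

# Constructed sample HKCU Run values (value name -> command line), modelled on the
# chain above: a Run entry starts PowerShell, which reads base64 data from a
# randomly named subkey under HKCU\Software and loads it without touching disk.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "xk3f9q": (
        "powershell.exe -NoP -W Hidden -c \"iex([Text.Encoding]::Unicode.GetString("
        "[Convert]::FromBase64String((gp 'HKCU:\\Software\\yhd72ksl').data)))\""
    ),
}

# Indicators of the fileless registry-stored-payload pattern: (rule name, regex).
# Each matching rule adds one point; the threshold below is an assumed tuning value.
RULES = [
    ("powershell_launcher", re.compile(r"\bpowershell(\.exe)?\b|\bpwsh\b", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("no_profile", re.compile(r"-nop(rofile)?\b", re.I)),
    ("registry_read", re.compile(r"\b(gp|get-itemproperty)\b.*HKCU:?\\Software", re.I)),
    ("base64_decode", re.compile(r"FromBase64String|-e(nc(odedcommand)?)?\s", re.I)),
    ("in_memory_exec", re.compile(r"\biex\b|invoke-expression|Reflection\.Assembly", re.I)),
]


def score_autorun(command: str) -> list[str]:
    """Return the names of all rules that the autorun command line matches."""
    return [name for name, rx in RULES if rx.search(command)]


def audit_run_key(values: dict[str, str], threshold: int = 3) -> dict[str, list[str]]:
    """Return {value_name: matched_rules} for entries matching at least `threshold` rules."""
    flagged = {}
    for name, cmd in values.items():
        hits = score_autorun(cmd)
        if len(hits) >= threshold:
            flagged[name] = hits
    return flagged


if __name__ == "__main__":
    for name, hits in audit_run_key(SAMPLE_RUN_VALUES).items():
        print(f"[suspicious] HKCU\\...\\CurrentVersion\\Run\\{name}: {', '.join(hits)}")
```

On a live Windows host the same dictionary can be filled by enumerating the Run key with the standard-library winreg module; the scoring logic does not change.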

The ShellTea variant established command-and-control (C2) communication over HTTPS to domains including telemerty-cdn-cloud[.]host (resolving to 104.193.252[.]162), reservecdn[.]pro, wsuswin10[.]us, and telemetry[.]host. The malware was proxy-aware and utilized ole32 stream functions for data manipulation. It supported multiple C2 directives, including registry manipulation, reflective DLL loading, file creation/execution, shellcode execution, and PowerShell command invocation via an Empire ReflectivePicker module. During reconnaissance, the malware executed a PowerShell script that collected system and network information—including user credentials, installed antivirus products, and domain details—compressed the data into a Gzip file, and exfiltrated it before deletion. Morphisec's intervention prevented the final payload delivery stage, which forensic analysis indicated was likely POS-targeted malware based on the victim's industry and FIN8's historical focus on payment systems. No post-exploitation activity or data theft occurred due to the preventive controls blocking the attack before POS system compromise.

The incident represented the first high-confidence attribution to FIN8 in 2019, though some infrastructure overlaps with FIN7 operations were noted. Technical improvements over the 2017 ShellTea version included refined anti-analysis routines, expanded process blocklists, and fixed cryptographic implementation errors. The attack exploited the hospitality sector's reliance on vulnerable Windows 7-based POS systems, which often lack robust security due to operational constraints. Morphisec's endpoint solution halted the attack at the initial execution phase, preventing registry persistence establishment and subsequent payload retrieval. Artifacts included malware hashes (e.g., ShellTea variants 6353D7B18EE795969659C2372CD57C3D and 4B9EFD882C49EF7525370FFB5197AD86), PowerShell script hashes (4BEB10043D5A1FBD089AA53BC35C58CA), and network indicators. The containment was limited to blocking the initial intrusion vector, with no evidence of lateral movement or secondary payload deployment due to early-stage mitigation.
