FIN8 tries to breach U.S. hotel with new malware variant, researchers say


A criminal hacking group tried to breach the computer network of a U.S. hotel using a variant of malware the group had last deployed in 2017, according to research from endpoint security firm Morphisec.

FIN8, as the financially driven group is known, made several upgrades to its ShellTea malware and aimed it at the hotel's network between March and May, according to Morphisec. Researchers believe it was an attempted attack on a point-of-sale (POS) system, that is, one that processes payment card data. The intrusion attempt was blocked.

In a blog post published Monday, Morphisec warned of the vulnerability of POS networks to groups like FIN8.

“Many POS networks are running on the POS version of Windows 7, making them more susceptible to vulnerabilities,” wrote Morphisec CTO Michael Gorelik. “The techniques implemented can easily evade standard POS defenses.”

The research did not identify the hotel by name or specify its location, though Gorelik told CyberScoop it was in the U.S. With the trove of financial and personal data it collects from customers, the hospitality industry has been a ripe target for cybercriminal gangs.

The operators of the ShellTea malware improved their hacking tool by adding a reconnaissance feature that bypasses a network’s “whitelisting” mechanism, which aims to block malicious activity. The malicious code runs a PowerShell script that ingests a variety of information on the user and network, including user names, system and domain information, and antivirus tools running on the system, according to Morphisec.

Morphisec attributed the activity to FIN8 with “high probability,” Gorelik said. The data recovered from the intrusion attempt had a “very high match” to a previous memory implant reported by cybersecurity companies FireEye and root9b, he said.

“To have such a match you need access to the source code,” Gorelik said. “So either FIN8 executed the attack again or some of its members joined” other criminal gangs, such as FIN6 or FIN7, he added. Some of the infrastructure used in the new activity overlapped with known FIN7 attacks, he said.

Kimberly Goody, manager of intelligence analysis at FireEye, said that her company saw FIN8 use additional tools in their operations last year. That means that, in addition to relying on its POS malware, the group was “actively seeking out new methods to augment their success,” Goody told CyberScoop.

Written by Sean Lyngaas