S0196 PUNCHBUGGY
PUNCHBUGGY is a backdoor malware used by FIN8 that has been observed targeting POS networks in the hospitality industry. [1][2][3]

| Item | Value |
|---|---|
| ID | S0196 |
| Associated Names | ShellTea |
| Type | MALWARE |
| Version | 2.1 |
| Created | 18 April 2018 |
| Last Modified | 09 February 2021 |
Associated Software Descriptions

| Name | Description |
|---|---|
| ShellTea | [1] |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | PUNCHBUGGY can gather user names. [1] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | PUNCHBUGGY enables remote interaction and can obtain additional code over HTTPS GET and POST requests. [2][3][1] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | PUNCHBUGGY has Gzipped information and saved it to a random temp file before exfil. [1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | PUNCHBUGGY has been observed using a Registry Run key. [3][1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | PUNCHBUGGY has used PowerShell scripts. [1] |
| enterprise | T1059.006 | Python | PUNCHBUGGY has used Python scripts. [1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | PUNCHBUGGY has saved information to a random temp file before exfil. [1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | PUNCHBUGGY has used PowerShell to decode base64-encoded assembly. [1] |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.009 | AppCert DLLs | PUNCHBUGGY can establish persistence using an AppCertDLLs Registry key. [3] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | PUNCHBUGGY can delete files written to disk. [3][1] |
| enterprise | T1105 | Ingress Tool Transfer | PUNCHBUGGY can download additional files and payloads to compromised hosts. [3][1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | PUNCHBUGGY mimics filenames from %SYSTEM%\System32 to hide DLLs in %WINDIR% and/or %TEMP%. [3][1] |
| enterprise | T1027 | Obfuscated Files or Information | PUNCHBUGGY has hashed most of its code's functions and encrypted payloads with base64 and XOR. [1] |
| enterprise | T1129 | Shared Modules | PUNCHBUGGY can load a DLL using the LoadLibrary API. [3] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | PUNCHBUGGY can gather AVs registered in the system. [1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | PUNCHBUGGY can load a DLL using Rundll32. [3] |
| enterprise | T1082 | System Information Discovery | PUNCHBUGGY can gather system information such as computer names. [1] |
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0061 | FIN8 | [2] |
References

1. Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
2. Kizhakkinan, D. et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
3. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.