Between March and May 2019, Morphisec Labs observed a new, highly sophisticated variant of the ShellTea / PunchBuggy backdoor malware that attempted to infiltrate a number of machines within the network of a customer in the hotel-entertainment industry. It is believed that the malware was deployed as a result of several phishing attempts.
The last documented version of ShellTea was in 2017, in a POS malware attack. Given the nature of the industry targeted in the attack uncovered by Morphisec, we assume that this was also an attempted POS attack. As the attack was prevented by the Morphisec solution, the POS malware could not be downloaded to the machines.
This is the first attack observed during 2019 that can be attributed to FIN8 with high probability, although there are a few indicators that overlap with known FIN7 attacks (URLs and infrastructure).