
ShellTea

Posted: June 13, 2019

ShellTea is a backdoor Trojan used in Point-of-Sale (PoS) attacks that collect credit and debit card information from PoS machines. It is under active development, with changes to its features and structure aimed at evading detection by traditional AV rule sets. Users should keep their security software updated so that it can remove ShellTea as accurately and efficiently as possible.

The 2019 Revised Recipe of an Aging Drink

Despite the threat that chip card technology poses to their profitability, Point-of-Sale Trojans are far from dead, and some members of that family are in the process of resurrecting themselves. ShellTea is a Trojan that was once thought extinct, only to reappear recently with more than just its old tricks. Updates to ShellTea are oriented not at changing the scope of its payload, but at avoiding detection by security solutions.

ShellTea's latest campaign, in 2019, attempted a PoS attack against an entity in the hotel industry; the attempt failed after the company's cyber-security defenses stopped it. PoS attacks consist of compromising a network by means such as phishing e-mails, moving laterally to the Point-of-Sale systems, and dropping a PoS Trojan that specializes in scraping memory for card track data. ShellTea is the 'middle man' in this operation: as a backdoor Trojan, it gives the criminals control over an infected PC and, where appropriate, drops the other, more specialized threats.

Malware researchers find ShellTea's Trojan dropper and installation mechanism for the above attack somewhat sophisticated. Its body consists entirely of Registry entries, protected by various obfuscation techniques, with no files on disk. Through a combination of PowerShell commands and self-injection, it installs a persistent version of ShellTea and runs it by injecting it into the Windows 'explorer' process.
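Because the persistence described above lives in the Registry and is started through PowerShell, one defender-side check is to review autorun values for PowerShell launchers that hide their window, carry an encoded command, or read and execute a payload from another Registry value. The script below is an added example, not code from the original post and not a ShellTea signature: it parses a constructed .reg export of an HKCU Run key, flags such launchers, and decodes any -EncodedCommand argument. The sample entries, the indicator list and the key names are assumptions.

```python
import base64
import re

# Constructed sample .reg export (not from a real infection); the encoded
# command is a harmless Write-Host built here so the blob is valid UTF-16LE base64.
_ENCODED = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16le")).decode()
SAMPLE_REG = rf'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="powershell.exe -nop -w hidden -enc {_ENCODED}"
"Loader"="powershell -w hidden -c \"iex ((gp HKCU:\\Software\\Demo).Payload)\""
'''

AUTORUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")
# Assumed launcher traits worth a second look: hidden window, no profile,
# encoded command, base64 decoding, and read-a-value-then-execute patterns.
SUSPICIOUS = ("-enc", "-e ", "-w hidden", "-windowstyle hidden", "-nop",
              "frombase64string", "iex", "invoke-expression", "get-itemproperty", "gp ")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_reg(text):
    """Yield (key, value_name, data) for string values in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line) if key else None
        if m:
            # .reg escapes backslashes and quotes with a backslash; undo that
            yield key, m.group("name"), re.sub(r"\\(.)", r"\1", m.group("data"))

def decode_encoded_command(data):
    """Return the plaintext of a -e/-enc/-EncodedCommand argument, or None."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", data, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def find_powershell_autoruns(text):
    """Flag autorun values that launch PowerShell with hiding/encoding traits."""
    findings = []
    for key, name, data in parse_reg(text):
        if not key.endswith(AUTORUN_KEYS) or "powershell" not in data.lower():
            continue
        # blank long base64-like runs so the blob itself cannot match an indicator
        low = re.sub(r"[A-Za-z0-9+/=]{20,}", "", data.lower())
        hits = [s.strip() for s in SUSPICIOUS if s in low]
        if hits:
            findings.append({"key": key, "name": name, "traits": hits,
                             "decoded": decode_encoded_command(data)})
    return findings
```

On a live host the same function can be fed the output of `reg export` for the Run and RunOnce keys under HKCU and HKLM; a hit is a lead for review, not proof of infection.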

ShellTea includes anti-analysis and anti-sandbox failsafe checks, multiple types of XOR encryption, and an HTTPS-based backdoor that can make additional Registry changes, execute further downloads, and load PowerShell commands through the Empire project's ReflectivePicker.

Spitting Out a Spoiled Beverage

It's not beyond possibility for ShellTea infections to lead to the deployment of non-PoS Trojans, such as spyware, or even file-locking Trojans like the Dharma Ransomware's Ransomware-as-a-Service offspring. However, malware analysts can only verify PoS attacks so far. Regardless of how its threat actors behave, workers should adhere to best practices for network and server security so that avenues of infection are closed off before they can be used.

Disabling online connectivity is an appropriate first step in response to any backdoor Trojan, but especially so for ShellTea. The Trojan harvests a comprehensive range of information from the PC, including Registry-stored e-mail addresses, user names, and the AV programs present, which threat actors could use in further attacks. Disrupting the C&C connection will stop any upload of the misappropriated data and also cut off ShellTea's ability to act on commands.

Anti-malware programs should be kept updated whenever practical. Out-of-date anti-malware services may not identify the threat accurately, although malware experts still recommend these automated tools for uninstalling ShellTea under most circumstances.

The reconnaissance-and-remote-control package that ShellTea offers is par for the course, but being a known quantity doesn't lessen its danger. Any business that forgets the value of protecting its customers, or their hardware, will learn that fact the hard way.
