1. Home
  2. Software
  3. PUNCHBUGGY

PUNCHBUGGY

PUNCHBUGGY is a backdoor malware used by FIN8 that has been observed targeting POS networks in the hospitality industry. [1][2] [3]

ID: S0196
Associated Software: ShellTea
Type: MALWARE
Platforms: Windows
Version: 2.1
Created: 18 April 2018
Last Modified: 19 September 2023

Associated Software Descriptions

Name Description
ShellTea

[1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1546 .009 事件触发执行: AppCert DLLs

PUNCHBUGGY can establish using a AppCertDLLs Registry key.[3]
Enterprise T1036 .005 伪装: Match Legitimate Name or Location

PUNCHBUGGY mimics filenames from %SYSTEM%\System32 to hide DLLs in %WINDIR% and/or %TEMP%.[3][1]
Enterprise T1129 共享模块

PUNCHBUGGY can load a DLL using the LoadLibrary API.[3]
Enterprise T1140 反混淆/解码文件或信息

PUNCHBUGGY has used PowerShell to decode base64-encoded assembly.[1]
Enterprise T1547 .001 启动或登录自动启动执行: Registry Run Keys / Startup Folder

PUNCHBUGGY has been observed using a Registry Run key.[3][1]
Enterprise T1059 .001 命令与脚本解释器: PowerShell

PUNCHBUGGY has used PowerShell scripts.[1]
.006 命令与脚本解释器: Python

PUNCHBUGGY has used python scripts.[1]
Enterprise T1071 .001 应用层协议: Web Protocols

PUNCHBUGGY enables remote interaction and can obtain additional code over HTTPS GET and POST requests.[2][3][1]
Enterprise T1560 .001 归档收集数据: Archive via Utility

PUNCHBUGGY has Gzipped information and saved it to a random temp file before exfil.[1]

Enterprise T1074 .001 数据分段: Local Data Staging

PUNCHBUGGY has saved information to a random temp file before exfil.[1]
Enterprise T1027 混淆文件或信息

PUNCHBUGGY has hashed most its code's functions and encrypted payloads with base64 and XOR.[1]
Enterprise T1070 .004 移除指标: File Deletion

PUNCHBUGGY can delete files written to disk.[3][1]
Enterprise T1218 .011 系统二进制代理执行: Rundll32

PUNCHBUGGY can load a DLL using Rundll32.[3]
Enterprise T1082 系统信息发现

PUNCHBUGGY can gather system information such as computer names.[1]

Enterprise T1087 .001 账号发现: Local Account

PUNCHBUGGY can gather user names.[1]
Enterprise T1518 .001 软件发现: Security Software Discovery

PUNCHBUGGY can gather AVs registered in the system.[1]

Enterprise T1105 输入工具传输

PUNCHBUGGY can download additional files and payloads to compromised hosts.[3][1]

Groups That Use This Software

ID Name References
G0061 FIN8

[2]

References

  1. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  2. Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
  1. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.