1. Home
  2. Software
  3. PUNCHBUGGY

PUNCHBUGGY

PUNCHBUGGY is a backdoor malware used by FIN8 that has been observed targeting POS networks in the hospitality industry. [1][2] [3]

ID: S0196
Associated Software: ShellTea
Type: MALWARE
Platforms: Windows
Version: 2.1
Created: 18 April 2018
Last Modified: 09 February 2021

Associated Software Descriptions

Name Description
ShellTea

[1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

PUNCHBUGGY can gather user names.[1]
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

PUNCHBUGGY enables remote interaction and can obtain additional code over HTTPS GET and POST requests.[2][3][1]
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

PUNCHBUGGY has Gzipped information and saved it to a random temp file before exfil.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

PUNCHBUGGY has been observed using a Registry Run key.[3][1]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

PUNCHBUGGY has used PowerShell scripts.[1]
.006 Command and Scripting Interpreter: Python

PUNCHBUGGY has used python scripts.[1]
Enterprise T1074 .001 Data Staged: Local Data Staging

PUNCHBUGGY has saved information to a random temp file before exfil.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

PUNCHBUGGY has used PowerShell to decode base64-encoded assembly.[1]
Enterprise T1546 .009 Event Triggered Execution: AppCert DLLs

PUNCHBUGGY can establish using a AppCertDLLs Registry key.[3]
Enterprise T1070 .004 Indicator Removal on Host: File Deletion

PUNCHBUGGY can delete files written to disk.[3][1]
Enterprise T1105 Ingress Tool Transfer

PUNCHBUGGY can download additional files and payloads to compromised hosts.[3][1]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

PUNCHBUGGY mimics filenames from %SYSTEM%\System32 to hide DLLs in %WINDIR% and/or %TEMP%.[3][1]
Enterprise T1027 Obfuscated Files or Information

PUNCHBUGGY has hashed most its code's functions and encrypted payloads with base64 and XOR.[1]
Enterprise T1129 Shared Modules

PUNCHBUGGY can load a DLL using the LoadLibrary API.[3]
Enterprise T1218 .011 Signed Binary Proxy Execution: Rundll32

PUNCHBUGGY can load a DLL using Rundll32.[3]
Enterprise T1518 .001 Software Discovery: Security Software Discovery

PUNCHBUGGY can gather AVs registered in the system.[1]

Enterprise T1082 System Information Discovery

PUNCHBUGGY can gather system information such as computer names.[1]

Groups That Use This Software

ID Name References
G0061 FIN8

[2]

References

  1. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  2. Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
  1. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.