Danger level 1
Type: Other

ShellTea Is Back with a Vengeance: New Attacks Are Targeted at Hotels

The last time we had to deal with ShellTea was back in 2017. Two years later, the infection is back, and it is going after the hotel industry. The attackers rely on outdated systems with security vulnerabilities that can be exploited to drop the infection seamlessly. Unfortunately, the attackers have been succeeding, and that has been putting many businesses at risk. The threat is highly intrusive, and once it gains full access to the system, there is no limit to what can be done. Fortunately, preventing this malware from slithering in should not be the toughest task. The most important thing is that those in the industry take some time to learn about malware and about ways to secure their operating systems. Sadly, businesses all around the world continue to ignore virtual security issues.

According to researchers at Morphisec Labs, ShellTea started attacking hotels in March 2019. Most likely, phishing attacks were used to deploy this malicious threat successfully. A hacking group called FIN8 stands behind this malware, and researchers indicate that this group is highly experienced and, therefore, can set up highly successful infiltration attacks. In one scenario, the launcher of the infection could be introduced as a spam email attachment. If it is opened, the malware writes itself into the Windows Registry and executes PowerShell code. Eventually, ShellTea is executed, and the attackers gain a way into the targeted operating system. The infiltration and execution processes are silent, and users might not notice this threat until an appropriate security tool is implemented. Needless to say, the threat could remain undetected for weeks and months on end.
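
The chain described above (a registry entry that launches PowerShell, which then runs the loader) leaves a footprint that defenders can look for. Below is an added example, not code from this article or from Morphisec, that triages Run-key autorun values for PowerShell launched with an encoded, hidden, profile-less command line and decodes the payload for an analyst; the registry entries and the encoded payload are constructed samples, and the switch patterns assume PowerShell's documented prefix matching of its parameters.

```python
import base64
import re

# Constructed sample payload, encoded the way -EncodedCommand expects (UTF-16LE, then base64).
_ENCODED = base64.b64encode("Write-Output 'hello'".encode("utf-16-le")).decode("ascii")

# Constructed Run-key entries as (key, value name, value data); none are from a real infection.
SAMPLE_AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\staff\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     "powershell.exe -NoP -W Hidden -Enc " + _ENCODED),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
]

_POWERSHELL = re.compile(r'(?:^|[\\\s"])(?:powershell|pwsh)(?:\.exe)?\b', re.IGNORECASE)
# PowerShell accepts unambiguous prefixes of its switches, so -e, -en and -enc all mean -EncodedCommand.
_ENCODED_RX = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)
_SUSPICIOUS = [
    ("encoded-command", _ENCODED_RX),
    ("hidden-window", re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)),
    ("no-profile", re.compile(r"(?:^|\s)-nop(?:rofile)?\b", re.IGNORECASE)),
    ("policy-bypass", re.compile(r"(?:^|\s)-e(?:x[a-z]*|p)\s+bypass\b", re.IGNORECASE)),
]


def decode_encoded_command(data):
    """Return the script hidden behind -EncodedCommand, or None if absent or not valid base64/UTF-16LE."""
    m = _ENCODED_RX.search(data)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_autoruns(entries):
    """Flag autorun values that launch PowerShell with switches typical of a fileless loader."""
    findings = []
    for key, name, data in entries:
        if not _POWERSHELL.search(data):
            continue  # Not a PowerShell launch at all, so none of the switch checks apply.
        reasons = [label for label, rx in _SUSPICIOUS if rx.search(data)]
        if reasons:
            findings.append({"key": key, "name": name, "reasons": reasons,
                             "decoded": decode_encoded_command(data)})
    return findings
```

On a live host the same function can be fed the output of a Run-key export or an autoruns dump; the decoded text is what an analyst should read before deciding whether the value is legitimate.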

After execution, ShellTea is meant to start recording data. It might be able to record information about the operating system, the machine, the network, the user, and the administrator. It could also check emails, scheduled tasks, information about antivirus tools and other security systems, and other sensitive data. It is also possible that it could capture screenshots to gather sensitive information. In this case, login credentials, customers’ data, and other private and sensitive information could be put at risk. The data that is recorded by ShellTea is saved to a randomly named file that is likely to be placed in a temporary folder. Once it is sent to a remote server controlled by the attackers, the data is meant to be deleted. That is why the victims might never know what exactly the attackers behind the infection managed to learn or steal. Needless to say, the unknown is extremely nerve-wracking.

It is possible that the cybercriminals behind the intrusive ShellTea could try to terrorize or blackmail hotels using the data they collect. It is also possible that they could use this data to breach customers’ personal data and sell it to the highest bidder. The same could happen with the data related to the hotels. Of course, considering that it is classified as POS (point-of-sale) malware, it is most likely that the main incentive is to steal credit card information. Using it, the attackers could potentially perform illegal transactions and empty out customers’ pockets. This could ruin the victims’ lives as well as the reputation of the hotels under attack. Ultimately, we cannot say what exactly the attackers will do, and that is what makes the infection so intimidating.

At the time of research, it looked like ShellTea was stopped, but if we know one thing about cyber attackers, it is that they do not give up. Also, every time they fail, they have an opportunity to learn from their mistakes, and that might allow them to create stronger, sneakier, and more successful malware. Will we be dealing with the removal of ShellTea in the future? That is possible, and it is possible that a new target will be selected. In the meantime, all businesses within the hospitality industry are advised to update their operating systems, hardware, and the security software used for safeguarding them. It is also important to educate employees on the dangers of spam emails and other kinds of virtual attacks that cybercriminals could set up to help infiltrate malware.

Gorelik, M. (2019, June 10). FIN8 is Back in Business, Targeting the Hospitality Industry. Morphisec Labs.
