ShellTea is a malicious application that could be used for attacks on PoS (Point-of-Sale) systems, which remain one of cybercriminals’ top targets. This sophisticated tool might be able to hide from standard analysis tools by hashing most of its functions. Consequently, detecting it may not be an easy task. While hiding in a system, it can perform various tasks, such as launching executable files, executing PowerShell commands, spying on the victim, and so on. If you want to know who could be targeted by this threat, how the malware works, and how it could be spread, we invite you to read our full report. If you have any questions, you can ask them in the comments section located at the end of this page.
It is vital to mention that ShellTea is not a new malicious application that has only just been detected. The infection was active back in 2017, when it was used for attacks on PoS systems. This year, researchers came across a more sophisticated version of it that was targeted at the hotel industry. Thus, the hackers behind this malware appear to target computer users working at hotels and similar businesses. In other words, if you are a regular computer user and you do not work at a hotel, you should not worry about receiving ShellTea.
Since the malicious application might be capable of avoiding detection and may detect if it is being monitored, it is essential to have a reputable antimalware tool that would be capable of guarding a system against such threats. Another thing that is always advisable for owners of companies that could be targeted by hackers is educating their employees about how to avoid malware. It is believed that ShellTea was being spread through phishing attacks. That means targeted victims could have received emails asking them to open a malicious attachment or a link.
For example, a phishing email created for a hotel could claim it comes from one of the company’s clients. The message of such an email could say that a person received a wrong bill, and that the attached file is the receipt in question. In such situations, it is important not to rush to open the attached file. First, it is best to check whether such a client exists and to verify other details that could confirm the email is legitimate. Of course, it might be quicker to simply scan the attached file with a reliable antimalware tool that could tell if it is infected and help erase it safely if it appears to be harmful.
Once ShellTea enters a system, it may create a Registry entry under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key to make an infected device launch it after each restart. The malware may do so by manipulating the PowerShell mechanism. As soon as it settles in, the infection should be able to collect information about the user and the network their computer is connected to. Also, it is said that the malware might be able to create files and execute them as processes, load executable files, and so on. Since the previous version of ShellTea was used to attack PoS systems, it is likely that the new variant could be used for such a purpose too, in addition to gathering information.
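As an added example (not code from the original report or from any ShellTea analysis), the check below audits entries under the HKCU Run key named above and flags values that start PowerShell with flags commonly used to hide or obfuscate an autostart command. The heuristic patterns and the sample Run entries are constructed for illustration and are not ShellTea indicators.

```python
import re
import sys

# Registry path the report names as ShellTea's autostart location (HKCU hive).
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Generic PowerShell-abuse heuristics (constructed for this example, not ShellTea IoCs).
HEURISTICS = [
    ("powershell", re.compile(r"\bpowershell(\.exe)?\b", re.I)),
    ("encoded", re.compile(r"-(enc|encodedcommand|e)\b", re.I)),
    ("hidden", re.compile(r"-(w|windowstyle)\s+hidden\b", re.I)),
    ("noprofile", re.compile(r"-(nop|noprofile)\b", re.I)),
    ("download", re.compile(r"\b(iex|invoke-expression|downloadstring|frombase64string)\b", re.I)),
]


def score_run_value(command):
    """Return the names of every heuristic that matches one Run-key command line."""
    return [name for name, pattern in HEURISTICS if pattern.search(command)]


def is_suspicious(command):
    """Flag a value only if it launches PowerShell AND shows at least one evasion trait."""
    hits = score_run_value(command)
    return "powershell" in hits and len(hits) >= 2


def suspicious_run_entries(entries):
    """entries: iterable of (value_name, command). Returns [(name, command, hits)]."""
    return [(n, c, score_run_value(c)) for n, c in entries if is_suspicious(c)]


def read_hkcu_run():
    """Enumerate the live HKCU Run key. Windows only; returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg  # standard library, available on Windows only
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, value, _ = winreg.EnumValue(key, i)
            entries.append((name, str(value)))
    return entries


# Constructed sample entries; the base64 blob is a harmless placeholder, not a payload.
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", r"powershell.exe -NoP -W Hidden -Enc QQBBAEEA"),
    ("Backup", r"C:\Tools\backup.exe --daily"),
]

if __name__ == "__main__":
    for name, cmd, hits in suspicious_run_entries(read_hkcu_run() or SAMPLE_ENTRIES):
        print(f"[!] {name}: {cmd}  <- {', '.join(hits)}")
```

On a Windows host the script audits the real key; elsewhere it falls back to the constructed sample so the logic can be exercised offline.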
To conclude, ShellTea is a vicious infection that might slip in if a user falls for a phishing scam. The consequences of a company’s computer getting infected with such a threat could be severe, as it may allow hackers to gain access to its network, sensitive information, and so on. This could ruin an organization’s reputation and cause tons of other problems. Thus, it is safe to say that organizations should invest in protecting their systems as soon as possible and not wait for something to happen.