FIN8 Hackers Return With New BADHATCH Backdoor

FIN8 is a financially motivated threat group. After a pause of roughly a year and a half, it has resurfaced with an upgraded version of its BADHATCH backdoor. The new capabilities include screen capture, proxy tunneling, credential theft, and fileless execution.

Researchers have identified new FIN8 activity that uses an updated version of the BADHATCH backdoor to target companies in the insurance, retail, technology, and chemical industries around the world. The affected countries include the United States, Canada, South Africa, Puerto Rico, Panama and Italy.

BADHATCH is a custom, extensible backdoor belonging to the group; it was already used in FIN8's 2019 attacks. The new version brings significant improvements in persistence, encryption, information gathering, and lateral movement, and adds the ability to download files, which can pave the way for further attacks. BADHATCH is a mature, highly capable backdoor that uses several evasion and anti-detection techniques; the new version also attempts to evade security monitoring by using TLS encryption to hide its PowerShell commands.

FIN8 was first disclosed by FireEye in 2016. Its main targets are the retail, hospitality and entertainment industries, and it uses malicious tools such as PUNCHTRACK and BADHATCH to steal payment card data from point-of-sale (POS) systems.

Figure: C2 commands in the new BADHATCH version

Since April 2020, at least three different versions of the backdoor (v2.12 to v2.14) have been observed. The latest version abuses a legitimate service to download a PowerShell script, which then executes shellcode containing the BADHATCH DLL.

Besides establishing persistence, the PowerShell script also performs privilege escalation, so that every command executed after the script runs as the SYSTEM user.

A second evasion technique used by FIN8 is command-and-control (C2) traffic that masquerades as legitimate HTTP requests.

Figure: distribution of affected countries