
Fin8 Hackers Return With New BADHATCH Backdoor

FIN8 is a financially motivated threat group. After a one-and-a-half-year pause, it has resurfaced with a more powerful version of its backdoor. The upgraded features include screen capture, proxy tunneling, credential theft, and fileless execution.

Researchers discovered the latest attack activities by FIN8, which used a new version of the BADHATCH backdoor to target companies in the insurance, retail, technology, and chemical industries around the world. The affected countries include the United States, Canada, South Africa, Puerto Rico, Panama and Italy.

BADHATCH is a custom backdoor developed by the group, with an extensible set of backdoor functions. The malware was also used in the group's 2019 attacks. The new version of BADHATCH has significant improvements in persistence, encryption, information collection, and lateral movement. It also adds the ability to download files, which can pave the way for a variety of follow-on attacks. BADHATCH is a mature, highly advanced backdoor that uses several evasion and defense-bypass techniques. The new version also attempts to evade security monitoring by using TLS encryption to hide its PowerShell commands.

FIN8 was first disclosed by FireEye in 2016. Its main targets are the retail, hospitality and entertainment industries. It also uses malicious tools such as PUNCHTRACK and BADHATCH to steal payment card data from point-of-sale (POS) systems.

C2 commands in the new BADHATCH

[Figure: BADHATCH command list]

Since April 2020, at least three different versions of the backdoor (v2.12 to v2.14) have been discovered. The latest version of BADHATCH abuses a legitimate service called sslp.io to download a PowerShell script, which then executes shellcode containing the BADHATCH DLL.

In addition to achieving persistence, the PowerShell script is responsible for privilege escalation, ensuring that every command executed after the script runs does so as the SYSTEM user.

A second evasion technique adopted by the malware is to disguise its communication with the command and control (C2) server as legitimate HTTP requests.

[Figure: Distribution of affected countries]

IOCs

C2
192.52.167.199
104.168.145.204
us-west.com
198.46.140.52
192.129.189.73
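As an added defensive example that is not part of the original article, the following Python script checks web-proxy log lines against the C2 indicators listed above and also flags PowerShell fetching a .ps1 script over HTTP, which is the delivery behaviour the article describes. The log line format and the sample lines are constructed assumptions, not a real product's format.

```python
"""Match the BADHATCH C2 indicators from this page against proxy log lines."""
import re
from typing import Dict, List

# Indicators copied from the IOC list on this page.
C2_IPS = {
    "192.52.167.199",
    "104.168.145.204",
    "198.46.140.52",
    "192.129.189.73",
}
C2_DOMAINS = {"us-west.com"}

# Hypothetical proxy log format (assumed for this example):
# <timestamp> <client_ip> <process> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3})$"
)
# Host part of an http(s) URL, stopping before any port or path.
URL_HOST_RE = re.compile(r"^https?://(?P<host>[^/:]+)")

# Constructed sample log lines; only the indicator values come from the page.
SAMPLE_LOG = [
    "2021-03-10T09:12:01Z 10.0.0.15 chrome.exe GET https://www.example.com/ 200",
    "2021-03-10T09:12:07Z 10.0.0.15 powershell.exe GET http://192.129.189.73/update 200",
    "2021-03-10T09:12:09Z 10.0.0.22 svchost.exe POST https://api.us-west.com/v1/ping 200",
    "2021-03-10T09:13:44Z 10.0.0.31 powershell.exe GET http://cdn.example.org/tools/setup.ps1 200",
    "2021-03-10T09:14:00Z 10.0.0.15 chrome.exe GET http://198.46.140.52:8080/ 404",
]


def extract_host(url: str) -> str:
    """Return the lower-cased host of an http(s) URL, or '' if it is not one."""
    m = URL_HOST_RE.match(url)
    return m.group("host").lower() if m else ""


def host_matches(host: str) -> str:
    """Classify a host against the IOC list; '' means no match."""
    if host in C2_IPS:
        return "c2_ip"
    # Match the listed domain itself and any subdomain of it.
    for domain in C2_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "c2_domain"
    return ""


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per log line that touches a C2 indicator or shows
    PowerShell downloading a script (a lower-confidence behavioural signal)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        url = m.group("url")
        host = extract_host(url)
        reason = host_matches(host)
        if (not reason
                and m.group("proc").lower() == "powershell.exe"
                and url.lower().split("?")[0].endswith(".ps1")):
            reason = "powershell_script_download"
        if reason:
            hits.append({
                "ts": m.group("ts"),
                "client": m.group("client"),
                "process": m.group("proc"),
                "host": host,
                "reason": reason,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['process']} -> {hit['host']} [{hit['reason']}]")
```

The IP and domain matches are high-confidence and should be escalated immediately; the PowerShell .ps1 download is only a behavioural cue that needs context (the client, the destination, whether the script ran as SYSTEM) before it is treated as a BADHATCH infection.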


Samples