FIN8 threat group reappears with new malware toolset

Clegg

Researchers at Gigamon have uncovered a new form of malware being utilised by the financially-motivated threat group. 

The applied threat research team (ATR) at Gigamon recently discovered that the threat group FIN8 had re-emerged in June following its disappearance two years ago. FIN8 typically targets point-of-sale systems to steal credit card information via malware attacks.

FIN8 has continued to evolve and adapt its tools, and a new reverse shell dubbed BADHATCH was discovered by the ATR. 

The researchers wrote:

“We analyzed variants of the ShellTea implant and PoSlurp memory scraper malware, designated ShellTea.B and PoSlurp.B. One of the most interesting samples analyzed appears to be a previously unreported tool, BADHATCH, that provides file transfer and reverse shell functionality.”

BADHATCH is set up to explore victims' networks and distribute further malware such as PoSlurp. The researchers uncovered its capabilities after reverse engineering the malware, and discovered that BADHATCH worked alongside other backdoors utilised by FIN8.

It is believed that BADHATCH attacks begin with a customised phishing email that delivers a malicious document containing PowerShell scripts; once executed, the scripts install a backdoor.

Researchers noted that BADHATCH is similar to PowerSniff, a previous FIN8 malware campaign. This time, however, BADHATCH utilises a different command and control communication protocol and also has the ability to inject commands into processes.

BADHATCH contains no methods for sandbox detection, and includes “none of the environmental checks to evaluate if it is running on possible education or healthcare systems and has no observed built-in, long-term persistence mechanisms”.

“Badhatch is complementary in nature to their previous tools, providing an additional remote access capability using an alternate command and control channel,” said Justin Warner, director of applied threat research at Gigamon.

“The constant evolution and modification of their toolset speaks to the adaptiveness and likely dynamic nature of the group, and certainly sets them apart from many financially-motivated actors that leverage the same tools in the same exact configurations for every campaign.

“Ultimately, FIN8 and all organized cybercrime groups are looking to make as much money as possible.”

