The financially motivated threat group known as FIN8 has recently reemerged after being somewhat dormant, according to new research from Gigamon’s applied threat research (ATR) team.
Researchers have published findings that show FIN8 continues to evolve and adapt its tools. As part of the threat research, ATR discovered a reverse shell from FIN8, dubbed BADHATCH, while observing variants of the ShellTea implant and PoSlurp memory scraper malware. In the report, ATR also compares BADHATCH to other popular malware variants, such as PowerSniff.
“The BADHATCH sample begins with a self-deleting PowerShell script containing a large byte array of 64-bit shellcode that it copies into the PowerShell process’s memory and executes with a call to CreateThread. This script differs slightly from publicly reported samples in that the commands following the byte array are base64 encoded, possibly to evade security products. While previous analyses saw PowerSniff downloaded from online sources and executed, Gigamon ATR incident response partners recorded the attackers launching the initial PowerShell script via WMIC,” researchers wrote.
In its initial stage, BADHATCH locates the embedded DLL in order to execute the injection, which creates a local event job. “On startup, and every 5 minutes thereafter, the sample beacons to a hardcoded command and control (C2) IP (149.28.203[.]102) using TLS encryption, and sends a host identification string derived from several system configuration details and formatted as %08X-%08X-%08X-%08X-%08X-SH. Only the one hardcoded IP address and no C2 domains were observed,” the report said.
BADHATCH reportedly contains no methods for sandbox detection, differentiating it from PowerSniff. Additionally, “it includes none of the environmental checks to evaluate if it is running on possible education or healthcare systems and has no observed built-in, long-term persistence mechanisms.”
One of the more important tools in the FIN8 toolkit is the component that retrieves credit card numbers as they pass through payment-card processing systems, the report said. Breaking down FIN8’s information collection process, the researchers explained that the malicious actors first deploy the non-persistent BADHATCH reverse shell to the server and then issue commands to each POS system in a target list before executing the PoSlurp.B PowerShell script.