Fin8 returns with Badhatch backdoor targeting US organizations


Security researchers have discovered improvements to hacking group Fin8’s Badhatch backdoor malware that enhance its persistence on victims’ systems and improve its data collection.

The Fin8 hacking group has been active since January 2016 and, after a long hiatus, has returned with an updated version of its backdoor to compromise companies in the insurance, retail, technology, and chemicals industries.

The hackers have targeted victims in a range of countries, including the US, Canada, South Africa, Puerto Rico, Panama, and Italy.

According to a new Bitdefender report, researchers have named the new backdoor “Sardonic” after the project that encompasses it, the loader, and some additional scripts.

Researchers said Sardonic is a project still under development and includes several components. These were identified in a real-life attack and seem to be compiled just before the attack. They warned that the backdoor is “extremely potent and has a wide range of capabilities that help the threat actor leverage new malware on the fly without updating components.”

The latest updates to the backdoor include encrypting PowerShell commands using TLS by abusing a legitimate service called sslip.io. “While the service is legitimate and widely used, the malware abuses it in an attempt at evading detection,” researchers said.
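The sslip.io abuse described above leaves a trace a defender can look for: sslip.io hostnames embed the address they resolve to in the name itself (for example `203-0-113-10.sslip.io` or `203.0.113.10.sslip.io` resolves to 203.0.113.10), so any internal host resolving such a name is effectively naming the IP it is about to contact. The following PowerShell is an added example, not code from the article or from Bitdefender's report. The log lines and the `query=`/`client=` field layout are constructed for the example; real DNS or proxy logs will need their own field extraction.

```powershell
# Added example: flag DNS queries for sslip.io hostnames and recover the
# embedded IP address so an analyst can pivot on the destination.
# The log format below is constructed for this example.
$sampleLog = @'
2021-08-10T09:14:02Z client=10.0.5.23 query=www.example.com type=A
2021-08-10T09:14:05Z client=10.0.5.23 query=203-0-113-10.sslip.io type=A
2021-08-10T09:15:11Z client=10.0.7.41 query=login.microsoftonline.com type=A
2021-08-10T09:16:40Z client=10.0.5.23 query=www.198.51.100.7.sslip.io type=A
'@ -split '\r?\n'

function Find-SslipLookups {
    param([string[]]$Lines)

    foreach ($line in $Lines) {
        if (-not ($line -match 'query=(?<host>\S+)')) { continue }
        $queriedHost = $Matches.host

        # sslip.io accepts both dashed and dotted IPv4 forms, optionally with a
        # prefix label (www.203-0-113-10.sslip.io), so anchor on the suffix.
        if ($queriedHost -match '(?:^|\.)(?<ip>\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3})\.sslip\.io$') {
            $resolvesTo = $Matches.ip -replace '-', '.'
            $client = if ($line -match 'client=(?<c>\S+)') { $Matches.c } else { $null }

            [pscustomobject]@{
                Client     = $client
                Hostname   = $queriedHost
                ResolvesTo = $resolvesTo   # the address the malware would reach over TLS
                Line       = $line
            }
        }
    }
}

Find-SslipLookups -Lines $sampleLog | Format-Table -AutoSize
```

On the constructed input this reports two lookups from client 10.0.5.23, resolving to 203.0.113.10 and 198.51.100.7. As the article itself notes, sslip.io is a legitimate service, so a hit is a lead to correlate with the client's process and outbound TLS connections rather than a verdict on its own.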


Badhatch is deployed in a three-stage process: a PowerShell script, a .NET loader, and downloader shellcode. Once deployed, the backdoor allows hackers to scan victim networks, gain remote access to systems, and deploy other malicious payloads. The backdoor is delivered via social engineering or spear-phishing attacks.

The persistence mechanism has also been updated to use WMI event subscriptions to stay on victims’ systems. Fin8 has also tried to install the backdoor on Windows domain controllers in a bid to move around a victim’s network.
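WMI event subscription persistence is built from three objects in the `root\subscription` namespace: an `__EventFilter` (the trigger query), an `__EventConsumer` (what runs), and a `__FilterToConsumerBinding` that ties them together. Enumerating the bindings and showing what each consumer executes is the standard way to review a host for this mechanism. The script below is an added example, not code from the article or from Bitdefender's report; it assumes it is run in an elevated PowerShell session on the host under review and makes no assumption about the specific names or commands Fin8 used.

```powershell
# Added example: list every permanent WMI event subscription on this host,
# joined filter -> consumer, and show what the consumer would execute.
# Assumes an elevated session; 'root\subscription' is where these objects live.
function Get-WmiPersistence {
    [CmdletBinding()]
    param([string]$Namespace = 'root\subscription')

    $filters   = Get-CimInstance -Namespace $Namespace -ClassName __EventFilter
    # Querying the base class returns the concrete subclasses (CommandLine, ActiveScript, ...).
    $consumers = Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Filter and Consumer are CIM reference properties carrying the key (Name).
        $f = $filters   | Where-Object Name -eq $b.Filter.Name
        $c = $consumers | Where-Object Name -eq $b.Consumer.Name

        # Only some consumer types run code; those are the ones to triage first.
        $payload = switch ($c.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFilename } }
            default                     { $null }
        }

        [pscustomobject]@{
            Filter       = $f.Name
            Query        = $f.Query            # e.g. a timer or process-start trigger
            Consumer     = $c.Name
            ConsumerType = $c.CimClass.CimClassName
            Payload      = $payload
            Executes     = ($null -ne $payload)
            # The article describes a PowerShell first stage, so call that out explicitly.
            RunsPowerShell = [bool]($payload -match 'powershell')
        }
    }
}

Get-WmiPersistence | Sort-Object Executes, RunsPowerShell -Descending | Format-List
```

Legitimate software (some management agents, for instance) also registers subscriptions, so the output is a review list rather than an alert list: anything with `Executes` set to true whose payload is not recognised deserves a closer look, and a `RunsPowerShell` hit from an unexpected binding is the pattern this article describes. The same three classes can be queried from a SIEM or EDR over a fleet to find hosts whose subscriptions differ from the known baseline.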

Researchers recommended that companies in target industries separate point-of-sale networks from those employees use, introduce cyber security awareness training for employees to help them spot phishing emails, and tune email security solutions to automatically discard malicious or suspicious attachments.

“Fin8 continues to strengthen its capabilities and malware delivery infrastructure. The highly skilled financial threat actor is known to take long breaks to refine tools and tactics to avoid detection before it strikes viable targets,” researchers said.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.