Fin8 returns with Badhatch backdoor targeting US organizations
The backdoor evades security with TLS encrypted PowerShell commands
The Fin8 hacking group has been active since January 2016 and, after a long hiatus, has returned with an updated version of its backdoor to compromise companies in the insurance, retail, technology, and chemicals industries.
The hackers have targeted victims in a range of countries, including the US, Canada, South Africa, Puerto Rico, Panama, and Italy
According to a new Bitdefender report, researchers have named the new backdoor “Sardonic” after the project that encompasses it, the loader, and some additional scripts.
Researchers said Sardonic is a project still under development and includes several components. These were identified in a real-life attack and seem to be compiled just before the attack. They warned that the backdoor is “extremely potent and has a wide range of capabilities that help the threat actor leverage new malware on the fly without updating components.”
The latest updates to the backdoor include encrypting PowerShell commands using TLS by abusing a legitimate service called sslip.io. “While the service is legitimate and widely used, the malware abuses it in an attempt at evading detection,” researchers said.
The state of ransomware in retail 2021
Insights into the current state of ransomware in the retail sectorFree download
There is a three-stage process to deploy Badhatch, a PowerShell script, a .NET loader, and downloader shellcode. Once deployed, the backdoor allows hackers to scan for victim networks, gain remote access to systems, and deploy other malicious payloads. The backdoor is deployed via social engineering or spear-phishing attacks.
There is also an updated persistence that uses the WMI event subscription mechanism to stay on victim’s systems. Fin8 has also tried to install the backdoor on Windows domain controllers in a bid to move around a victim’s network.
Researchers recommended that companies in target industries separate point-of-sale networks from those employees use, introduce cyber security awareness training for employees to help them spot phishing emails, and tune email security solutions to automatically discard malicious or suspicious attachments.
“Fin8 continues to strengthen its capabilities and malware delivery infrastructure. The highly skilled financial threat actor is known to take long breaks to refine tools and tactics to avoid detection before it strikes viable targets,” researchers said.
The definitive guide to warehouse efficiency
Get your free guide to creating efficiencies in the warehouseFree download
The total economic impact™ of Datto
Cost savings and business benefits of using Datto Integrated SolutionsDownload now
Three-step guide to modern customer experience
Support the critical role CX plays in your businessFree download
The global state of the channelDownload now