Fin8 returns with Badhatch backdoor targeting US organizations

The backdoor evades security with TLS encrypted PowerShell commands

Security researchers have discovered improvements to hacking group Fin8’s Badhatch backdoor malware that enhance its persistence on victims’ systems and improve its data collection.

The Fin8 hacking group has been active since January 2016 and, after a long hiatus, has returned with an updated version of its backdoor to compromise companies in the insurance, retail, technology, and chemicals industries.

The hackers have targeted victims in a range of countries, including the US, Canada, South Africa, Puerto Rico, Panama, and Italy.

According to a new Bitdefender report, researchers have named the new backdoor “Sardonic” after the project that encompasses it, the loader, and some additional scripts.

Researchers said Sardonic is a project still under development and includes several components. These were identified in a real-life attack and appear to have been compiled just before it. They warned that the backdoor is “extremely potent and has a wide range of capabilities that help the threat actor leverage new malware on the fly without updating components.”

The latest updates to the backdoor include encrypting PowerShell commands using TLS by abusing a legitimate service called sslip.io. “While the service is legitimate and widely used, the malware abuses it in an attempt at evading detection,” researchers said.


Badhatch is deployed in a three-stage process involving a PowerShell script, a .NET loader, and downloader shellcode. Once deployed, the backdoor allows the hackers to scan victim networks, gain remote access to systems, and deploy further malicious payloads. The backdoor is delivered via social engineering or spear-phishing attacks.

There is also an updated persistence mechanism that uses WMI event subscriptions to stay on victims’ systems. Fin8 has also tried to install the backdoor on Windows domain controllers in a bid to move laterally through a victim’s network.
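A defender-side hunting example, added here and not taken from the Bitdefender report, for the two techniques the article names: the sslip.io-based TLS channel and WMI event-subscription persistence. It runs over constructed Sysmon-style records (the field names follow Sysmon's WMI events 19/20/21 and DNS event 22, but the sample values are invented) and flags newly created WMI filters, consumers and bindings, plus DNS queries for sslip.io wildcard names.

```python
import re

# Sysmon event IDs: 19 WmiEventFilter, 20 WmiEventConsumer, 21 WmiEventConsumerToFilter, 22 DNS query.
WMI_EVENT_IDS = {19: "WmiEventFilter", 20: "WmiEventConsumer", 21: "WmiEventConsumerToFilter"}
DNS_EVENT_ID = 22

# sslip.io resolves names such as 203-0-113-10.sslip.io (or dotted 203.0.113.10.sslip.io)
# to the IP embedded in the label, which is how a TLS certificate can be tied to a bare IP.
SSLIP_RE = re.compile(r"(?:^|\.)(?:\d{1,3}[-.]){3}\d{1,3}\.sslip\.io$", re.IGNORECASE)

# Constructed sample records (not real telemetry); already parsed from JSON/EVTX.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe"},
    {"EventID": 19, "Operation": "Created", "Name": "UpdFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60"},
    {"EventID": 20, "Operation": "Created", "Name": "UpdConsumer",
     "Type": "Command Line", "Destination": "powershell.exe -enc <placeholder>"},
    {"EventID": 21, "Operation": "Created",
     "Consumer": 'CommandLineEventConsumer.Name="UpdConsumer"',
     "Filter": '__EventFilter.Name="UpdFilter"'},
    {"EventID": 22, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "QueryName": "203-0-113-10.sslip.io"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.example.com"},
]


def find_wmi_persistence(events):
    """Return (component, identifier) for every WMI subscription component created."""
    alerts = []
    for ev in events:
        kind = WMI_EVENT_IDS.get(ev.get("EventID"))
        if kind and ev.get("Operation", "").lower() == "created":
            # Events 19/20 carry Name; the binding event 21 identifies the filter instead.
            alerts.append((kind, ev.get("Name") or ev.get("Filter", "")))
    return alerts


def find_sslip_queries(events):
    """Return (process image, queried name) for DNS lookups of sslip.io wildcard names."""
    return [(ev.get("Image", ""), ev["QueryName"]) for ev in events
            if ev.get("EventID") == DNS_EVENT_ID and SSLIP_RE.search(ev.get("QueryName", ""))]


if __name__ == "__main__":
    for hit in find_wmi_persistence(SAMPLE_EVENTS) + find_sslip_queries(SAMPLE_EVENTS):
        print("ALERT", hit)
```

A filter, consumer and binding created within a short window, followed by a scripting host resolving an sslip.io name, is the combination worth paging on; either alone can be benign administration.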

Researchers recommended that companies in target industries separate point-of-sale networks from those employees use, introduce cyber security awareness training for employees to help them spot phishing emails, and tune email security solutions to automatically discard malicious or suspicious attachments.

“Fin8 continues to strengthen its capabilities and malware delivery infrastructure. The highly skilled financial threat actor is known to take long breaks to refine tools and tactics to avoid detection before it strikes viable targets,” researchers said.
