Fin8 returns with Badhatch backdoor targeting US organizations

The backdoor evades security with TLS encrypted PowerShell commands

Security researchers have discovered improvements to hacking group Fin8's Badhatch backdoor malware that enhance its persistence on victims' systems and improve its data collection.

The Fin8 hacking group has been active since January 2016 and, after a long hiatus, has returned with an updated version of its backdoor to compromise companies in the insurance, retail, technology, and chemicals industries.

The hackers have targeted victims in a range of countries, including the US, Canada, South Africa, Puerto Rico, Panama, and Italy.

According to a new Bitdefender report, researchers have named the new backdoor “Sardonic” after the project that encompasses it, the loader, and some additional scripts.

Researchers said Sardonic is a project still under development and includes several components. These were identified in a real-life attack and seem to be compiled just before the attack. They warned that the backdoor is “extremely potent and has a wide range of capabilities that help the threat actor leverage new malware on the fly without updating components.”

The latest updates to the backdoor include encrypting PowerShell commands using TLS by abusing a legitimate service called sslip.io. “While the service is legitimate and widely used, the malware abuses it in an attempt at evading detection,” researchers said.


Badhatch is deployed in a three-stage process consisting of a PowerShell script, a .NET loader, and downloader shellcode. Once deployed, the backdoor allows hackers to scan victim networks, gain remote access to systems, and deploy other malicious payloads. The initial delivery is via social engineering or spear-phishing attacks.

There is also an updated persistence mechanism that uses WMI event subscriptions to stay on victims' systems. Fin8 has also tried to install the backdoor on Windows domain controllers in a bid to move laterally through a victim's network.
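As an added example (not from the Bitdefender report), the following PowerShell audits the permanent WMI event subscriptions that persistence of this kind relies on, so an analyst can review filters, consumers and bindings on a host. The list of expected benign subscription names is an assumption and should be adjusted per environment.

```powershell
# Added example: enumerate permanent WMI event subscriptions for review.
# Persistence via WMI needs three objects in root/subscription: an __EventFilter
# (the trigger query), an __EventConsumer (the action) and a
# __FilterToConsumerBinding that joins them. Listing the bindings shows every
# trigger/action pair currently armed on the host.
$ns = 'root/subscription'

# Assumption: names considered expected on a default Windows install; tune per environment.
$knownBenign = @('SCM Event Log Filter', 'SCM Event Log Consumer')

$bindings = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

foreach ($b in $bindings) {
    # Filter and Consumer are references; resolve them to the full objects.
    $filterName   = $b.Filter.Name
    $consumerName = $b.Consumer.Name

    $filter   = Get-CimInstance -Namespace $ns -ClassName __EventFilter |
                Where-Object { $_.Name -eq $filterName }
    $consumer = Get-CimInstance -Namespace $ns -ClassName __EventConsumer |
                Where-Object { $_.Name -eq $consumerName }

    # Consumers that run arbitrary commands or scripts deserve the closest look.
    $action = switch ($consumer.CimClass.CimClassName) {
        'CommandLineEventConsumer' { $consumer.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $consumer.ScriptText }
        default                     { '(non-executing consumer type)' }
    }

    $suspicious = ($filterName -notin $knownBenign) -or ($consumerName -notin $knownBenign)

    [pscustomobject]@{
        Filter        = $filterName
        TriggerQuery  = $filter.Query
        Consumer      = $consumerName
        ConsumerClass = $consumer.CimClass.CimClassName
        Action        = $action
        ReviewNeeded  = $suspicious
    }
}
```

Run it with administrative rights; any binding marked ReviewNeeded whose Action launches PowerShell or a script engine should be compared against change records before it is removed.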

Researchers recommended that companies in target industries separate point-of-sale networks from those employees use, introduce cyber security awareness training for employees to help them spot phishing emails, and tune email security solutions to automatically discard malicious or suspicious attachments.

“Fin8 continues to strengthen its capabilities and malware delivery infrastructure. The highly skilled financial threat actor is known to take long breaks to refine tools and tactics to avoid detection before it strikes viable targets,” researchers said.
