Threat actors notorious for their discreet operations often take extended breaks to avoid detection and continuously enhance their toolkit to slip under the radar of various cybersecurity protections. One such group, known as FIN8, is back in operation after a year-and-a-half hiatus, armed with an advanced backdoor that boasts upgraded functionalities, including screen capturing, proxy tunneling, credential theft, and fileless execution.
First identified in 2016 by FireEye, FIN8 has targeted the retail, hospitality, and entertainment sectors. The group utilizes a diverse range of tactics, such as spear-phishing and malicious tools—including PUNCHTRACK and BADHATCH—to exfiltrate payment card information from point-of-sale (PoS) systems.
Bitdefender researchers reported that the FIN8 group is recognized for its strategic pauses, allowing them to refine their TTPs and enhance their success rates. They noted that the BADHATCH malware is a highly sophisticated backdoor utilizing various evasion techniques. Notably, the latest iteration attempts to evade security measures by employing TLS encryption to obscure its PowerShell commands.
Since its discovery in 2019, BADHATCH has been deployed as an implant capable of executing commands received from remote servers. In addition to running attacker-provided instructions, it can inject malicious DLLs into running processes, gather system information, and exfiltrate data to its command-and-control server. Researchers have identified multiple variants of the BADHATCH backdoor since April 2020, noting that the latest version abuses a legitimate service, sslip.io, to facilitate its operations while circumventing detection.
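Because sslip.io, like other wildcard-DNS services, resolves a hostname to the IPv4 address spelled out in the hostname itself, outbound requests to hostnames of that shape are a cheap thing to hunt for in proxy or DNS logs. The following Python is an added example, not code from the article or from Bitdefender's report; the log lines are constructed, the `<client> <method> <host> <path>` layout and the function names are assumptions, and it also covers nip.io, a comparable service the article does not mention.

```python
import ipaddress
import re
# Wildcard-DNS services that resolve a hostname to the IPv4 address embedded in it.
# sslip.io is named in the article; nip.io is a comparable service added here as an
# assumption and is not mentioned in the article.
IP_DNS_SUFFIXES = ("sslip.io", "nip.io")

# A dotted or dashed IPv4 address directly before one of the suffixes, with any
# leading labels allowed, e.g. 203-0-113-7.sslip.io or api.203.0.113.9.nip.io.
_EMBEDDED_IP = re.compile(
    r"(?:^|[.-])(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})\.("
    + "|".join(re.escape(s) for s in IP_DNS_SUFFIXES) + r")$"
)

def embedded_ip(hostname: str):
    """Return the IPv4 address encoded in an sslip.io-style hostname, else None."""
    match = _EMBEDDED_IP.search(hostname.strip().rstrip(".").lower())
    if not match:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(match.group(i) for i in range(1, 5))))
    except ipaddress.AddressValueError:  # octet out of range, e.g. 999-1-1-1.sslip.io
        return None

def flag_ip_embedded_hostnames(log_lines):
    """Return (client, host, embedded_ip) for each proxy log line whose destination
    host embeds an IP. Assumed (hypothetical) layout: "<client_ip> <method> <host> <path>"."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, host = parts[0], parts[2].lower()
        ip = embedded_ip(host)
        if ip:
            hits.append((client, host, ip))
    return hits

# Constructed sample proxy log, not real telemetry.
SAMPLE_PROXY_LOG = [
    "10.0.0.5 GET www.example.com /index.html",
    "10.0.0.5 POST 203-0-113-7.sslip.io /update",
    "10.0.0.9 GET api.203.0.113.9.nip.io /v1/status",
    "10.0.0.9 GET 999-1-1-1.sslip.io /",
]
if __name__ == "__main__":
    for client, host, ip in flag_ip_embedded_hostnames(SAMPLE_PROXY_LOG):
        print(f"{client} -> {host} (embeds {ip})")
```

A hit is a triage lead, not proof of BADHATCH: developers use these services legitimately, so pair it with process and user context before acting.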
This latest iteration achieves persistence through its PowerShell script, which also handles privilege escalation to run commands at the SYSTEM level post-execution. Additionally, FIN8 employs techniques that masquerade communications with the command-and-control server as legitimate HTTP requests, significantly complicating detection efforts.
According to Bitdefender, the recent attacks attributed to FIN8 have targeted a range of sectors, including insurance, retail, technology, and chemicals, affecting countries such as the U.S., Canada, South Africa, Puerto Rico, Panama, and Italy. With their continued evolution, FIN8 operators remain adept at refining their tools and strategies to elude detection, underscoring the necessity for organizations to compartmentalize their networks and rigorously filter emails that may contain malicious content.