FIN8 Resurfaces with Revamped Backdoor Malware

The financial cyber-gang is running limited attacks ahead of broader offensives on point-of-sale systems.

The FIN8 cyberattack group has resurfaced after a period of relative quiet, researchers have found. The gang is using new versions of the BadHatch backdoor to compromise companies in the chemical, insurance, retail and technology industries.

The attacks have been seen hitting organizations around the world, mainly in Canada, Italy, Panama, Puerto Rico, South Africa and the United States, according to an analysis from Bitdefender this week.

FIN8 is a financially motivated threat group whose typical mode of attack has been to steal payment-card data from point-of-sale (PoS) environments, particularly those of retailers, restaurants and the hotel industry. The group has been active since at least 2016, but its activity is characterized by periods of dormancy.

In this case, the last time FIN8 hit targets was mid-2019, according to Bogdan Botezatu, director of threat research at Bitdefender.

“They have been dormant for 18 months (they made big splashes in 2017 and 2019), although they have been running tests on small pools of targets,” he told Threatpost.

FIN8 Tests Waters with Limited Attacks

So far, Bitdefender has identified specific attacks on seven targets while monitoring the command-center infrastructure used in previous FIN8 attacks.

“While this may sound diminutive, FIN8 is known to get back in business with small tests on a limited pool of victims before they go broad,” Botezatu told Threatpost. “This is a mechanism to validate security on a small subset before moving attacks to production.”

There have been other observed pockets of limited testing in 2020, he added.

This pilot-program approach usually stems from the group refining or adding to its weapons arsenal. And indeed, the latest wave of activity features a new version of the BadHatch backdoor.

Over the course of 2020 and this year, there have been three different “limited release” campaigns using revamped versions of BadHatch.

“The move from the legacy versions 2.12 to current version 2.14 started in mid-2020 (version 2.14 was deployed during Christmas 2020),” Botezatu said.

The Evolving BadHatch Malware

BadHatch is a custom FIN8 malware that was also used in the 2019 attacks. It has now been souped up, with marked improvements in persistence, encryption, information-gathering and the ability to perform lateral movement, according to a Bitdefender analysis released on Wednesday.

The latest backdoor version (v. 2.14), for instance, abuses sslip.io – a service that provides free IP-to-domain mapping to make SSL certificate generation easier. BadHatch is using the encryption to conceal PowerShell commands while in transit. While the service is legitimate and widely used, the malware abuses it in an attempt at evading detection, according to Botezatu.

“This prevents security and some monitoring solutions from identifying and blocking PowerShell scripts during delivery from the command-and-control server (C2),” he told Threatpost. “This is particularly important in achieving stealth and, to a larger degree, persistence.”
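A defender-side hunt for the sslip.io pattern described above, added here as an example and not taken from Bitdefender's analysis or the original article: it scans DNS query logs for sslip.io names, decodes the embedded IPv4 address and reports clients that reached external addresses this way. The log format, sample lines and function names are constructed assumptions, and only the dotted and dashed IPv4 name forms are handled.

```python
import ipaddress
import re
from collections import defaultdict

# sslip.io resolves a name that embeds an IP address to that address,
# e.g. 203-0-113-10.sslip.io or www.203.0.113.10.sslip.io.
SSLIP_RE = re.compile(
    r"(?:^|[.-])((?:\d{1,3}[.-]){3}\d{1,3})\.sslip\.io\.?$", re.IGNORECASE)

# Internal ranges: names that embed these are typical developer use.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def embedded_ip(hostname):
    """Return the IPv4 address embedded in an sslip.io name, or None."""
    m = SSLIP_RE.search(hostname.strip())
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1).replace("-", "."))
    except ValueError:  # e.g. an octet above 255
        return None

def hunt(log_lines):
    """Map each client to the external IPs it looked up via sslip.io.

    Assumed (constructed) log format: '<timestamp> <client> <queried-name>'.
    """
    hits = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _, client, name = parts
        ip = embedded_ip(name)
        if ip is not None and not any(ip in net for net in INTERNAL):
            hits[client].add(str(ip))
    return {client: sorted(ips) for client, ips in hits.items()}

# Constructed sample log; the addresses are documentation ranges.
SAMPLE_LOG = [
    "2021-03-10T09:14:02Z 10.20.1.15 203-0-113-10.sslip.io",
    "2021-03-10T09:14:05Z 10.20.1.15 www.example.com",
    "2021-03-10T09:15:40Z 10.20.1.22 app.192.168.56.4.sslip.io",
    "2021-03-10T09:16:11Z 10.20.1.15 cdn.198.51.100.7.sslip.io.",
]

if __name__ == "__main__":
    for client, ips in hunt(SAMPLE_LOG).items():
        print(client, "->", ", ".join(ips))
```

Because the service is legitimate and widely used, a hit is a lead to correlate with the querying process (for example PowerShell) and host role, not a verdict on its own.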

The malware has added to its snooping capabilities too: it can now learn more about the victim’s network by grabbing screenshots, for instance, which ultimately makes lateral movement within an organization’s environment easier.

“The lateral movement part is critical, as it targets POS networks,” explained Botezatu. “This is because the malware is usually delivered via malicious attachments. The target victim can be anyone on the network and the malware has to jump from one endpoint to another until it reaches the real targets on the network – POS devices.”

The latest BadHatch version also allows file downloads, which could pave the way for different kinds of attacks in the future, beyond harvesting credit-card data.

“BadHatch has always been correlated with POS attacks, but it has extended backdoor capabilities that let operators perform lateral movement and also has the ability to download additional payloads from specified locations,” Botezatu said. “These payloads can play multiple roles, depending on the attackers’ agenda.”

Like most persistent and skilled cybercrime actors, FIN8 operators are constantly refining their tools and tactics – but they do fall into predictable rhythms. The latest activity is an indication to expect wider attacks soon, according to the researcher.

“FIN8 are the apex predators of the financial fraud ecosystem,” Botezatu said. “They take long breaks to perfect their tools and invest significant resources in circumventing traditional security situations. They are extremely focused on ‘living off the land’ attacks and only start targeting victims after they have battle-tested their tools.”
