Fin8 returns with Badhatch backdoor targeting US organizations

The backdoor evades detection with TLS-encrypted PowerShell commands

Security researchers have discovered improvements to hacking group Fin8's Badhatch backdoor malware that enhance its persistence on victims' systems and improve its data collection.

The Fin8 hacking group has been active since January 2016 and, after a long hiatus, has returned with an updated version of its backdoor to compromise companies in the insurance, retail, technology, and chemicals industries.

The hackers have targeted victims in a range of countries, including the US, Canada, South Africa, Puerto Rico, Panama, and Italy.

According to a new Bitdefender report, researchers have named the new backdoor “Sardonic” after the project that encompasses it, the loader, and some additional scripts.

Researchers said Sardonic is a project still under development and includes several components. These were identified in a real-life attack and appear to have been compiled just before it. They warned that the backdoor is "extremely potent and has a wide range of capabilities that help the threat actor leverage new malware on the fly without updating components."

The latest updates to the backdoor include wrapping its PowerShell commands in TLS, abusing a legitimate service called sslip.io to do so. "While the service is legitimate and widely used, the malware abuses it in an attempt at evading detection," researchers said.
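Because the commands travel inside TLS, the payload itself is not inspectable on the wire, which leaves DNS as the visible point. sslip.io answers a hostname that embeds an address (for example 203-0-113-45.sslip.io, or the dotted form 203.0.113.45.sslip.io) with that address as its A record, so the name queried reveals the real destination. As an added example, not code from the article or from Bitdefender's report, the PowerShell below runs over constructed DNS query log lines, extracts every sslip.io lookup, recovers the embedded IP, and reports destinations that are not on a defender-maintained allowlist. The log format (timestamp, client, keyword, query name), the sample lines and the allowlist are assumptions for the example; adjust the parsing to your resolver's log layout.

```powershell
# Added example (not from the page or Bitdefender): hunt DNS query logs for
# sslip.io lookups and recover the IP address each hostname encodes.
# sslip.io resolves a-b-c-d.sslip.io (or a.b.c.d.sslip.io, with optional
# prefix labels) to a.b.c.d, so the hostname reveals the true destination.
# The log lines below are constructed for this example; the field layout
# (timestamp, client, keyword, query name) is an assumption.
$sampleDnsLog = @'
2021-03-10T09:12:01Z 10.0.5.23 QUERY www.microsoft.com
2021-03-10T09:12:07Z 10.0.5.23 QUERY 203-0-113-45.sslip.io
2021-03-10T09:14:33Z 10.0.7.19 QUERY updates.198.51.100.7.sslip.io
2021-03-10T09:15:02Z 10.0.5.23 QUERY 203-0-113-45.sslip.io
2021-03-10T09:16:40Z 10.0.9.4  QUERY portal.example.com
'@ -split "`n"

# Matches "a-b-c-d.sslip.io" and "a.b.c.d.sslip.io", with or without a prefix label.
$sslipPattern = '(?:^|\.)(\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.](\d{1,3})\.sslip\.io$'

# Destinations the defender already knows about (assumption for the example).
# sslip.io itself is legitimate, so the decision rests on the embedded address.
$allowedDestinations = @('198.51.100.7')

$hits = foreach ($line in $sampleDnsLog) {
    $fields = $line.Trim() -split '\s+'
    if ($fields.Count -lt 4) { continue }
    $qname = $fields[3]
    if ($qname -match $sslipPattern) {
        $embeddedIp = '{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4]
        [pscustomobject]@{
            Time      = $fields[0]
            Client    = $fields[1]
            QueryName = $qname
            Resolves  = $embeddedIp
            Allowed   = $allowedDestinations -contains $embeddedIp
        }
    }
}

# Group by embedded destination so one host queried repeatedly is a single finding,
# and list the internal clients that asked for it.
$findings = $hits | Where-Object { -not $_.Allowed } |
    Group-Object Resolves |
    ForEach-Object {
        [pscustomobject]@{
            Destination = $_.Name
            Lookups     = $_.Count
            Clients     = ($_.Group.Client | Sort-Object -Unique) -join ','
        }
    }

$findings | Format-Table -AutoSize
```

On the sample above the only finding is 203.0.113.45, queried twice by 10.0.5.23; the 198.51.100.7 lookup is suppressed by the allowlist. Presence of sslip.io in DNS logs is not malicious on its own, so the useful output is the decoded destination, which can then be checked against threat intelligence or the organisation's own hosts.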


Badhatch is deployed in three stages: a PowerShell script, a .NET loader, and downloader shellcode. Once deployed, the backdoor lets the attackers scan victim networks, gain remote access to systems, and deploy further malicious payloads. Initial access is gained through social engineering or spear-phishing attacks.

Persistence has also been updated: the backdoor now uses the WMI event subscription mechanism to remain on victims' systems. Fin8 has also tried to install the backdoor on Windows domain controllers in a bid to move laterally across a victim's network.
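A permanent WMI event subscription consists of three objects in the root/subscription namespace: an __EventFilter (the WQL trigger, such as a timer or a process start), an __EventConsumer subclass (what runs when it fires, for example CommandLineEventConsumer or ActiveScriptEventConsumer), and a __FilterToConsumerBinding joining them. As an added example, not code from the article or from Bitdefender's report, the PowerShell below enumerates every binding on a host, resolves it to its filter and consumer, and flags the shapes abused for persistence: consumers that execute attacker-supplied content, payloads containing common loader strings, and anything not bound to the filter Windows ships by default. The indicator list and the default-filter name check are assumptions to tune, not a signature.

```powershell
# Added example (not from the page or Bitdefender): list permanent WMI event
# subscriptions and flag persistence-shaped ones. Run from an elevated shell.
$ns = 'root/subscription'

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # abstract class: returns every consumer subclass
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Consumer classes that run attacker-supplied content, and strings that often
# appear in their payloads (assumption: extend for your environment).
$executingConsumers = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
$suspiciousContent  = 'powershell', '-enc', '-e ', 'frombase64string', 'downloadstring',
                      'iex', 'invoke-expression', 'rundll32', 'regsvr32', 'mshta', 'wscript', 'cscript'

# Binding reference properties come back as CimInstance objects from Get-CimInstance,
# but as strings like __EventFilter.Name="x" from older tooling; handle both.
function Get-RefName($ref) {
    if ($ref -is [string]) {
        if ($ref -match 'Name="(.+)"') { $Matches[1] } else { $ref }
    } else {
        $ref.Name
    }
}

foreach ($b in $bindings) {
    $filterName   = Get-RefName $b.Filter
    $consumerName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object { $_.Name -eq $filterName }   | Select-Object -First 1
    $c = $consumers | Where-Object { $_.Name -eq $consumerName } | Select-Object -First 1
    $consumerType = if ($c) { $c.CimClass.CimClassName } else { '(dangling)' }

    # Pull the executable content for the two consumer types that carry it.
    $payload = switch ($consumerType) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $c.ScriptText }
        default                     { '' }
    }

    $reasons = @()
    if ($executingConsumers -contains $consumerType) { $reasons += 'executing consumer' }
    foreach ($s in $suspiciousContent) {
        if ($payload -and $payload.ToLower().Contains($s)) { $reasons += "payload contains '$s'"; break }
    }
    # Windows ships one subscription by default: 'SCM Event Log Filter' bound to
    # the NTEventLogEventConsumer 'SCM Event Log Consumer'. Anything else gets reviewed.
    if ($filterName -ne 'SCM Event Log Filter') { $reasons += 'non-default filter' }

    [pscustomobject]@{
        Filter       = $filterName
        Query        = if ($f) { $f.Query } else { $null }
        Consumer     = $consumerName
        ConsumerType = $consumerType
        Payload      = $payload
        Flags        = ($reasons -join '; ')
    }
}
```

Read the Query column as carefully as the payload: filters keyed to Win32_PerfFormattedData counters (timers), Win32_ProcessStartTrace, or logon and boot events are the usual triggers. For detection after the fact rather than a point-in-time sweep, Sysmon records filter, consumer and binding creation as Event IDs 19, 20 and 21, and the Microsoft-Windows-WMI-Activity/Operational log records new permanent subscriptions as Event ID 5861 on current Windows versions.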

Researchers recommended that companies in the targeted industries separate point-of-sale networks from the networks employees use, introduce cyber security awareness training so staff can spot phishing emails, and tune email security solutions to automatically discard malicious or suspicious attachments.

“Fin8 continues to strengthen its capabilities and malware delivery infrastructure. The highly skilled financial threat actor is known to take long breaks to refine tools and tactics to avoid detection before it strikes viable targets,” researchers said.
