FIN8 Starts to Use New Malware After Returning to Business

Delaware, USA – July 24, 2019 – The financially motivated cybergang has returned after a two-year absence with a new backdoor and is actively attacking targets in the hospitality and retail sectors. The FIN8 group, which appeared in early 2016, uses backdoors to gain access to the victims’ network and to install POS-malware on key systems. This summer, after a long break, the attackers resumed their attacks, adding to their arsenal never-seen-before malware discovered and analyzed by Gigamon security company. Badhatch is a new reverse shell that is used by attackers for reconnaissance and installing additional malware. Unlike the other tools of the group, it does not use sandbox evasion techniques, and that can indicate that malware is deployed after the initial compromise when there is no need to check the environment. Typically, during an attack, FIN8 installs several backdoors that receive instructions from different command-and-control servers using different communications channels. Badhatch has a number of similar features with another tool of the group, Punchbuggy malware, but it has some new features, such as the ability to inject into explorer.exe or svchost.exe, the start interactive shell, and download files to a user-supplied path. Also, attackers can add new features to Badhatch in the next versions.

Hundreds of organizations around the world suffered from the attacks of FIN8, and the group continues to evolve. In the light of the enormous fines for violating the General Data Protection Regulation, the group poses a threat to companies no less than the frequent attacks of Magecart groups on web resources. You can study the known techniques of the group in the Threat Detection Marketplace: https://tdm.socprime.com/att-ck/