
FIN8 Returns with BADHATCH Malware

Cyber crime organisation FIN8 has evolved the techniques it uses to steal consumers' credit card information.

FIN8 was first identified in 2016 for its spear-phishing activity, which targeted over 150 organisations in financially motivated attacks. Following a period of relative dormancy, the group has recently begun using its own variant of ShellTea, an attack designed to install Point of Sale (PoS) malware at hospitality companies.

Research from cyber security firm Gigamon has uncovered FIN8’s new BADHATCH reverse-shell malware, which infects a network via a more traditional phishing attack. Once on a system, BADHATCH uses its file-transfer functionality to let FIN8 deploy further tooling, such as the aforementioned ShellTea, in order to steal consumers' payment information.

“On startup, and every 5 minutes thereafter, the sample beacons to a hardcoded command and control (C2) IP (149.28.203[.]102) using TLS encryption, and sends a host identification string derived from several system configuration details and formatted as %08X-%08X-%08X-%08X-%08X-SH. Only the one hardcoded IP address and no C2 domains were observed,” the report said.
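The two observable traits in that quote, a fixed five-minute beacon to one IP and a host ID of the form %08X-%08X-%08X-%08X-%08X-SH, are things a defender can hunt for. The following is an added example, not code from the article or from Gigamon's report: it runs a simple periodicity check over a constructed connection log and validates candidate host-ID strings recovered from memory or sandbox output (the beacon itself is TLS, so the ID is not visible on the wire). The log format, the 5-second tolerance and the minimum of four hits are assumptions chosen for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample connection log: "timestamp src dst dport" per line.
# The C2 IP is the one quoted in the report; the other destination is benign filler.
SAMPLE_LOG = """\
2019-07-01T10:00:02Z 10.0.0.15 149.28.203.102 443
2019-07-01T10:00:40Z 10.0.0.15 93.184.216.34 443
2019-07-01T10:05:01Z 10.0.0.15 149.28.203.102 443
2019-07-01T10:07:13Z 10.0.0.15 93.184.216.34 443
2019-07-01T10:10:03Z 10.0.0.15 149.28.203.102 443
2019-07-01T10:15:02Z 10.0.0.15 149.28.203.102 443
2019-07-01T10:16:55Z 10.0.0.15 93.184.216.34 443
2019-07-01T10:20:01Z 10.0.0.15 149.28.203.102 443
"""

# %08X is eight zero-padded upper-case hex digits; five groups, each followed
# by "-", then the literal suffix "SH".
HOST_ID_RE = re.compile(r"^(?:[0-9A-F]{8}-){5}SH$")


def is_badhatch_host_id(candidate):
    """True if a recovered string matches the reported host-ID layout."""
    return bool(HOST_ID_RE.match(candidate))


def find_beacons(log_text, period=300, tolerance=5, min_hits=4):
    """Return (src, dst, dport) tuples whose connections recur every ~period seconds."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, dport = line.split()
        times[(src, dst, int(dport))].append(
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    hits = []
    for key, stamps in times.items():
        if len(stamps) < min_hits:        # too few samples to call it periodic
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Regular interval near the expected period with little jitter.
        if (abs(statistics.median(gaps) - period) <= tolerance
                and statistics.pstdev(gaps) <= tolerance):
            hits.append(key)
    return hits


if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))  # [('10.0.0.15', '149.28.203.102', 443)]
```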

Indicators of Compromise


Jason Davies

I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional with an interest in computer security and telecoms.
