Researchers investigating FIN8 have shared their findings on a new reverse shell malware program that the cybercriminal group uses to establish command-and-control communications with infected machines. Additionally, they have released details on recently uncovered variants of the threat actor’s ShellTea backdoor implant and PoSlurp point-of-sale malware.
FIN8 burst back on the scene last month when Morphisec disclosed its discovery of a new ShellTea variant distributed by the financially-motivated group. Today, Gigamon’s Applied Threat Research team has followed up with its own blog post and research report describing FIN8’s evolving toolsets.
For starters, says Gigamon, the group has unleashed BADHATCH, a reverse shell malware that has drawn comparisons to the PowerSniff/PUNCHBUGGY fileless downloader. According to the researchers, BADHATCH’s first stage loads an embedded, second-stage DLL into memory. When this DLL is executed it is injected into a svchost.exe proecss or explorer.exe. It then begins beaconing to a hard-coded C2 IP using TLS encryption, sending over a host identification string as well as details on the infection machine’s OS version and bitness. Next, a cmd.exe process is launched for the purpose of command execution. Available commands includee uploading and downloading, as well as termination of processes.
The Gigamon blog post continues: “BADHATCH uses the Windows IO Completion Port APIs and low-level encryption APIs from the Security Support Provider Interface to implement an asynchronous TLS-wrapped TCP/IP channel. As a side effect of this implementation, port 3885 will be opened and bound on localhost. The malware connects back to itself on this port and uses this as a loopback transmission channel in the course of encrypting and transferring data between threads.”
Gigamon says the attackers were observed abusing the Windows Management Instrumentation Command-line utility (WMIC) to deliver the initial PowerShell script that commenced the BADHATCH infection.
BADHATCH can used in conjunction with the aforementioned ShellTea backdoor and PoSlurp POS malware variants, which Gigamon refers to as ShellTea.B and PoSlurp.B. The researchers detail the differences between the variants and their original predecessors in their blog post and report.