Researchers investigating FIN8 have shared their findings on a new reverse shell malware program that the cybercriminal group uses to establish command-and-control communications with infected machines. Additionally, they have released details on recently uncovered variants of the threat actor's ShellTea backdoor implant and PoSlurp point-of-sale malware.

FIN8 burst back on the scene last month when Morphisec disclosed its discovery of a new ShellTea variant distributed by the financially-motivated group. Today, Gigamon's Applied Threat Research team has followed up with its own blog post and research report describing FIN8's evolving toolsets.

For starters, says Gigamon, the group has unleashed BADHATCH, a reverse shell malware that has drawn comparisons to the PowerSniff/PUNCHBUGGY fileless downloader. According to the researchers, BADHATCH's first stage loads an embedded, second-stage DLL into memory. When this DLL is executed it is injected into a svchost.exe proecss or explorer.exe. It then begins beaconing to a hard-coded C2 IP using TLS encryption, sending over a host identification string as well as details on the infection machine's OS version and bitness. Next, a cmd.exe process is launched for the purpose of command execution. Available commands includee uploading and downloading, as well as termination of processes.

Please register to continue.

Already registered? Log in.

Once you register, you'll receive:

  • News analysis

    The context and insight you need to stay abreast of the most important developments in cybersecurity. CISO and practitioner perspectives; strategy and tactics; solutions and innovation; policy and regulation.

  • Archives

    Unlimited access to nearly 20 years of SC Media industry analysis and news-you-can-use.

  • Daily Newswire

    SC Media’s essential morning briefing for cybersecurity professionals.

  • Learning Express

    One-click access to our extensive program of virtual events, with convenient calendar reminders and ability to earn CISSP credits.