
FIN8 actors’ recent activity buoyed by new malware toolset: report

Researchers investigating FIN8 have shared their findings on a new reverse shell malware program that the cybercriminal group uses to establish command-and-control communications with infected machines. Additionally, they have released details on recently uncovered variants of the threat actor's ShellTea backdoor implant and PoSlurp point-of-sale malware.

FIN8 burst back on the scene last month when Morphisec disclosed its discovery of a new ShellTea variant distributed by the financially-motivated group. Today, Gigamon's Applied Threat Research team has followed up with its own blog post and research report describing FIN8's evolving toolsets.

For starters, says Gigamon, the group has unleashed BADHATCH, a reverse shell malware that has drawn comparisons to the PowerSniff/PUNCHBUGGY fileless downloader. According to the researchers, BADHATCH's first stage loads an embedded, second-stage DLL into memory. When this DLL is executed, it is injected into a svchost.exe or explorer.exe process. It then begins beaconing to a hard-coded C2 IP address over a TLS-encrypted connection, sending a host identification string along with the infected machine's OS version and bitness. Next, a cmd.exe process is launched for command execution. Available commands include uploading and downloading, as well as terminating processes.

The Gigamon blog post continues: "BADHATCH uses the Windows IO Completion Port APIs and low-level encryption APIs from the Security Support Provider Interface to implement an asynchronous TLS-wrapped TCP/IP channel. As a side effect of this implementation, port 3885 will be opened and bound on localhost. The malware connects back to itself on this port and uses this as a loopback transmission channel in the course of encrypting and transferring data between threads."
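The loopback behaviour quoted above is a useful hunting signal: a process that both listens on and connects to 127.0.0.1:3885 while also holding an outbound TLS connection. The following is an added detection example, not code from the article or from Gigamon; the event record format is a constructed, simplified Sysmon-style layout, and the "internal" address ranges are assumptions for the sample network.

```python
"""Heuristic for the BADHATCH loopback pattern: a single process acting as
both client and server on 127.0.0.1:3885, plus an outbound connection.
Added example; event field names and address ranges are assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOOPBACK_PORT = 3885  # port named in the Gigamon write-up

# Assumed internal ranges for the sample network; anything else is "external".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]

# Constructed sample network events (pid, image, src, dst, initiated by pid?).
SAMPLE_EVENTS = [
    {"pid": 1204, "image": "C:\\Windows\\explorer.exe",
     "src": "127.0.0.1:49712", "dst": "127.0.0.1:3885", "initiated": True},
    {"pid": 1204, "image": "C:\\Windows\\explorer.exe",
     "src": "127.0.0.1:3885", "dst": "127.0.0.1:49712", "initiated": False},
    {"pid": 1204, "image": "C:\\Windows\\explorer.exe",
     "src": "10.0.0.15:49713", "dst": "203.0.113.7:443", "initiated": True},
    {"pid": 2388, "image": "C:\\Program Files\\App\\app.exe",
     "src": "127.0.0.1:50001", "dst": "127.0.0.1:3885", "initiated": True},
    {"pid": 3001, "image": "C:\\Windows\\System32\\svchost.exe",
     "src": "10.0.0.15:49800", "dst": "10.0.0.2:445", "initiated": True},
]


def _split(addr):
    host, port = addr.rsplit(":", 1)
    return ip_address(host), int(port)


def _is_external(ip):
    return not any(ip in net for net in INTERNAL_NETS)


def find_badhatch_candidates(events, port=LOOPBACK_PORT):
    """Return pids that (a) are seen as both client and server on the loopback
    port and (b) also initiate a connection to an external address.
    (a) alone is a weak signal, since benign software also self-connects."""
    loopback_roles = defaultdict(set)  # pid -> {"client", "server"}
    external_pids = set()
    for ev in events:
        src_ip, src_port = _split(ev["src"])
        dst_ip, dst_port = _split(ev["dst"])
        if ev["initiated"] and dst_ip.is_loopback and dst_port == port:
            loopback_roles[ev["pid"]].add("client")
        elif not ev["initiated"] and src_ip.is_loopback and src_port == port:
            loopback_roles[ev["pid"]].add("server")
        elif ev["initiated"] and _is_external(dst_ip):
            external_pids.add(ev["pid"])
    return sorted(pid for pid, roles in loopback_roles.items()
                  if roles == {"client", "server"} and pid in external_pids)
```

Run over the constructed events, only pid 1204 (the explorer.exe instance) is flagged; the app.exe process that merely connects to the port is not.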

Gigamon says the attackers were observed abusing the Windows Management Instrumentation Command-line utility (WMIC) to deliver the initial PowerShell script that commenced the BADHATCH infection.

BADHATCH can be used in conjunction with the aforementioned ShellTea backdoor and PoSlurp POS malware variants, which Gigamon refers to as ShellTea.B and PoSlurp.B. The researchers detail the differences between these variants and their predecessors in their blog post and report.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
