News

FIN8 gang uses new Badhatch malware to steal card data

The cybercriminal group FIN8 conducts malicious campaigns on a regular basis. Its main objective is stealing credit card data.

The hackers use a new malicious program developed for attacks on POS terminals.

The group is strongly financially motivated.

Gigamon's researchers have now discovered the Badhatch malware, which had not been observed anywhere before. FIN8 has used this program in its recent operations.

Badhatch is responsible for the initial phase of the attack: its task is to reconnoiter the victim's network.

“BADHATCH’s first stage loads an embedded, second-stage DLL into memory. When this DLL is executed it is injected into a svchost.exe process or explorer.exe. It then begins beaconing to a hard-coded C2 IP using TLS encryption, sending over a host identification string as well as details on the infected machine’s OS version and bitness,” Gigamon's researchers say.
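The behaviour quoted above (a DLL injected into svchost.exe or explorer.exe that beacons to a single hard-coded IP over TLS) leaves a signal a defender can hunt for: a Windows host process opening outbound connections to one external address at nearly fixed intervals. The script below is an added example written for this article, not Gigamon's code and not part of the original report. It assumes a simplified, constructed network-connection log (timestamp, process image, destination IP, destination port, one event per line) and flags flows from svchost.exe or explorer.exe whose connection intervals show very little jitter. The IP 203.0.113.7 is from the TEST-NET-3 documentation range, not a real C2 address.

```python
"""
Periodic-beacon detector for injected host processes.

Added example, not code from the article or from Gigamon. The sample log
is constructed; the destination 203.0.113.7 is a documentation-range IP.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample log: timestamp|image|dst_ip|dst_port
SAMPLE_LOG = """\
2019-03-07T10:00:00|C:\\Windows\\System32\\svchost.exe|203.0.113.7|443
2019-03-07T10:00:03|C:\\Windows\\explorer.exe|192.168.1.10|445
2019-03-07T10:05:01|C:\\Windows\\System32\\svchost.exe|203.0.113.7|443
2019-03-07T10:07:30|C:\\Program Files\\Browser\\browser.exe|198.51.100.20|443
2019-03-07T10:10:00|C:\\Windows\\System32\\svchost.exe|203.0.113.7|443
2019-03-07T10:12:15|C:\\Program Files\\Browser\\browser.exe|198.51.100.21|443
2019-03-07T10:14:59|C:\\Windows\\System32\\svchost.exe|203.0.113.7|443
2019-03-07T10:20:02|C:\\Windows\\System32\\svchost.exe|203.0.113.7|443
"""

# Processes the article names as injection hosts.
HOST_PROCESSES = {"svchost.exe", "explorer.exe"}

# Internal ranges to ignore. Listed explicitly rather than via
# ip_address(...).is_global, because Python also treats the
# documentation ranges used in this sample as non-global.
LOCAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_log(text):
    """Parse the pipe-separated log into (datetime, image, dst_ip, dst_port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, image, dst_ip, dst_port = line.split("|")
        events.append((datetime.fromisoformat(ts), image, dst_ip, int(dst_port)))
    return events


def is_internal(dst_ip):
    addr = ip_address(dst_ip)
    return any(addr in net for net in LOCAL_NETS)


def find_beacons(events, min_connections=4, max_jitter_ratio=0.1):
    """Return (process, dst_ip, port, mean_interval_seconds) for flows that look like beacons.

    A flow is flagged when a host process contacts one external IP:port at least
    min_connections times and the standard deviation of the gaps between
    connections is at most max_jitter_ratio of the mean gap.
    """
    flows = defaultdict(list)
    for ts, image, dst_ip, dst_port in events:
        name = image.rsplit("\\", 1)[-1].lower()
        if name not in HOST_PROCESSES or is_internal(dst_ip):
            continue
        flows[(name, dst_ip, dst_port)].append(ts)

    hits = []
    for key, times in flows.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            hits.append((*key, round(avg, 1)))
    return hits


if __name__ == "__main__":
    for proc, ip, port, interval in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {proc} -> {ip}:{port} every ~{interval}s")
```

On the constructed log the only flagged flow is svchost.exe to 203.0.113.7:443 with a mean interval of about 300 seconds; the explorer.exe connection to an internal SMB host and the browser's varied destinations are ignored. Real C2 implants often add deliberate jitter, so in production the jitter threshold and minimum connection count should be tuned against the environment's baseline rather than taken from this example.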

It can also install the PoSlurp program, designed to intercept payment card data passing through POS terminals.


Gigamon specialists reverse-engineered the malware, which made it possible to establish that FIN8 uses it alongside other custom backdoors.

“Badhatch differs in that it uses an alternative and atypical channel of communication with the command-and-control (C&C) server,” the experts explain.

FIN8 tries to deploy multiple backdoors on the victim’s network to create an additional foothold. This keeps the intrusion alive if the primary malicious component is detected.

Apparently, Badhatch is a unique malware designed by FIN8 specifically for its purposes.
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
