25 July 2019

FIN8 gang deploys new malware in its latest credit card data-stealing campaign

After being dormant for two years, the FIN8 cybercrime group has re-appeared with a new campaign aimed at stealing credit card data, showing that the gang continues to evolve and adapt its tooling, according to a new report from Gigamon’s Applied Threat Research (ATR) team. The team discovered a new reverse-shell malware, dubbed BADHATCH, while analyzing new variants of the ShellTea implant and the PoSlurp memory scraper, designated ShellTea.B and PoSlurp.B.

FIN8 is a financially motivated threat group that was first observed in 2016. The group specializes in tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries. Typically, initial infection begins with a malicious email campaign using weaponized Microsoft Word attachments designed to entice the user into enabling macros. These macros execute a PowerShell command which downloads a second PowerShell script containing the shellcode of the first stage of a downloader, dubbed PowerSniff (aka PUNCHBUGGY).

The new tool described in Gigamon’s report shares similarities with PowerSniff, but also contains a number of new capabilities, such as a different command-and-control communication protocol and an added ability to inject commands into processes, as well as the flexibility for more tooling to be added at a later date if required.

“The BADHATCH sample begins with a self-deleting PowerShell script containing a large byte array of 64-bit shellcode that it copies into the PowerShell process’s memory and executes with a call to CreateThread. This script differs slightly from publicly reported samples in that the commands following the byte array are base64 encoded, possibly to evade security products. While previous analyses saw PowerSniff downloaded from online sources and executed, Gigamon ATR incident response partners recorded the attackers launching the initial PowerShell script via WMIC”, wrote the researchers.

Besides the networking behaviour, BADHATCH differs from PowerSniff in that it contains no methods for sandbox detection or anti-analysis features apart from some slight string obfuscation. It includes none of the environmental checks to evaluate if it is running on possible education or healthcare systems and has no observed built-in, long-term persistence mechanisms.

ShellTea is a memory-resident implant that can download and execute additional code. It serves as a stealthy foothold in the victim network, allowing the FIN8 group to deploy additional payloads. The other analyzed sample, the PoSlurp scraper, appears to be the most important component in the FIN8 toolkit, as it retrieves credit card numbers as they pass through payment-card processing systems.

“This algorithm defines valid credit card numbers, and most scrapers check card numbers against it. Notably, PoSlurp does not run the Luhn algorithm on card numbers it collects. Verification may be performed offline, after the exfiltration of the card data, but either way, FIN8 knows the environment and PoSlurp targets the card processing software directly for scraping rather than arbitrarily scraping other process memory,” explained the researchers in their report.
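The Luhn check the researchers refer to is the same one defenders use on their side, for example in DLP rules on outbound traffic or when triaging a memory dump for payment-card data during incident response. The following is an added illustration, not code from the Gigamon report or from any FIN8 tool; the sample buffer and the candidate length range (13 to 19 digits) are assumptions, and the card numbers used are standard industry test values, not real cards.

```python
import re
from typing import List

# Constructed sample buffer: two Luhn-valid test PANs, one digit run that
# fails the checksum, and one 12-digit value that is too short to qualify.
SAMPLE = (
    "pan=4111111111111111 junk=4111111111111112 "
    "id=123456789012 mc=5500000000000004"
)

# Candidate primary account numbers: 13-19 digit runs not adjacent to other
# digits (assumed length range; covers common card brands).
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # subtract 9 from any doubled value above 9 (same as summing its digits).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_luhn_valid_pans(buf: str) -> List[str]:
    """Return every candidate digit run in buf that passes the Luhn check."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(buf)
            if luhn_valid(m.group(0))]


if __name__ == "__main__":
    for pan in find_luhn_valid_pans(SAMPLE):
        # Mask all but the last four digits before logging a hit.
        print("Luhn-valid PAN found:", "*" * (len(pan) - 4) + pan[-4:])
```

Because PoSlurp skips this check, a scrape of card-processing memory may contain digit runs that fail Luhn; a detection rule keyed only on Luhn-valid values would miss that noise, while one that flags any dense run of 13-19 digit strings leaving a POS host would not.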
