After being dormant for two years, the FIN8 cybercrime group has re-appeared with a new campaign aimed at stealing credit card data, showing that the gang continues to evolve and adapt its tooling, according to a new report from Gigamon’s applied threat research (ATR) team. The team discovered a new reverse-shell malware dubbed BADHATCH while analyzing variants of the ShellTea implant and the PoSlurp memory-scraper malware, designated ShellTea.B and PoSlurp.B.
FIN8 is a financially motivated threat group that was first observed in 2016. The group specializes in tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries. Typically, initial infection begins with a malicious email campaign using weaponized Microsoft Word attachments designed to entice the user to enable macros. These macros execute a PowerShell command that downloads a second PowerShell script containing the shellcode for the first stage of a downloader, dubbed PowerSniff (aka PUNCHBUGGY).
The new tool described in Gigamon’s report shares similarities with PowerSniff, but it also contains a number of new capabilities, such as a different command-and-control communication protocol and the ability to inject commands into processes, as well as the flexibility for more tooling to be added later if required.
“The BADHATCH sample begins with a self-deleting PowerShell script containing a large byte array of 64-bit shellcode that it copies into the PowerShell process’s memory and executes with a call to CreateThread. This script differs slightly from publicly reported samples in that the commands following the byte array are base64 encoded, possibly to evade security products. While previous analyses saw PowerSniff downloaded from online sources and executed, Gigamon ATR incident response partners recorded the attackers launching the initial PowerShell script via WMIC,” wrote the researchers.
Besides the networking behaviour, BADHATCH differs from PowerSniff in that it contains no sandbox-detection or anti-analysis features apart from some slight string obfuscation. It includes none of the environmental checks that evaluate whether it is running on possible education or healthcare systems, and it has no observed built-in, long-term persistence mechanism.
ShellTea is a memory-resident implant that can download and execute additional code. It serves as a stealthy foothold in the victim network, allowing the FIN8 group to deploy additional payloads. Another analyzed sample, the PoSlurp scraper, appears to be the most important component in the FIN8 toolkit, as it retrieves credit card numbers as they pass through payment-card processing systems. The researchers also noted that PoSlurp skips the Luhn check that most memory scrapers apply to candidate card numbers:
“This algorithm defines valid credit card numbers, and most scrapers check card numbers against it. Notably, PoSlurp does not run the Luhn algorithm on card numbers it collects. Verification may be performed offline, after the exfiltration of the card data, but either way, FIN8 knows the environment and PoSlurp targets the card processing software directly for scraping rather than arbitrarily scraping other process memory,” explained the researchers in their report.
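The Luhn checksum mentioned above is the same filter a defender can apply when reviewing captured memory or network data for exposed card numbers (for example, while triaging a suspected scraper infection). The following is an added example, not code from the Gigamon report or from the FIN8 tooling; the sample capture text is constructed and the identifiers are the author's own. It pulls out every 13-19 digit run, keeps only Luhn-valid candidates, and masks them before reporting, since Luhn validity narrows false positives but does not by itself prove a string is a real card number.

```python
import re

# Constructed sample of strings one might see in a memory or traffic capture.
# The card-like values are well-known public test numbers, not real accounts.
SAMPLE_CAPTURE = (
    "order=8891 pan=4111111111111111 exp=12/27\n"  # Luhn-valid 16-digit
    "pan=4111111111111112\n"                       # one digit off, fails Luhn
    "amex=378282246310005\n"                       # Luhn-valid 15-digit
    "ticket=1234567890123\n"                       # 13 digits, fails Luhn
)

# Candidate PAN: 13-19 digits not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits for safe reporting."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pan_candidates(text: str):
    """Return (masked_or_raw_candidate, luhn_ok) for each digit run.

    Luhn-valid hits are masked; failed candidates are returned as-is so an
    analyst can see why they were discarded.
    """
    results = []
    for m in PAN_RE.finditer(text):
        cand = m.group(0)
        ok = luhn_valid(cand)
        results.append((mask_pan(cand) if ok else cand, ok))
    return results
```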