24 July 19, 11:00
(This post was last modified: 24 July 19, 11:01 by silversurfer.)
Quote:The financially motivated threat group known as FIN8 has recently reemerged after being somewhat dormant, according to new research from Gigamon’s applied threat research (ATR) team.
Researchers have published findings that show FIN8 continues to evolve and adapt its tools. As part of the threat research, ATR discovered a reverse shell from FIN8, dubbed BADHATCH, while observing variants of the ShellTea implant and PoSlurp memory scraper malware. In the report, ATR also compares BADHATCH to other popular malware variants, such as PowerSniff.
“The BADHATCH sample begins with a self-deleting PowerShell script containing a large byte array of 64-bit shellcode that it copies into the PowerShell process’s memory and executes with a call to CreateThread. This script differs slightly from publicly reported samples in that the commands following the byte array are base64 encoded, possibly to evade security products. While previous analyses saw PowerSniff downloaded from online sources and executed, Gigamon ATR incident response partners recorded the attackers launching the initial PowerShell script via WMIC,” researchers wrote.
In its initial stage, BADHATCH locates the embedded DLL in order to execute the injection, which creates a local event job. “On startup, and every 5 minutes thereafter, the sample beacons to a hardcoded command and control (C2) IP (149.28.203[.]102) using TLS encryption, and sends a host identification string derived from several system configuration details and formatted as %08X-%08X-%08X-%08X-%08X-SH. Only the one hardcoded IP address and no C2 domains were observed,” the report said.
SOURCE: https://www.infosecurity-magazine.com/ne...-badhatch/