ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > List all tools > List all groups using tool BadHatch

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: BadHatch

NamesBadHatch
CategoryMalware
TypePOS malware, Backdoor, Info stealer
Description(Trend Micro) Security researchers found threat group FIN8 reappearing after two years with a new point-of-sale (PoS) malware named Badhatch, which is designed to steal credit card information. Researchers from Gigamon analyzed the sample and found similarities with PunchBuggy, but Badhatch features new capabilities that allow it to scan for victim networks, provide attackers with remote access, install a backdoor, and deliver other modified malware payloads such as PoSlurp and PunchBuggy, among other features.

Badhatch begins infection much like its predecessor PowerSniff, by sending a customized phishing email via a weaponized Word document. Once the victim enables the macros, it executes PowerShells and shellcode scripts for PowerSniff, installing a backdoor in the process. Its network scan capability makes it different from PowerSniff; it is unable to check if the systems infected is in the education or healthcare sector. The researchers also noted that it lacks the sandbox detection and anti-virus analysis evasion features, as well as the long-term persistence tools that its predecessor had. However, they note that this also serves as an advantage as the attackers can execute the routine after infection and have greater control on how the malware can be used, thereby avoiding automated sandboxing features.
Information<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/fin8-reemerges-with-new-pos-malware-badhatch>
<ttps://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf>
<https://team-cymru.com/blog/2021/03/15/fin8-badhatch-threat-indicator-enrichment/>
MITRE ATT&CK<https://attack.mitre.org/software/S1081>
Malpedia<https://malpedia.caad.fkie.fraunhofer.de/details/win.badhatch>
AlienVault OTX<https://otx.alienvault.com/browse/pulses?q=tag:BADHATCH>

Last change to this tool card: 30 November 2023

Download this tool card in JSON format

All groups using tool BadHatch

ChangedNameCountryObserved

APT groups

 FIN8[Unknown]2016-Dec 2022 

1 group listed (1 APT, 0 other, 0 unknown)

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]