By CagedTech in Malware

Financially motivated hacking groups are among the most interesting subjects for malware researchers since they are known to employ advanced obfuscation and anti-debugging techniques in their projects. However, the FIN8 group has surprised researchers with the release of a rather interesting piece of malware that does not even attempt to avoid sandboxes or other virtualized environments used for malware debugging.

FIN8 Uses Spear-Phishing Emails to Bring BADHATCH to Targets

The malware in question is called BADHATCH, and it is likely delivered via spear-phishing emails carrying a document that recipients are likely to regard as important. However, the document is merely a decoy for an embedded PowerShell script that unpacks BADHATCH and launches it. For this to happen, the recipient must allow Microsoft Office to execute macros – this is where the attackers may use social engineering to convince them that enabling macros is necessary to view the document's contents.

BADHATCH May Bring Information Theft and Memory Scraping Malware

The PowerShell script in question is base64-encoded, probably in an attempt to evade antivirus scanners. However, this is a rather simple obfuscation trick, and any reputable anti-malware application should be able to flag the suspicious code easily. Once BADHATCH is deployed successfully, it may connect to the attackers' command-and-control server and wait for instructions. It appears that BADHATCH serves as a reverse shell that enables the attackers to execute remote commands on the compromised host. They are likely to use this access to collect system details and to install additional payloads on the compromised host. One of the campaigns involving BADHATCH also used another FIN8-made tool, the PoSlurp memory scraper, which looks for financial details.
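As an added illustration of the detection point above (this is example code written for this page, not code from the article, from FIN8's tooling or from any vendor), the following Python script decodes the base64 argument of PowerShell's -EncodedCommand switch from constructed process-creation events and scores them: an Office parent process, an encoded command, and stager-like strings in the decoded script each raise the score. The event tuples, marker list and scoring weights are all assumptions made for the example.

```python
import base64
import re
from typing import Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Accepts -e, -ec, -en, -enc and the full -EncodedCommand switch (PowerShell
# takes unambiguous prefixes); the argument is base64 of a UTF-16LE script.
ENCODED_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Strings a downloader / reverse-shell stager tends to contain once decoded
# (assumed marker set for this example; tune to your environment).
STAGER_MARKERS = {
    "tcp-client": re.compile(r"Net\.Sockets\.TCPClient", re.I),
    "web-download": re.compile(r"Download(?:String|File)", re.I),
    "invoke-expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "nested-base64": re.compile(r"FromBase64String", re.I),
}

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if cmdline carries an -EncodedCommand, else None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not valid base64 / not UTF-16LE
        return None

def triage(parent_image: str, cmdline: str) -> Optional[dict]:
    """Score one process-creation event; None when nothing looks suspicious."""
    child = cmdline.split()[0].lower().rsplit("\\", 1)[-1]
    reasons, score = [], 0
    if child in ("powershell.exe", "pwsh.exe") and parent_image.lower() in OFFICE_PARENTS:
        reasons.append("office-spawned-powershell"); score += 2
    script = decode_encoded_command(cmdline)
    if script is not None:
        reasons.append("encoded-command"); score += 1
        for name, pat in STAGER_MARKERS.items():
            if pat.search(script):
                reasons.append(name); score += 1
    return {"score": score, "reasons": reasons, "decoded": script} if score else None

def encode_for_powershell(script: str) -> str:
    """Builds the -EncodedCommand form; used only for the constructed samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample events (parent image, command line); not from the article.
SAMPLE_EVENTS = [
    ("explorer.exe", r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    ("services.exe", "powershell.exe -enc " + encode_for_powershell("Get-Date")),
    ("WINWORD.EXE", "powershell.exe -w hidden -enc "
     + encode_for_powershell("$t=New-Object System.Net.Sockets.TCPClient;IEX $x")),
]
```

Running `triage` over `SAMPLE_EVENTS` yields no alert for the plain scheduled script, a low score for the encoded but harmless `Get-Date`, and the highest score for the Word-spawned encoded command.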
