Discovering BADHATCH and a Detailed Look at FIN8’s Tooling


Discovering BADHATCH and a Detailed Look at FIN8’s Tooling (Jul 23, 2019)

The financially-motivated threat group “FIN8,” which was first identified by FireEye researchers in 2016, have added a new tool to their malicious arsenal, according to Gigamon researchers. The new tool, dubbed “BADHATCH,” is likely distributed through malspam emails and is capable of reverse shell functionality and transferring files. The emails contain Microsoft Word document attachments with malicious macros that, once enabled, will execute a PowerShell command to begin the BADHATCH infection process. Researchers believe that malspam email is likely the initial infection method, however, as of this writing they were unable to retrieve a document sample.

Recommendation: All employees should be educated on the risks of malspam, and how to identify such attempts. Poor grammar and urgent content are often indicators of these types of attacks. Additionally, messages that request a recipient to open a file attachment should also be avoided.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.