S1081 BADHATCH
BADHATCH is a backdoor that has been utilized by FIN8 since at least 2019. BADHATCH has been used to target the insurance, retail, technology, and chemical industries in the United States, Canada, South Africa, Panama, and Italy.[1][2]
| Item | Value |
|---|---|
| ID | S1081 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 01 August 2023 |
| Last Modified | 11 April 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | BADHATCH can utilize the CMSTPLUA COM interface and the SilentCleanup task to bypass UAC.[2] |
| enterprise | T1134 | Access Token Manipulation | - |
| enterprise | T1134.001 | Token Impersonation/Theft | BADHATCH can impersonate a lsass.exe or vmtoolsd.exe token.[2] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | BADHATCH can use HTTP and HTTPS over port 443 to communicate with actor-controlled C2 servers.[1][2] |
| enterprise | T1071.002 | File Transfer Protocols | BADHATCH can emulate an FTP server to connect to actor-controlled C2 servers.[2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | BADHATCH can utilize powershell.exe to execute commands on a compromised host.[1][2] |
| enterprise | T1059.003 | Windows Command Shell | BADHATCH can use cmd.exe to execute commands on a compromised host.[1][2] |
| enterprise | T1482 | Domain Trust Discovery | BADHATCH can use nltest.exe /domain_trusts to discover domain trust relationships on a compromised machine.[2] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | BADHATCH can beacon to a hardcoded C2 IP address using TLS encryption every 5 minutes.[1] |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | BADHATCH can use WMI event subscriptions for persistence.[2] |
| enterprise | T1041 | Exfiltration Over C2 Channel | BADHATCH can exfiltrate data over the C2 channel.[1][2] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | BADHATCH has the ability to delete PowerShell scripts from a compromised machine.[1] |
| enterprise | T1105 | Ingress Tool Transfer | BADHATCH has the ability to load a second stage malicious DLL file onto a compromised machine.[1] |
| enterprise | T1106 | Native API | BADHATCH can utilize Native API functions such as ToolHelp32 and RtlAdjustPrivilege to enable SeDebugPrivilege on a compromised machine.[1] |
| enterprise | T1046 | Network Service Discovery | BADHATCH can check for open ports on a computer by establishing a TCP connection.[2] |
| enterprise | T1135 | Network Share Discovery | BADHATCH can check a user's access to the C$ share on a compromised machine.[2] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.009 | Embedded Payloads | BADHATCH has an embedded second stage DLL payload within the first stage of the malware.[1] |
| enterprise | T1027.010 | Command Obfuscation | BADHATCH malicious PowerShell commands can be encoded with base64.[2] |
| enterprise | T1027.015 | Compression | BADHATCH can be compressed with the ApLib algorithm.[2] |
| enterprise | T1069 | Permission Groups Discovery | - |
| enterprise | T1069.002 | Domain Groups | BADHATCH can use net.exe group "domain admins" /domain to identify Domain Administrators.[2] |
| enterprise | T1057 | Process Discovery | BADHATCH can retrieve a list of running processes from a compromised machine.[2] |
| enterprise | T1055 | Process Injection | BADHATCH can inject itself into an existing explorer.exe process by using RtlCreateUserThread.[1][2] |
| enterprise | T1055.001 | Dynamic-link Library Injection | BADHATCH has the ability to execute a malicious DLL by injecting into explorer.exe on a compromised machine.[1] |
| enterprise | T1055.004 | Asynchronous Procedure Call | BADHATCH can inject itself into a new svchost.exe -k netsvcs process using the asynchronous procedure call (APC) queue.[1][2] |
| enterprise | T1090 | Proxy | BADHATCH can use SOCKS4 and SOCKS5 proxies to connect to actor-controlled C2 servers. BADHATCH can also emulate a reverse proxy on a compromised machine to connect with actor-controlled C2 servers.[2] |
| enterprise | T1620 | Reflective Code Loading | BADHATCH can copy a large byte array of 64-bit shellcode into process memory and execute it with a call to CreateThread.[1] |
| enterprise | T1018 | Remote System Discovery | BADHATCH can use a PowerShell object such as System.Net.NetworkInformation.Ping to ping a computer.[2] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | BADHATCH can use schtasks.exe to gain persistence.[2] |
| enterprise | T1113 | Screen Capture | BADHATCH can take screenshots and send them to an actor-controlled C2 server.[2] |
| enterprise | T1082 | System Information Discovery | BADHATCH can obtain current system information from a compromised machine such as the SHELL PID, PSVERSION, HOSTNAME, LOGONSERVER, LASTBOOTUP, OS type/version, bitness, and hostname.[1][2] |
| enterprise | T1049 | System Network Connections Discovery | BADHATCH can execute netstat.exe -f on a compromised machine.[2] |
| enterprise | T1033 | System Owner/User Discovery | BADHATCH can obtain logged user information from a compromised machine and can execute the command whoami.exe.[2] |
| enterprise | T1124 | System Time Discovery | BADHATCH can obtain the DATETIME and UPTIME from a compromised machine.[2] |
| enterprise | T1550 | Use Alternate Authentication Material | - |
| enterprise | T1550.002 | Pass the Hash | BADHATCH can perform pass the hash on compromised machines with x64 versions.[2] |
| enterprise | T1102 | Web Service | BADHATCH can be utilized to abuse sslip.io, a free IP to domain mapping service, as part of actor-controlled C2 channels.[2] |
| enterprise | T1047 | Windows Management Instrumentation | BADHATCH can utilize WMI to collect system information, create new processes, and run malicious PowerShell scripts on a compromised machine.[1][2] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0061 | FIN8 | [2] |
References
- [1] Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021.
- [2] Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.