FIN8 cybercrime group resurges with improved hacking tool

The financial scammers seem to be back from a hiatus.
Credit card
(Getty Images)

A financially-motivated hacking group that appeared to drop off the map a year-and-a-half ago is back with a new and improved backdoor, according to Bitdefender research published Wednesday.

Over the last year the criminal hacking group, known as FIN8, has primarily targeted companies in retail, technology, chemical and insurance industries with its updated point-of-sale malware, and has compromised organizations in the U.S., Canada, South Africa, Puerto Rico, Panama and Italy, according to the research. FIN8, which FireEye researchers first observed in operation in 2016, has historically targeted organizations in the retail, restaurant and hospitality industries with emails containing malicious Microsoft Word documents.

The updated backdoor, known as BADHATCH, has incorporated screen capturing, proxy tunneling and fileless execution, the researchers write. The backdoor has also likely added in credential-stealing capabilities, according to the research.

Bitdefender does not identify which organizations have been compromised.


An earlier version of BADHATCH, which researchers at Gigamon and Trend Micro observed in 2019, allowed attackers to target victims with other malware payloads, including PoSlurp and ShellTea, which enabled the hacking group to scrape for credit card data, access or delete files and lead to additional code execution.

In the latest round of activity, the hackers have since wrapped in efforts to evade detection by using TLS encryption to conceal their Powershell commands, according to Bitdefender.

When the group first emerged, it claimed hundreds of victims across North America, according to FireEye. But part of FIN8’s success is battering targets and then tapering off operations in order to maintain its stealth over the long term, according to Bitdefender.

“The FIN8 group is known for taking long breaks to improve [tactics, techniques and procedures] and increase their rate of success,” the Bitdefender researchers write in a blog.

It’s not the first time researchers have spotted the financially-motivated group reiterating on its tooling to run new attack campaigns. The hacking group attempted to breach a U.S. hotel using a new malware variant in 2019, according to previous Morphisec research.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts