Security research firm Gigamon has reported that the nasty cybercriminal group FIN8 may have reappeared in June after a two-year silence. FIN8 is known for planting malware on point-of-sale systems to steal credit card information and selling it on the dark web.
FIN8 appears to be back in business with a new twist on its old scheme. Dubbed “Badhatch,” the malware attack starts with customized phishing emails that deliver a malicious Microsoft Word document containing PowerShell scripts. The attached document includes macros that users are asked to enable. When FIN8’s scripts execute, a backdoor is installed that gives FIN8 greater control over the user’s system and lets it deploy tools for stealing credit card information, such as card-scraper malware that captures details of cards swiped through POS systems.
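As an added illustration (not part of Gigamon’s research or of this post), the Python sketch below shows how a defender might flag the first link in the chain described above: an Office application spawning a command shell or PowerShell, especially with hidden-window or encoded-command flags. The process-creation events, their key=value layout and the file paths are constructed for the example and are not indicators from the report.

```python
import re

# Constructed sample process-creation events (NOT from the Gigamon report).
# Layout is an assumed pipe-separated key=value flattening of the usual
# ParentImage / Image / CommandLine fields an EDR or Sysmon log would carry.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|"
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"CommandLine=powershell.exe -nop -w hidden -enc SQBFAFgA",
    r"ParentImage=C:\Windows\explorer.exe|"
    r"Image=C:\Windows\System32\notepad.exe|"
    r"CommandLine=notepad.exe report.txt",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|"
    r"Image=C:\Windows\System32\cmd.exe|"
    r"CommandLine=cmd.exe /c powershell -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1",
    r"ParentImage=C:\Windows\System32\svchost.exe|"
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"CommandLine=powershell.exe -File C:\Scripts\inventory.ps1",
]

# Office applications that should rarely, if ever, launch a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script and shell hosts commonly launched by malicious macros.
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe",
                  "wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell switches that are common in macro-delivered loaders and rare in admin use.
SUSPICIOUS_FLAGS = re.compile(
    r"(?i)(-enc(odedcommand)?\b|-nop\b|-w(indowstyle)?\s+hidden|bypass)")


def parse_event(line):
    """Split one pipe-separated key=value event line into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value
    return fields


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of detection reasons that apply to one event (empty if benign)."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    reasons = []
    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        reasons.append(f"office-spawned-shell:{parent}->{child}")
    # Catch PowerShell launched directly or via cmd.exe with evasive switches.
    runs_powershell = child in {"powershell.exe", "pwsh.exe"} or "powershell" in cmd.lower()
    if runs_powershell and SUSPICIOUS_FLAGS.search(cmd):
        reasons.append("suspicious-powershell-flags")
    return reasons


def scan(lines):
    """Run the classifier over raw event lines and collect alerts."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            alerts.append({
                "parent": basename(event.get("ParentImage", "")),
                "image": basename(event.get("Image", "")),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the Word-to-PowerShell and Excel-to-cmd chains are flagged while the explorer.exe and svchost.exe launches are not; in production the same lineage check would sit on top of a real process-creation feed and be tuned against whatever legitimate Office automation the environment actually has.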
The researchers at Gigamon have outlined Badhatch from a technical standpoint, which is helpful for security folks.
Luckily, according to Gigamon, “[A]t the end of the day, the actors behind FIN8 are human and clearly fallible. While they may make rapid improvements to tools and procedures, we hope the technical and operational information shared here will help other organizations detect and disrupt FIN8 operations.”
Badhatch is designed to steal credit card information, and in our experience there has been a dramatic rise in credit card scraping schemes. Those in the retail space may wish to review the research from Gigamon and be on the lookout for Badhatch.