
BADHATCH

Posted: July 24, 2019

BADHATCH is a backdoor Trojan that provides attackers with a remote shell for controlling infected systems and downloading other threats. Its presence is typically symptomatic of Point-of-Sale attacks that target credit and debit card data for theft. Implementing comprehensive network security controls and keeping anti-malware tools available for removing BADHATCH and any related threats is strongly recommended.

Trojans that Don't Stay Long to Do Their Job

System persistence is one of the supporting pillars of nearly all Trojans, but there are exceptions to this rule. For instance, BADHATCH – a backdoor Trojan that's part of the toolkit of the FIN8 threat actor – is an unusual example of a threat with no mechanism for long-term persistence. Its deployment can become a matter of routine for the attackers, who re-launch it as needed for harvesting profitable card credentials.

As a backdoor Trojan, many of BADHATCH's features are ones seen elsewhere, such as the reverse shell it shares with KOMPROGO and HAWKBALL. It also includes a general-purpose download-and-upload function that can deliver other threats. Besides not re-launching itself after a reboot, BADHATCH also cleans up its PowerShell-based dropper, may run as Base64-encoded PowerShell, and can inject code into one of two Windows processes (svchost.exe or explorer.exe).

Standard usage of BADHATCH involves a FIN8 operator launching it manually after gaining a foothold in a vulnerable business's network, then using its shell to compromise Point-of-Sale devices or install a persistent threat. Like ShellTea, its deployment is hands-on and operator-driven, although malware experts note that BADHATCH lacks other features besides persistence. Some of these absent capabilities include Registry editing, access-token manipulation, and, most unusually, any anti-virtualization or sandbox-evasion safeguards.

Nailing Up the Hatch to Lost Customer Data

Until the migration to chip-based card technology makes PoS Trojan campaigns unprofitable, any entity with Point-of-Sale hardware is at risk from FIN8 and threats like BADHATCH, PoSeidon, or ShellTea. Thankfully, workers can protect themselves against the well-known infection strategies that malware experts associate with attacks by BADHATCH and its associates. E-mail is the delivery vector common to most infections that compromise networks using PoS hardware.

For their safety, users should treat unusual attachments in unexpected e-mail messages as potential dangers. Traditional attacks use macros embedded inside a document or spreadsheet which, once active, trigger the drive-by download that gives the threat actor backdoor access to the machine. Note that up-to-date versions of most applications leave macro content inactive unless the reader enables it intentionally.
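The delivery chain described above (macro-spawned PowerShell, a Base64-encoded command, injection into svchost.exe or explorer.exe, and the dropper deleting itself) can be checked for in process telemetry. The following is an added detection example, not code from the original article or from any vendor; the Sysmon-style events and the encoded payload are constructed for illustration.

```python
import base64
import re
from typing import Dict, List

OFFICE_APPS = ("winword.exe", "excel.exe", "outlook.exe")
INJECTION_TARGETS = ("svchost.exe", "explorer.exe")  # hosts named in the write-up
# PowerShell's -EncodedCommand switch and its abbreviations, followed by Base64.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (PowerShell expects UTF-16LE), or ''."""
    match = ENC_RE.search(cmdline)
    if not match:
        return ""
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def detect_badhatch_chain(events: List[Dict[str, str]]) -> List[str]:
    """Flag the four observable steps of the described chain in Sysmon-style events.
    id 1 = process create, id 8 = CreateRemoteThread, id 23 = file delete."""
    alerts = []
    for ev in events:
        if ev["id"] == "1" and basename(ev["image"]) == "powershell.exe":
            if basename(ev["parent"]) in OFFICE_APPS:
                alerts.append("office-spawned-powershell")
            decoded = decode_encoded_command(ev["cmdline"])
            if decoded:
                alerts.append("encoded-powershell:" + decoded)
        elif ev["id"] == "8" and basename(ev["source"]) == "powershell.exe" \
                and basename(ev["target"]) in INJECTION_TARGETS:
            alerts.append("remote-thread-into-" + basename(ev["target"]))
        elif ev["id"] == "23" and basename(ev["image"]) == "powershell.exe" \
                and ev["path"].lower().endswith(".ps1"):
            alerts.append("powershell-deleted-own-script")
    return alerts


# Constructed sample events (not real telemetry) reproducing the chain.
SAMPLE_PAYLOAD = "Write-Output 'constructed sample'"
SAMPLE_EVENTS = [
    {"id": "1", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode()},
    {"id": "8", "source": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Windows\explorer.exe"},
    {"id": "23", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "path": r"C:\Users\Public\drop.ps1"},
    {"id": "1", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]
```

Any one of these alerts alone is a weak signal; it is the sequence (Office parent, encoded command, remote thread into explorer.exe or svchost.exe, script self-deletion) within a short window that matches the non-persistent pattern the article describes.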

Unless BADHATCH acquires unexpected updates that add persistence, disinfecting a system of BADHATCH itself should require nothing more than rebooting the computer. However, because of its threat-downloading features, malware experts continue to advise running full anti-malware scans to delete BADHATCH's payloads and related threats.

A Trojan that stays only as long as it's needed, and no longer, leaves fewer signals, symptoms, and samples behind. BADHATCH's lack of a traditional, Registry-based persistence mechanism may seem like a positive, but for researchers interested in analyzing its development, the omission is nothing but a problem.
