
BADHATCH

BADHATCH is a backdoor that has been utilized by FIN8 since at least 2019. BADHATCH has been used to target the insurance, retail, technology, and chemical industries in the United States, Canada, South Africa, Panama, and Italy.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021)
ID: S1081
Type: MALWARE
Platforms: Windows
Created: 01 Aug 2023
Last Modified: 11 Apr 2024

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

BADHATCH can utilize the CMSTPLUA COM interface and the SilentCleanup task to bypass UAC.(Citation: BitDefender BADHATCH Mar 2021)

Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

BADHATCH can impersonate an `lsass.exe` or `vmtoolsd.exe` token.(Citation: BitDefender BADHATCH Mar 2021)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

BADHATCH can use HTTP and HTTPS over port 443 to communicate with actor-controlled C2 servers.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021)

Enterprise T1071 .002 Application Layer Protocol: File Transfer Protocols

BADHATCH can emulate an FTP server to connect to actor-controlled C2 servers.(Citation: BitDefender BADHATCH Mar 2021)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

BADHATCH can utilize `powershell.exe` to execute commands on a compromised host.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

BADHATCH can use `cmd.exe` to execute commands on a compromised host.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021)

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

BADHATCH can beacon to a hardcoded C2 IP address using TLS encryption every 5 minutes.(Citation: Gigamon BADHATCH Jul 2019)

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

BADHATCH can use WMI event subscriptions for persistence.(Citation: BitDefender BADHATCH Mar 2021)

Enterprise T1070 .004 Indicator Removal: File Deletion

BADHATCH has the ability to delete PowerShell scripts from a compromised machine.(Citation: Gigamon BADHATCH Jul 2019)

Enterprise T1027 .009 Obfuscated Files or Information: Embedded Payloads

BADHATCH has an embedded second stage DLL payload within the first stage of the malware.(Citation: Gigamon BADHATCH Jul 2019)

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

BADHATCH malicious PowerShell commands can be encoded with base64.(Citation: BitDefender BADHATCH Mar 2021)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

BADHATCH can be compressed with the ApLib algorithm.(Citation: BitDefender BADHATCH Mar 2021)

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

BADHATCH can use `net.exe group "domain admins" /domain` to identify Domain Administrators.(Citation: BitDefender BADHATCH Mar 2021)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

BADHATCH has the ability to execute a malicious DLL by injecting into `explorer.exe` on a compromised machine.(Citation: Gigamon BADHATCH Jul 2019)

Enterprise T1055 .004 Process Injection: Asynchronous Procedure Call

BADHATCH can inject itself into a new `svchost.exe -k netsvcs` process using the asynchronous procedure call (APC) queue.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

BADHATCH can use `schtasks.exe` to gain persistence.(Citation: BitDefender BADHATCH Mar 2021)

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

BADHATCH can perform pass the hash on compromised machines with x64 versions.(Citation: BitDefender BADHATCH Mar 2021)

Groups That Use This Software

ID Name References
G0061 FIN8 (Citation: BitDefender BADHATCH Mar 2021)
