FIN8 Returns with Improved Point of Sale Malware

Man using a POS system

The FIN8 cybercriminal group has returned after an 18-month break with an improved version of their Point of Sale (PoS) malware. In the latest attacks, the group is targeting companies in the chemical, insurance, retail and technology industries.

Who is FIN8?

FIN8 is a cybercriminal group first identified by FireEye in 2016, whose main purpose is financial gain. As opposed to APT groups, whose focus is intelligence gathering and cyberespionage. In the past, FIN8 has targeted the retail, hospitality and entertainment industries.

The group’s mode of attack involves using spear-phishing campaigns to send emails containing malicious Microsoft Word document attachments. The aim of the attacks is to steal payment card details from PoS systems. The malware tools previously used in these attacks include the PoS memory scraping tool, PunchTrack, the Dynamic Link Library (DLL) downloader, PunchBuggy, and the BadHatch backdoor.

Although the group has been active for many years, it is known for taking long breaks between campaigns to improve its malware tools and increase their rate of success. According to Bogdan Botezatu, director of threat research at Bitdefender, the groups last campaign was in mid-2019. In this previous campaign the group resurfaced after a two-year hiatus to attack companies in the hospitality sector.

FIN8’s Targets

As for the recent attacks, Bitdefender researchers believe these merely represent tests being conducted by the group to trial the new version of their BadHatch backdoor. The actual attack campaign is yet to come.

“FIN8 is known to get back in business with small tests on a limited pool of victims before they go broad,” Botezatu told Threatpost. “This is a mechanism to validate security on a small subset before moving attacks to production.”

According to a Bitdefender whitepaper on FIN8 published earlier this week, the test attacks have been ongoing for the past year. And they have targeted companies in the chemical, insurance, retail and technology industries around the world. The countries hit by these test attacks include Canada, Italy, Panama, Puerto Rico, South Africa and the US. Bitdefender does not mention which organizations have been compromised.

BadHatch Backdoor Improved

The improved version of FIN8’s custom BadHatch backdoor has new capabilities including screen capturing, proxy tunneling and fileless execution.

Fileless Execution

Unlike traditional attacks, fileless attacks do not rely on malware to infect systems. Instead, they abuse systems’ own legitimate built in-tools, authorized protocols and trusted applications. As was the case in recent attacks conducted by the newly identified threat group, LazyScripter.

In essence these campaigns make systems attack themselves. Furthermore, they are especially powerful as they can bypass standard cybersecurity mechanisms, such as antivirus software. Since genuine software is being used in such attacks, antivirus software does not recognize the software’s actions as an attack.

The latest version of BadHatch abuses the legitimate Domain Name System (DNS) service,, to avoid detection during deployment. This genuine service is employed to download a script created using Microsoft’s legitimate scripting framework, PowerShell. This script in turn executes code containing FIN8’s BadHatch DLL, which establishes persistence and undertakes privilege escalation. Moreover, the backdoor also utilizes legitimate HTTP requests to communicate with its Command-and-Control (C2) server.

Other New Capabilities

The whitepaper describes BadHatch as “a mature, highly advanced backdoor that uses several evasion and defense techniques.” Furthermore, the new version of BadHatch can gather information about compromised systems. It can also perform lateral movement to explore the network and find its ultimate targets.

“The lateral movement part is critical, as it targets POS networks,” explained Botezatu. “This is because the malware is usually delivered via malicious attachments. The target victim can be anyone on the network and the malware has to jump from one endpoint to another until it reaches the real targets on the network – POS devices.”

Furthermore, the latest BadHatch version also allows file downloads, which could pave the way for different kinds of attacks in the future. Not just attacks that harvest payment card details.


To avoid attacks from financially motivated cybercriminal groups like FIN8, or at least minimize their effect, Bitdefender provides some recommendations. This advice is provided in a blog by Bitdefender researchers Botezatu and Victor and it includes:

  • Separate the POS network from networks used by employees or guests.
  • Introduce cybersecurity awareness training for employees to help them spot phishing emails.
  • Tune the email security solution to automatically discard malicious or suspicious attachments.
  • Integrate threat intelligence into existing security controls for relevant Indicators of Compromise (IOC). The currently known IOCs are provided in Bitdefender’s whitepaper.
  • Small and medium organizations without a dedicated security team should consider outsourcing security operations to managed security service providers.
Information technology expert
Grace is an information technology expert who joined the VPNoverview team in 2019, writing cybersecurity and internet privacy-based news articles. Due to her IT background in legal firms, these subjects have always been of great interest to her.