
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)

BADHATCH is a backdoor that has been utilized by FIN8 since at least 2019. BADHATCH has been used to target the insurance, retail, technology, and chemical industries in the United States, Canada, South Africa, Panama, and Italy.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | 1 |
| Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) | Attack Pattern | 1 |
| Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) | Attack Pattern | 1 |
| Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) | Attack Pattern | 1 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) | Attack Pattern | 1 |
| PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) | Attack Pattern | BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) | Malware | 1 |
| Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) | Attack Pattern | Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) | Attack Pattern | 2 |
| Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) | Attack Pattern | Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) | Attack Pattern | 2 |
| Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) | Attack Pattern | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 2 |
| Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) | Attack Pattern | Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) | Attack Pattern | 2 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | 2 |
| File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) | Attack Pattern | Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | 2 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | 2 |
| Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) | Attack Pattern | Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) | Attack Pattern | 2 |
| Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) | Attack Pattern | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 2 |
| Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) | Attack Pattern | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 2 |
| Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) | Attack Pattern | Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) | Attack Pattern | 2 |
| Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | 2 |
| Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) | Attack Pattern | Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) | Attack Pattern | 2 |
| Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) | Attack Pattern | Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) | Attack Pattern | 2 |
| PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |