Colin Cowie

Down the BadHatch: Analysis of a Financially Motivated Access Broker

STAC4663 is a financially-motivated threat activity cluster that Sophos has been closely monitoring since early 2023 for its persistent exploitation of emerging vulnerabilities. Our research examines STAC4663’s operations, with a focus on its unique malware, BadHatch / Sardonic Backdoor, and its connections to the ransomware ecosystem.

This presentation will examine cases involving STAC4663, revealing their core tools, techniques, and procedures, including the vulnerabilities targeted and dual-use applications leveraged. Additionally, STAC4663’s usage of SystemBC and involvement in handing off access to ransomware affiliates will be highlighted.

Leveraging insights gained from the recovery of command and control server data, we are able to provide detailed analyses of STAC4663’s tooling, bash history, and global reconnaissance techniques. These insights offer a unique perspective on STAC4663’s operations and their broader implications for the ransomware ecosystem.

Colin is a Threat Intelligence Analyst for the Sophos Managed Detection Response team. He focuses on detecting emerging threats, threat actor identification, and incident response. In past roles, he has worked in the financial sector performing penetration testing as well as in mobile forensics for law enforcement.