SecurityWeek

Application Security

FIN8 Hackers Add ‘Sardonic’ Backdoor to Malware Arsenal

The financially motivated threat actor tracked as FIN8 has added a potent new backdoor to its arsenal and is already using it in attacks in the wild, according to researchers at endpoint security firm Bitdefender.

Active since at least 2016, FIN8 built its reputation by targeting point-of-sale (PoS) systems, but appears to have strengthened its portfolio with a more potent utility.

Referred to as Sardonic, the new piece of malware consists of several components, including the backdoor itself, a loader, and some scripts. Still under development, Sardonic was observed in the wild with its components compiled just before launch, Bitdefender says.

FIN8 is known for using spear-phishing and social engineering to gain initial access to a victim’s network, and the same tactics may have been used in this attack as well. Next, the adversary performs reconnaissance and lateral movement, complemented by privilege escalation.

The attackers used the BADHATCH loader during these stages, and then attempted to deploy the Sardonic backdoor on domain controllers to further spread onto the network.

Deployment begins with running the Sardonic loader, most likely as part of a manual process. The loader would achieve persistence using WMI (Windows Management Instrumentation). However, Bitdefender notes that the aim is not persistence as such, but ensuring that the next stage is executed at startup; that stage in turn executes shellcode responsible for fetching and running the Sardonic backdoor.
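As an added defender-side check (not code from the article or from Bitdefender’s report), the following PowerShell enumerates permanent WMI event subscriptions, the usual form of WMI-driven execution at startup, and reports what each binding would run. It assumes that this is the mechanism the loader uses, which the article does not spell out, and the startup-trigger patterns it flags are an assumption, not indicators from the report.

```powershell
# Added example, not code from the article or from Bitdefender. Assumes the WMI
# startup mechanism described above is a permanent event subscription (filter ->
# consumer binding in root\subscription). Run elevated on a host you administer.

$Namespace = 'root\subscription'

function Get-RefName {
    # Binding references arrive as CimInstance objects (CIM cmdlets) or as
    # path strings (WMI cmdlets); return the referenced object's Name either way.
    param($Ref)
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]+)"') { return $Matches[1] }
        return $Ref
    }
    return $Ref.Name
}

function Get-WmiSubscriptionReport {
    param([string]$Ns = $Namespace)

    $filters   = Get-CimInstance -Namespace $Ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $Ns -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $Ns -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $fName
        $c = $consumers | Where-Object Name -eq $cName

        # What the consumer executes depends on its concrete class.
        $action = switch ($c.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate; break }
            'ActiveScriptEventConsumer' { if ($c.ScriptFileName) { $c.ScriptFileName } else { $c.ScriptText }; break }
            default                     { $null }
        }

        # Heuristic (assumption): filters keyed on uptime or process start are the
        # common way a subscription fires shortly after boot.
        $startupTrigger = $f.Query -match 'SystemUpTime|Win32_ProcessStartTrace|Win32_LocalTime'

        [pscustomobject]@{
            Consumer      = $cName
            Filter        = $fName
            Query         = $f.Query
            ConsumerClass = $c.CimClass.CimClassName
            Action        = $action
            Suspicious    = ($null -ne $action) -and $startupTrigger
        }
    }
}

Get-WmiSubscriptionReport | Sort-Object Suspicious -Descending | Format-List
```

Any binding reported with Suspicious set to True should be reviewed against change records, since legitimate management tooling also registers such subscriptions.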

Written in C++, the malware can gather system information and execute supplied commands; it can also load crafted DLLs and execute their functions, courtesy of a plugin system meant to expand its capabilities.

During its analysis of Sardonic, Bitdefender also identified a series of commands whose execution has not yet been implemented, although the binary-protocol parsing for them exists, which suggests that the project is still under development.

FIN8, Bitdefender points out, is known for taking breaks to refine its portfolio and techniques, and the new backdoor shows that the threat actor continues to strengthen its capabilities. Thus, organizations in sectors such as finance, hospitality, and retail, which are preferred FIN8 targets, should continuously scan their environments for potential compromise, the researchers say.

Related: New Version of ShellTea Backdoor Used by FIN8 Hacking Group

Related: Visa: North American Gas Stations Targeted in PoS Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.