FIN8 Hackers Add ‘Sardonic’ Backdoor to Malware Arsenal

The financially-motivated threat actor tracked as FIN8 has added a potent new backdoor to its arsenal and is already using it in attacks in-the-wild, according to researchers at endpoint security firm Bitdefender.

Active since at least 2016, FIN8 made a reputation for itself with the targeting of point-of-sale systems, but appears to have strengthened its portfolio with a more potent utility.

Referred to as Sardonic, the new piece of malware consists of several components, including the backdoor itself, a loader, and some scripts. Still under development, Sardonic was observed in-the-wild with its components compiled just before launch, Bitdefender says.

FIN8 is known for the use of spear-phishing and social engineering tactics for initial access to a victim’s network, and the same might have been used in this attack as well. Next, the adversary performs reconnaissance and lateral movement, complemented by privilege escalation.

The attackers used the BADHATCH loader during these stages, and then attempted to deploy the Sardonic backdoor on domain controllers to further spread onto the network.

Deployment begins with running the Sardonic loader, most likely as part of a manual process. The loader relies on WMI (Windows Management Instrumentation) to survive a reboot. However, Bitdefender notes that it does not attempt persistence in the usual sense, but rather ensures that the next stage is executed at startup; that stage in turn runs shellcode responsible for fetching and running the Sardonic backdoor.
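The defensive check a practitioner would want after reading this, as an added example (not code from the article or from Bitdefender): a PowerShell script that enumerates WMI permanent event subscriptions and flags executable consumers bound to a startup-style trigger. It assumes the loader uses a permanent subscription in root\subscription and an uptime-based filter, which the article does not specify; adapt the regexes to your own telemetry.

```powershell
# Added example, not from the article or Bitdefender's report. Lists WMI
# permanent event subscriptions (a common way to have code run at startup)
# and flags the ones whose consumer executes a command or script.
# Assumption: the loader uses a permanent subscription in root\subscription;
# the article only says "WMI", so treat the trigger heuristic as a starting point.
$ns = 'root\subscription'

$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
$consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

# Bindings store references such as __EventFilter.Name="X"; pull out the Name.
function Get-RefName([string]$ref) {
    if ($ref -match 'Name="([^"]*)"') { return $Matches[1] }
    return $ref
}

$findings = foreach ($b in $bindings) {
    $f = $filters   | Where-Object { $_.Name -eq (Get-RefName $b.Filter) }
    $c = $consumers | Where-Object { $_.Name -eq (Get-RefName $b.Consumer) }

    # Consumers that run something are the interesting ones; logging and
    # SMTP consumers are usually benign.
    $runs = $c.__CLASS -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
    # Filters keyed on system uptime are the classic "run shortly after boot" trigger.
    $boot = $f.Query -match 'SystemUpTime|Win32_PerfFormattedData_PerfOS_System'

    [pscustomobject]@{
        Filter     = $f.Name
        Query      = $f.Query
        Consumer   = $c.Name
        Type       = $c.__CLASS
        Payload    = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        Suspicious = $runs -and $boot
    }
}

$findings | Format-Table -AutoSize
$findings | Where-Object Suspicious | ForEach-Object {
    Write-Warning "Executable WMI subscription triggered at boot: $($_.Filter) -> $($_.Consumer)"
}
```

Run it elevated on the domain controllers and other hosts the article names as targets; a dangling binding (consumer or filter missing) shows up with empty fields and is worth a look on its own.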

Written in C++, the malware can gather system information, execute supplied commands, and can also load crafted DLLs and execute their functions, courtesy of a plugin system meant to expand its capabilities.

During its analysis of Sardonic, Bitdefender also identified a series of commands for which execution hasn’t been implemented, although the binary protocol parsing exists, which suggests that the project is still under development.

FIN8, Bitdefender points out, is known for taking breaks to refine its portfolio and techniques, and the new backdoor shows that the threat actor continues to strengthen its capabilities. Thus, organizations in sectors such as finance, hospitality, and retail, which are preferred FIN8 targets, should continuously scan their environments for potential compromise, the researchers say.

Related: New Version of ShellTea Backdoor Used by FIN8 Hacking Group

Related: Visa: North American Gas Stations Targeted in PoS Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
