
FIN8 Hackers Add ‘Sardonic’ Backdoor to Malware Arsenal

The financially motivated threat actor tracked as FIN8 has added a potent new backdoor to its arsenal and is already using it in attacks in the wild, according to researchers at endpoint security firm Bitdefender.

Active since at least 2016, FIN8 built its reputation by targeting point-of-sale systems, but appears to have strengthened its portfolio with a more potent utility.

Referred to as Sardonic, the new piece of malware consists of several components, including the backdoor itself, a loader, and some scripts. Still under development, Sardonic was observed in the wild with its components compiled just before launch, Bitdefender says.

FIN8 is known for the use of spear-phishing and social engineering tactics for initial access to a victim’s network, and the same might have been used in this attack as well. Next, the adversary performs reconnaissance and lateral movement, complemented by privilege escalation.

The attackers used the BADHATCH loader during these stages, and then attempted to deploy the Sardonic backdoor on domain controllers to further spread onto the network.

Deployment begins with running the Sardonic loader, most likely as part of a manual process. The loader would achieve persistence using WMI (Windows Management Instrumentation). However, Bitdefender notes that it does not attempt persistence itself, but rather ensures that the next stage is executed at startup, which in turn executes shellcode responsible for fetching and running the Sardonic backdoor.
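The article says the loader relies on WMI to get its next stage run at startup. The script below is an added example, not code from the article or from Bitdefender, of the check a defender would run on a Windows host: a read-only PowerShell enumeration of permanent WMI event subscriptions (filter to consumer bindings) in root\subscription, with each binding's trigger query and consumer payload listed side by side. The trigger and payload regexes and the benign allow-list are assumptions made for this example, not indicators from the Bitdefender report; tune them to your environment.

```powershell
# Added example, not code from the article or from Bitdefender: read-only
# enumeration of permanent WMI event subscriptions (filter -> consumer bindings)
# in root\subscription, the mechanism the article says the Sardonic loader uses
# to have its next stage run at startup. Run elevated; nothing is modified.

$ns = 'root\subscription'

function Get-RefName {
    # Binding references arrive as a CimInstance (Get-CimInstance) or as a
    # string such as __EventFilter.Name="foo" (older tooling); return "foo".
    param($ref)
    if ($ref -is [string]) {
        if ($ref -match 'Name="([^"]+)"') { return $Matches[1] }
        return $ref
    }
    return $ref.Name
}

$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) +
             @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)

# Heuristics (assumptions for this example, not indicators from the article):
# uptime-window queries are the classic "run shortly after boot" trigger, and a
# consumer that spawns a script host or references a user-writable path
# deserves a closer look.
$triggerPattern = 'SystemUpTime|Win32_PerfFormattedData_PerfOS_System|__InstanceCreationEvent'
$payloadPattern = 'powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|\\Temp\\|\\AppData\\'
# The SCM event log binding ships with Windows; name-based allow-list (assumption).
$knownBenign    = @('SCM Event Log Consumer')

$report = foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
    $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1

    # CommandLineEventConsumer carries CommandLineTemplate;
    # ActiveScriptEventConsumer carries ScriptText.
    $payload = if ($c) {
        if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
    } else { '<consumer not found>' }
    $query = if ($f) { $f.Query } else { '<filter not found>' }

    $reasons = @()
    if ($query   -match $triggerPattern) { $reasons += 'boot/creation trigger' }
    if ($payload -match $payloadPattern) { $reasons += 'script host or user-writable path' }
    if ($c -and $c.CimClass.CimClassName -eq 'ActiveScriptEventConsumer') { $reasons += 'inline script consumer' }
    if ($knownBenign -contains $cName) { $reasons = @() }

    [pscustomobject]@{
        Filter     = $fName
        Consumer   = $cName
        Query      = $query
        Payload    = $payload
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

$report | Sort-Object -Property Suspicious -Descending | Format-List
if (-not $bindings) { Write-Host "No __FilterToConsumerBinding instances found in $ns." }
```

Every binding is printed, not only flagged ones, because an attacker-controlled consumer need not match any pattern; the value of the check is that each host's complete subscription list is small enough to review by hand, and a binding nobody can account for is the finding. Running it across the fleet on a schedule and diffing against a known-good baseline gives the continuous scanning the researchers recommend.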

Written in C++, the malware can gather system information, execute supplied commands, and can also load crafted DLLs and execute their functions, courtesy of a plugin system meant to expand its capabilities.

During its analysis of Sardonic, Bitdefender also identified a series of commands for which execution hasn’t been implemented, although the binary protocol parsing exists, which suggests that the project is still under development.

FIN8, Bitdefender points out, is known for taking breaks to refine its portfolio and techniques, and the new backdoor shows that the threat actor continues to strengthen its capabilities. Thus, organizations in sectors such as finance, hospitality, and retail, which are preferred FIN8 targets, should continuously scan their environments for potential compromise, the researchers say.

Related: New Version of ShellTea Backdoor Used by FIN8 Hacking Group

Related: Visa: North American Gas Stations Targeted in PoS Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
