A cybercrime gang has breached a US financial institution’s network and installed a new backdoor dubbed Sardonic, according to Bitdefender researchers who first spotted it.
FIN8 is a threat actor that has been active since 2016. It is known for targeting various industries such as hospitality and healthcare.
This threat actor has a variety of tools and techniques that he can use to infect various devices. Some of these include but are not limited to, POS malware (e.g., BadHatch, PoSlurp/PunchTrack, PowerSniff/PunchBuggy/ShellTea), zero-day exploits, phishing, and other malware.
Since FireEye first detected the group, FIN8 has orchestrated several large-scale but sporadic campaigns. These campaigns have impacted hundreds of organizations.
Sardonic is a never-before-detected backdoor written in C++. FIN8 threat actor distributes it via social engineering or spear-phishing to infiltrate and steal data from targeted systems.
The malware is still under development and its functionality is still unclear. Its main goal is to harvest system information, drop further malware payloads delivered as DLLs, and execute commands on compromised devices.
During their attack against the US bank, the attackers used a PowerShell script and a .NET loader to execute the backdoor. The researchers also observed that the PowerShell script was copied and loaded manually onto compromised systems, but the loaders were delivered onto compromised devices automatically.
Researchers also noticed that FIN8 operators tried to install the Sardonic backdoor on Windows domain controllers to help them move through the network.
Security firm Bitdefender warns that organizations in the financial, retail, and hospitality sectors are at risk of getting targeted by FIN8 the most.
“FIN8 continues to strengthen its capabilities and malware delivery infrastructure. The highly skilled financial threat actor is known to take long breaks to refine tools and tactics to avoid detection before it strikes viable targets,” Bitdefender’s Cyber Threat Intelligence Lab researchers concluded. “Bitdefender recommends that companies in target verticals (retail, hospitality, finance) check for potential compromise by applying [the IoCs] to their EDR, XDR and other security defenses.”
Additional details on Sardonic’s indicators of compromise (IOCs), infrastructure info, malware hashes, and more can be found in Bitdefender’s whitepaper.