FIN8 cybercrime group used Sardonic backdoor in a recent attack

FIN8, a financially motivated threat actor known for targeting the retail, hospitality, and entertainment industries, has been seen installing a brand-new backdoor on compromised computers, showing that its operators are constantly retooling their malware arsenal to evade detection and stay under the radar. The threat actor was discovered deploying a previously undocumented backdoor dubbed 'Sardonic'.

While investigating an unsuccessful attempt by FIN8 against an undisclosed financial institution in the United States, researchers from cybersecurity firm Bitdefender discovered the new backdoor. Sardonic is a sophisticated backdoor with a variety of features that make it difficult to detect. It is written in C++ and allows its operators to collect system information, run arbitrary commands, and load and run additional plugins.

According to the researchers, Sardonic is a still-in-development project made up of multiple components, some of which were compiled shortly before the attack.

The group, active since 2016, infects point-of-sale (PoS) systems and steals credit card data using well-known malware such as PUNCHTRACK and BADHATCH.

The group focuses on organizations in the insurance, retail, technology, and chemical industries in the United States, Canada, South Africa, Puerto Rico, Panama, and Italy.

In the recent attack, the gang was observed conducting reconnaissance on the target network to gather information for use in the intrusion, as well as performing lateral movement and privilege escalation. The gang also used the BADHATCH backdoor.

According to the Bitdefender report, the BADHATCH loader was installed using PowerShell scripts downloaded from the 104.168.237[.]21 IP address via the legitimate sslip.io service. It was used during the reconnaissance, lateral movement, and privilege escalation stages, and possibly for impact.

Multiple attempts were made to implant the Sardonic backdoor on domain controllers in order to continue lateral movement and privilege escalation, but the malicious command lines were blocked. Although no BADHATCH traces were found on these high-value targets, one SQL server was found with artifacts indicating that the threat actors intended to use both backdoors.

To reduce the impact of financial malware, the researchers recommend the following:

  • Separate the PoS network from those used by employees or guests.
  • Give employees cybersecurity awareness training to help them identify phishing e-mails.
  • Configure the e-mail security solution so that malicious or suspicious attachments are automatically removed.
  • Integrate threat intelligence into the existing SIEM or security controls so that the relevant Indicators of Compromise are matched.
  • Small and medium-sized businesses that do not have a dedicated security team should consider outsourcing security operations to Managed Detection and Response vendors.
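The fourth recommendation, feeding the report's indicators into a SIEM, can be illustrated with a small detection routine. The following is an added example written for this article, not code from Bitdefender or from the report; it assumes a constructed four-field proxy-log format (timestamp, source host, method, URL) and relies on the fact that sslip.io, the public wildcard-DNS service named above, resolves to whatever IPv4 address is embedded in the hostname (dash- or dot-separated). The staging IP is the one the report names, un-defanged for matching; the log lines are constructed.

```python
"""Match constructed proxy-log lines against the indicator named in the report.

Added example, not Bitdefender's tooling. Assumptions: a simple
"timestamp src_host method url" proxy-log layout (constructed for this
example) and the documented sslip.io behaviour of returning the IPv4
address embedded in the hostname label.
"""
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Indicator from the report, defanged in the article as 104.168.237[.]21.
IOC_IPS = {"104.168.237.21"}

# sslip.io encodes an IPv4 address in the label before the domain,
# e.g. 104-168-237-21.sslip.io or 10.0.0.5.sslip.io
SSLIP_RE = re.compile(r"(?:^|\.)((?:\d{1,3}[.-]){3}\d{1,3})\.sslip\.io$")

# Constructed sample proxy log; hosts and timestamps are invented.
SAMPLE_LOG = """\
2021-08-25T10:01:02Z ws-0114 GET https://update.example.com/agent.msi
2021-08-25T10:03:17Z ws-0114 GET http://104-168-237-21.sslip.io/stage1.ps1
2021-08-25T10:03:19Z ws-0114 GET http://104.168.237.21/stage2.ps1
2021-08-25T10:05:44Z srv-sql01 GET https://10.0.0.5.sslip.io/health
"""


def sslip_target(hostname: str) -> Optional[str]:
    """Return the IPv4 address an sslip.io hostname resolves to, or None."""
    match = SSLIP_RE.search(hostname.lower())
    if not match:
        return None
    candidate = match.group(1).replace("-", ".")
    try:
        return str(ipaddress.IPv4Address(candidate))  # rejects e.g. 999.1.1.1
    except ipaddress.AddressValueError:
        return None


def classify_url(url: str) -> Optional[Dict[str, str]]:
    """Return a finding for one URL, or None if there is nothing to report."""
    host = (urlparse(url).hostname or "").rstrip(".")
    embedded = sslip_target(host)
    resolved = embedded or host  # literal-IP hosts compare directly
    if resolved in IOC_IPS:
        via = " via sslip.io" if embedded else ""
        return {"host": host, "ip": resolved, "severity": "high",
                "reason": "download from IP named in the report" + via}
    if embedded:
        # Any IP-in-hostname wildcard DNS is unusual in corporate traffic
        # and worth a look even when the address is not a known indicator.
        return {"host": host, "ip": embedded, "severity": "medium",
                "reason": "IP-in-hostname wildcard DNS (sslip.io)"}
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Run classify_url over every well-formed line and collect findings."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the constructed layout
        timestamp, src, _method, url = parts
        hit = classify_url(url)
        if hit:
            hit.update({"time": timestamp, "src": src})
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['severity']:6} {finding['time']} {finding['src']} "
              f"{finding['host']} -> {finding['ip']} ({finding['reason']})")
```

The point of resolving the sslip.io label locally is that a plain string match on the defanged IP would miss the first download, where the address only appears encoded in the hostname; the medium-severity rule catches the same technique with addresses not yet on any list.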
