FIN8 Hackers Add ‘Sardonic’ Backdoor to Malware Arsenal
The financially motivated threat actor tracked as FIN8 has added a potent new backdoor to its arsenal and is already using it in attacks in the wild, according to researchers at endpoint security firm Bitdefender.
Active since at least 2016, FIN8 made a reputation for itself with the targeting of point-of-sale systems, but appears to have strengthened its portfolio with a more potent utility.
Referred to as Sardonic, the new piece of malware consists of several components, including the backdoor itself, a loader, and some scripts. Still under development, Sardonic was observed in the wild with its components compiled just before launch, Bitdefender says.
FIN8 is known for the use of spear-phishing and social engineering tactics for initial access to a victim’s network, and the same might have been used in this attack as well. Next, the adversary performs reconnaissance and lateral movement, complemented by privilege escalation.
The attackers used the BADHATCH loader during these stages, and then attempted to deploy the Sardonic backdoor on domain controllers to further spread onto the network.
Deployment begins with running the Sardonic loader, most likely as part of a manual process. The loader would achieve persistence using WMI (Windows Management Instrumentation). However, Bitdefender notes that the loader itself does not attempt persistence; its purpose is to ensure that the next stage is executed at startup, which in turn executes shellcode responsible for fetching and running the Sardonic backdoor.
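Because the article only states that the loader relies on WMI to get the next stage executed at startup, a defender's first check is to enumerate the permanent WMI event subscriptions on a suspect host. The following is an added example, not code from the article or from Bitdefender's report; it assumes the WMI usage takes the form of a permanent event subscription in the standard root/subscription namespace (the article does not specify the exact mechanism) and should be run elevated for complete results.

```powershell
# Added example: list every permanent WMI event subscription with its
# trigger query and the command or script it runs, so an analyst can judge
# whether a binding is a legitimate management task or a startup launcher.
# Assumption: subscriptions live in the standard root/subscription namespace.
$ns = 'root/subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

foreach ($b in $bindings) {
    # Filter and Consumer are reference strings such as __EventFilter.Name="x";
    # extract the quoted name to match them back to the actual objects.
    $fName = ($b.Filter   -split '"')[1]
    $cName = ($b.Consumer -split '"')[1]
    $f = $filters   | Where-Object Name -eq $fName
    $c = $consumers | Where-Object Name -eq $cName

    [pscustomobject]@{
        FilterName   = $fName
        # The WQL query decides when the consumer fires; startup launchers
        # typically key on system uptime or boot-time events.
        FilterQuery  = $f.Query
        ConsumerType = $c.CimClass.CimClassName
        # CommandLineEventConsumer carries a command line; ActiveScriptEventConsumer
        # carries inline script text. Either one is what actually gets executed.
        Payload      = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
    }
}
```

On a clean workstation this typically returns nothing or only well-known management subscriptions; any binding whose payload launches an interpreter, a DLL loader, or an unfamiliar binary from a user-writable path warrants a closer look.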
Written in C++, the malware can gather system information, execute supplied commands, and can also load crafted DLLs and execute their functions, courtesy of a plugin system meant to expand its capabilities.
During its analysis of Sardonic, Bitdefender also identified a series of commands for which execution hasn’t been implemented, although the binary protocol parsing exists, which suggests that the project is still under development.
FIN8, Bitdefender points out, is known for taking breaks to refine its portfolio and techniques, and the new backdoor shows that the threat actor continues to strengthen its capabilities. Thus, organizations in sectors such as finance, hospitality, and retail, which are preferred FIN8 targets, should continuously scan their environments for potential compromise, the researchers say.