A commercially motivated cybercrime group has hijacked and backdoored the network of a US financial organization with a new malware known as Sardonic by Bitdefender investigators who initially highlighted it. FIN8, the attackers behind this incident, has been active since at least January 2016 and is known for targeting retails, restaurant, and hospitality, healthcare, and entertainment industries with the end goal of hijacking payment card information from POS systems.

This threat actor’s malicious arsenals consist of a large combination of tools and technologies, ranging from POS Trojan e.g., BadHatch, PoSlurp/PunchTrack, PowerSniff/PunchBuggy/ShellTea to Windows zero-day exploits and spear-phishing. Since FireEye first highlighted them, FIN8 has managed multiple large-scale but sporadic campaigns that harmed hundreds of associations.

Backdoor Still under Evolution

Sardonic is an advanced C++-based backdoor the FIN8 threat actor set up on targets’ systems likely through social engineering or spear-phishing, two of the group’s favorite attack methods.

While the Trojan is still under enhancement, its processing includes:

• System information harvesting
• Command execution on compromised devices
• And a plugin system designed to load and execute further malware payloads delivered as DLLs

In the attack against the US bank, the backdoor was set up and executed onto the victims’ system as part of a three-stage procedure using a PowerShell script, a NET loader, and a downloader shellcode.

As Bitdefender’s investigators observed, the PowerShell script is coped manually onto the negotiated devices through an automated process. FIN8 operators also tried numerous times to install the Sardonic backdoor on Windows domain controllers to escalate privilege and move laterally through the association’s network.

Probable Targets Alerted to be Anxious

Bitdefender urges various associations at risk of being targeted by FIN8 (primarily financial, retail, hospitality entities) to be on warning and check their networks for known FIN8 indicators of negotiation.

“FIN8 continues to strengthen its capabilities and malware transmission infrastructure. The highly skilled financial threat actor is known to take long breaks to refine tools and tactics to avoid assessments before it strikes applicable targets,” Bitdefender’s Cyber Threat Intelligence Lab researchers concluded.  

“Bitdefender suggested that organizations in target verticals (retail, hospitality, finance) check for probable negotiation by applying the IoCs to their EDR, XDR and other security defenses.” Additional details on Sardonic’s inner workings and indicators of compromise (IOCs), including infrastructure information and malware stew, can be discovered at the end of Bitdefender’s whitepaper.