
Sardonic

FIN8

Backdoor


FIN8 APT Group Backdooring US firms via a new, undocumented malware, Sardonic

The notorious APT group FIN8 breached the network of a US financial organization and backdoored its systems with a modified C++ malware, Sardonic, delivered through spear-phishing campaigns...

26-Aug-2021
3 min read

FIN8, an advanced persistent threat group, recently breached the network of a US financial firm and installed backdoors on its systems using a modified, previously undocumented malware, Sardonic.

Security researchers at Bitdefender were the first to document the new strain. The group behind it has been active since at least January 2016 and has targeted the restaurant, hospitality, healthcare, retail, and entertainment sectors to steal payment card data from point-of-sale (POS) systems.

The operator behind Sardonic has a long track record of POS attacks using tools such as BadHatch, PoSlurp/PunchTrack, and PowerSniff/PunchBuggy/ShellTea, as well as exploitation of Windows zero-days and spear-phishing.

Since the security firm FireEye first documented the group, FIN8 has run several large-scale but sporadic campaigns that have impacted hundreds of organizations.

### Malware still under development

Sardonic is a modern C++ backdoor that its operators deploy against victims via spear-phishing or social engineering. Although the malware is relatively new and still under development, it already supports command execution on compromised hosts, collection of system information, and a plugin system designed to load and execute additional payloads delivered as DLLs.

The backdoor is deployed through a three-stage process consisting of a PowerShell script, a .NET loader, and downloader shellcode. According to Bitdefender's researchers, the PowerShell script is copied onto compromised systems manually, while the loaders are delivered through an automated process.

Sardonic backdoor execution flow

Bitdefender urged organizations in the targeted sectors to monitor their networks for the observed FIN8 indicators of compromise. Researchers at Bitdefender's Cyber Threat Intelligence Lab stated that "FIN8 continues to strengthen its capabilities and malware delivery infrastructure. The highly skilled financial threat actor is known to take long breaks to refine tools and tactics to avoid detection before it strikes viable targets."

APT groups continue to target major firms, and incidents involving backdoors have risen sharply. Recently, security researchers from ESET detected a previously undocumented modular backdoor, dubbed SideWalk, used by the APT group SparklingGoblin in attacks aimed at computer retail businesses.

Bitdefender also published a detailed report covering Sardonic's inner workings and indicators of compromise (IOCs), including infrastructure details and malware hashes, so that defenders can hunt for the threat in their own environments.
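The practical follow-up to a report like this is a hash sweep: take the vendor's list of malware hashes and check every file under a directory tree against it. The script below is an added example written for this page, not Bitdefender's tooling and not code from the report; the indicator list it parses and the files it scans are constructed in `demo_sweep()` purely so the example runs offline, and the digests in it are not Sardonic indicators. It parses a simple `ALGORITHM HEXDIGEST` report format (an assumption; vendor reports vary), hashes each file once while feeding every listed algorithm, and skips unreadable files rather than aborting the sweep.

```python
"""Sweep a directory for files whose hashes appear on a vendor IoC list."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read files in 1 MiB chunks so large binaries do not load into memory


def parse_ioc_report(text):
    """Parse 'ALGO HEXDIGEST' lines into {algo: set(lowercase hex)}.

    Blank lines and '#' comments are ignored; algorithm names and digests are
    normalised to lowercase because reports mix cases freely.
    """
    iocs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"malformed IoC line: {raw!r}")
        algo, digest = parts[0].lower(), parts[1].lower()
        if algo not in hashlib.algorithms_available:
            raise ValueError(f"unsupported hash algorithm: {algo}")
        iocs.setdefault(algo, set()).add(digest)
    return iocs


def hash_file(path, algos):
    """Hash one file for every algorithm in algos with a single pass over the data."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def sweep(root, iocs):
    """Walk root and return sorted (path, algo, digest) tuples for every IoC hit."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path, iocs.keys())
            except OSError:
                continue  # locked or unreadable file: skip it, keep sweeping
            for algo, digest in digests.items():
                if digest in iocs[algo]:
                    hits.append((path, algo, digest))
    return sorted(hits)


def demo_sweep():
    """Constructed scenario: two files on disk, one of which matches a listed hash.

    Returns [(relative_path, algo), ...] for the hits found.
    """
    bad_payload = b"constructed sample standing in for a listed loader"
    good_payload = b"constructed sample that is not on the IoC list"
    # Constructed indicator list in the assumed report format; the SHA-256 entry
    # is deliberately upper-case to exercise normalisation.
    report = (
        "# constructed IoC list for this example, not Sardonic indicators\n"
        f"SHA256 {hashlib.sha256(bad_payload).hexdigest().upper()}\n"
        f"sha1 {hashlib.sha1(b'another constructed indicator').hexdigest()}\n"
    )
    iocs = parse_ioc_report(report)
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "sub", "loader.dll"), "wb") as fh:
            fh.write(bad_payload)
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(good_payload)
        hits = sweep(root, iocs)
        return [(os.path.relpath(path, root), algo) for path, algo, _ in hits]


if __name__ == "__main__":
    for rel_path, algo in demo_sweep():
        print(f"IoC hit ({algo}): {rel_path}")
```

To use it against a real report, replace the constructed `report` text with the vendor's hash list and point `sweep()` at the volumes you want to check. Hash matching only catches the exact samples the vendor saw; since the page notes that Sardonic is still under development, pair it with the infrastructure indicators from the report and with behavioural monitoring of PowerShell and .NET loader activity rather than relying on file hashes alone.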