The notorious APT group FIN8 breached networks and backdoored US firms with a modified C++-based Sardonic malware delivered through spear-phishing campaigns.
FIN8, an advanced persistent threat group, recently breached the network of a US financial firm and installed a backdoor on its systems using a modified, previously undocumented malware called Sardonic.
Security researchers at Bitdefender first detected the new strain of malware. Active since at least January 2016, it has targeted the restaurant, hospitality, healthcare, retail, and entertainment sectors to steal payment card details from POS systems.
The operator behind the Sardonic malware is highly capable of POS attacks using BadHatch, PoSlurp/PunchTrack, and PowerSniff/PunchBuggy/ShellTea, as well as Windows zero-day and spear-phishing attacks.
FIN8 has choreographed multiple large-scale but infrequent campaigns that have impacted hundreds of organizations since it was first detected by the security firm FireEye.
### Malware still under development
Sardonic is a modern C++-based backdoor that its operators deploy against victims via spear-phishing or social engineering. Although the malware is relatively new and still under development, it can already execute commands on compromised devices, collect system information, and, through a plugin system, load and run additional malware payloads distributed as DLLs.
The backdoor was deployed as part of a three-stage process involving a PowerShell script, a .NET loader, and downloader shellcode. According to the researchers at Bitdefender, the PowerShell code is entered manually on compromised systems, while the loaders are delivered through an automated process.
Bitdefender urged all at-risk organizations to stay alert and monitor their networks for the observed FIN8 indicators of compromise. Bitdefender's Cyber Threat Intelligence Lab researchers stated that "FIN8 continues to strengthen its capabilities and malware delivery infrastructure. The highly skilled financial threat actor is known to take long breaks to refine tools and tactics to avoid detection before it strikes viable targets."
APT groups have been actively targeting major firms, and incidents involving backdoor attacks have seen an enormous spike. Recently, security researchers from ESET detected a previously undocumented, modified backdoor dubbed SideWalk, used by the infamous APT group SparklingGoblin; those attacks targeted computer retail businesses with a modular backdoor.
Bitdefender also published a detailed report describing Sardonic's inner workings and indicators of compromise (IOCs), including infrastructure information and malware hashes, to alert the public.
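The article twice points defenders at the published IOCs (the call to monitor networks for FIN8 indicators, and the report's infrastructure information and malware hashes) without showing what a sweep against them looks like. The following is an added illustration written for this page, not code from Bitdefender or from the article: it hashes every file under a directory and matches the digests against an IOC hash set, and scans proxy/DNS-style log lines for IOC domains and IP addresses. Every indicator, log line and file in it is a constructed placeholder (the hash is derived from constructed sample bytes, the domains use the reserved `.example` TLD, the IPs come from RFC 5737 documentation ranges); a real sweep would substitute the values from the report.

```python
"""Sweep files and log lines against a set of indicators of compromise (IOCs).

Added example, not code from the article or from Bitdefender. All IOC values
below are constructed placeholders; replace them with the hashes, domains and
IPs from the published report.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# --- constructed placeholder IOCs -------------------------------------------
SAMPLE_PAYLOAD = b"constructed sample loader content"          # stands in for a known-bad file
SAMPLE_HASH = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()        # NOT a real Sardonic hash
IOC_SHA256 = {SAMPLE_HASH, "0" * 64}                            # second entry is a dummy placeholder
IOC_DOMAINS = {"c2-placeholder.example", "loader-placeholder.example"}
IOC_IPS = {"192.0.2.10", "198.51.100.7"}                        # RFC 5737 documentation addresses

# Constructed log lines in a generic "timestamp source action client -> destination" shape.
SAMPLE_LOG = [
    "2021-08-25T10:01:02Z proxy allow 10.0.0.5 -> c2-placeholder.example:443",
    "2021-08-25T10:01:05Z dns query 10.0.0.5 www.example.org",
    "2021-08-25T10:02:11Z fw deny 10.0.0.5 -> 198.51.100.7:8080",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(
    r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b", re.I
)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_files(root, ioc_hashes=IOC_SHA256):
    """Return [(path, sha256)] for every regular file under root whose digest is an IOC."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            h = sha256_file(p)
            if h in ioc_hashes:
                hits.append((str(p), h))
    return hits


def sweep_logs(lines, ioc_domains=IOC_DOMAINS, ioc_ips=IOC_IPS):
    """Return [(line_number, indicator)] for lines that mention an IOC IP or domain.

    Hostnames are lower-cased before comparison; IPs are compared verbatim.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in ioc_ips:
                hits.append((n, ip))
        for host in HOST_RE.findall(line.lower()):
            if host in ioc_domains:
                hits.append((n, host))
    return hits


def demo():
    """Build a throwaway directory with one matching and one benign file, run both sweeps."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "loader.bin").write_bytes(SAMPLE_PAYLOAD)      # constructed "bad" file
        (root / "readme.txt").write_bytes(b"benign content")   # constructed clean file
        return sweep_files(root), sweep_logs(SAMPLE_LOG)


if __name__ == "__main__":
    file_hits, log_hits = demo()
    print("file hits:", file_hits)
    print("log hits:", log_hits)
```

In practice the IOC sets would be loaded from the report rather than hard-coded, and the log scanner would be pointed at proxy, DNS and firewall exports covering the period of concern; hash matching only catches unmodified samples, so it complements rather than replaces behavioural monitoring of the PowerShell and loader stages the article describes.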