The financially motivated threat actor FIN8 has been found using a previously undetected backdoor named ‘Sardonic’ on infected systems.
Researchers from cybersecurity firm Bitdefender spotted the new backdoor while investigating an unsuccessful attack conducted by FIN8 against an unnamed financial institution in the U.S.
Sardonic is a sophisticated backdoor that has a wide range of features designed to evade detection. Written in C++, it allows operators to gather system information, execute arbitrary commands, and load and execute additional plugins.
According to the experts, Sardonic is a project which is still under development and includes several components, some of which were compiled just before the attack.
The group, which has been active since 2016, leverages known malware such as PUNCHTRACK and BADHATCH to infect PoS systems and steal payment card data.
The group focuses on organizations in the insurance, retail, technology, and chemical industries in the U.S., Canada, South Africa, Puerto Rico, Panama, and Italy.
In the recent attack, the group was observed conducting reconnaissance on the target network to gather information for use in lateral movement and privilege escalation. The group also employed its BADHATCH backdoor.
According to a report published by Bitdefender, the BADHATCH loader was deployed using PowerShell scripts downloaded from the 104.168.237[.]21 IP address using the legitimate sslip.io service. It was used during the reconnaissance, lateral movement, privilege escalation and possibly impact stages.
There were multiple attempts to deploy the Sardonic backdoor on domain controllers in order to continue with privilege escalation and lateral movement, but the malicious command lines were blocked. Even though there weren’t any traces of BADHATCH on these high-value targets, one SQL server was identified where some artifacts indicate that the threat actors intended to deploy both backdoors.
The researchers recommend the following to minimize the impact of financial malware:
- Separate the PoS network from the ones used by employees or guests.
- Introduce cybersecurity awareness training for employees to help them spot phishing e-mails.
- Tune the e-mail security solution to automatically discard malicious or suspicious attachments.
- Integrate threat intelligence into existing SIEM or security controls for relevant Indicators of Compromise.
- Small and medium organizations without a dedicated security team should consider outsourcing security operations to Managed Detection and Response providers.
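The BADHATCH delivery described above (PowerShell scripts fetched from 104.168.237[.]21 through sslip.io) and the recommendation to feed Indicators of Compromise into existing controls suggest one concrete check. The following is an added example, not code from Bitdefender's report: it decodes sslip.io hostnames back to the IPv4 address they embed, so the defanged IP from the report can be matched even when the proxy log only records the hostname. The log line format, the client addresses and the URL paths are constructed assumptions.

```python
import re
import ipaddress

# Indicator quoted in the report, re-fanged (104.168.237[.]21 on the page).
KNOWN_BAD_IPS = {"104.168.237.21"}

# sslip.io answers any name that ends in an IPv4 address written with dots
# or dashes, optionally behind extra labels, e.g. 104-168-237-21.sslip.io
# or www.104.168.237.21.sslip.io. Hex and IPv6 forms are not handled here.
_SSLIP_RE = re.compile(
    r"(?:^|\.)(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})\.sslip\.io\.?$",
    re.IGNORECASE,
)


def sslip_to_ip(hostname):
    """Return the IPv4 address embedded in an sslip.io hostname, or None."""
    m = _SSLIP_RE.search(hostname.strip())
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(m.groups())))
    except ipaddress.AddressValueError:
        return None  # octet out of range, e.g. 999-1-1-1.sslip.io


def scan_proxy_log(lines, bad_ips=KNOWN_BAD_IPS):
    """Flag records whose destination is an sslip.io name for a known-bad IP.

    Assumed (constructed) record layout: <timestamp> <client> <dest_host> <path>.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed record, skip rather than crash
        ts, client, host, path = parts[:4]
        ip = sslip_to_ip(host)
        if ip in bad_ips:
            hits.append({"time": ts, "client": client, "host": host,
                         "ip": ip, "path": path})
    return hits


# Constructed sample proxy log: two sslip.io names for the reported IP, one
# benign sslip.io name for a private address, one unrelated host.
SAMPLE_LOG = [
    "2021-01-01T10:01:02Z 10.0.5.17 update.example.com /patch.cab",
    "2021-01-01T10:03:44Z 10.0.5.17 104-168-237-21.sslip.io /a/loader.ps1",
    "2021-01-01T10:03:50Z 10.0.5.20 www.104.168.237.21.sslip.io /b/next.ps1",
    "2021-01-01T10:05:00Z 10.0.5.21 10-0-0-1.sslip.io /index.html",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Pointing `scan_proxy_log` at real proxy or DNS logs (after adapting the record layout) gives a cheap retrospective hunt for the infrastructure named in the report, and the same decoder works for any other sslip.io-fronted indicator.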