26 August 2021

FIN8 cybercriminal group adds new "Sardonic" backdoor to its arsenal


FIN8 cybercriminal group adds new "Sardonic" backdoor to its arsenal

FIN8, a financially motivated threat actor known for its attacks on companies in retail, hospitality, and entertainment industries, has been observed using a new backdoor, dubbed "Sardonic", in a recent unsuccessful attack against an unnamed financial institution in the U.S.

According to researchers at cybersecurity firm Bitdefender, the backdoor appears to be under active development and “is extremely potent and has a wide range of capabilities that help the threat actor leverage new malware on the fly without updating components.”

Written in C++, the Sardonic backdoor allows its operators to collect system information, execute arbitrary commands, and load and execute additional plugins.

Active since 2016, the FIN8 group has been leveraging known malware such as PUNCHTRACK and BADHATCH to infect PoS systems and steal payment card data.

In the most recent campaign analyzed by Bitdefender, the attackers conducted network reconnaissance, gathering information about the domain (users, domain controllers) and continued with lateral movement and privilege escalation.

“The BADHATCH loader was deployed using PowerShell scripts downloaded from the 104.168.237[.]21 IP address using the legitimate sslip.io service. It was used during the reconnaissance, lateral movement, privilege escalation and possibly impact stages,” the researchers said.

Bitdefender noted that the group had made multiple attempts to deploy the Sardonic backdoor on domain controllers in order to continue with privilege escalation and lateral movement, but the malicious command lines were blocked. The researchers said they had not observed BADHATCH being deployed on these targets, however, they found some artifacts indicating that the threat actors intended to deploy both backdoors.


Back to the list

Latest Posts

Windows MSHTML bug used in ransomware attacks, Microsoft says

Windows MSHTML bug used in ransomware attacks, Microsoft says

According to the Windows maker, in the wild exploitation of CVE-2021-40444 began on August 18.
17 September 2021
State-backed hackers actively exploiting recently disclosed Zoho RCE bug

State-backed hackers actively exploiting recently disclosed Zoho RCE bug

The targeted entities include academic institutions, defense contractors, as well as critical infrastructure entities.
17 September 2021
Free REvil/Sodinokibi ransomware universal decryptor released

Free REvil/Sodinokibi ransomware universal decryptor released

The tool works for all REvil victims whose files were encrypted in attacks prior to July 13, 2021.
17 September 2021
Featured vulnerabilities
Multiple vulnerabilities in cflinuxfs3
Medium Patched | 17 Sep, 2021
Information disclosure in cflinuxfs3
Medium Patched | 17 Sep, 2021
Information disclosure in Git
Medium Patched | 17 Sep, 2021
Multiple vulnerabilities in GLPI
Medium Patched | 17 Sep, 2021
Multiple vulnerabilities in cflinuxfs3
Medium Patched | 17 Sep, 2021