A financially motivated cybercrime gang has breached and backdoored the network of a US financial organization with a new malware strain dubbed Sardonic by the Bitdefender researchers who first spotted it.
FIN8, the threat actor behind this incident, has been active since at least January 2016 and is known for targeting the retail, restaurant, hospitality, healthcare, and entertainment industries with the end goal of stealing payment card data from POS systems.
This threat actor's malicious arsenal includes a large collection of tools and tactics, ranging from POS malware (e.g., BadHatch, PoSlurp/PunchTrack, PowerSniff/PunchBuggy/ShellTea) to Windows zero-day exploits and spear-phishing.
Since FireEye first spotted them, FIN8 has orchestrated several large-scale but sporadic campaigns that impacted hundreds of organizations.
Backdoor still under development
Sardonic is a new C++-based backdoor that the FIN8 threat actors deployed on targets' systems, likely via social engineering or spear-phishing, two of the group's favorite attack methods.
While the malware is still under development, its functionality includes:
- System information harvesting.
- Command execution on compromised devices.
- A plugin system designed to load and execute additional malware payloads delivered as DLLs.
During the attack against the US financial institution, the backdoor was deployed and executed on victims' systems as part of a three-stage process using a PowerShell script, a .NET loader, and downloader shellcode.
As Bitdefender's researchers observed, the PowerShell script is copied manually onto compromised systems (hands-on-keyboard activity by the operators), while the loaders are delivered onto compromised devices via an automated process.
FIN8 operators also tried several times to install the Sardonic backdoor on Windows domain controllers in order to escalate privileges and move laterally through the organization's network.
Potential targets warned to be vigilant
Bitdefender urges organizations likely to be targeted by FIN8 (primarily financial, retail, and hospitality entities) to be on alert and check their networks for known FIN8 indicators of compromise.
"FIN8 continues to strengthen its capabilities and malware delivery infrastructure. The highly skilled financial threat actor is known to take long breaks to refine tools and tactics to avoid detection before it strikes viable targets," Bitdefender's Cyber Threat Intelligence Lab researchers concluded.
"Bitdefender recommends that companies in target verticals (retail, hospitality, finance) check for potential compromise by applying [the IoCs] to their EDR, XDR and other security defenses."
More details on Sardonic's inner workings and indicators of compromise (IOCs), including infrastructure information and malware hashes, can be found at the end of Bitdefender's whitepaper.
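The recommendation above is to apply the published file hashes and infrastructure indicators to existing defenses. For environments without EDR coverage on every host, a minimal sweep of the two indicator types the whitepaper is said to provide (malware hashes and C2 domains) looks like the following. This is an added example, not code from the article, from Bitdefender, or from the whitepaper; the hash, the domain and the DNS log lines are constructed placeholders, and the real IoCs from the whitepaper must be substituted before this is run against a real host or log store.

```python
"""IoC sweep: match file hashes and DNS-log hostnames against an indicator list.

Added example, not Bitdefender's code. IOC_SHA256 and IOC_DOMAINS hold
constructed placeholder values; replace them with the whitepaper's IoCs.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Iterable

# Constructed stand-in for a dropped loader; its hash plays the role of a
# published file-hash indicator. Hypothetical, not a real FIN8 sample.
SAMPLE_PAYLOAD = b"constructed stand-in for a dropped .NET loader"
IOC_SHA256 = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}

# Hypothetical C2 domain (reserved .invalid TLD). Any subdomain of a listed
# domain also counts as a hit; a lookalike such as "notexample-c2.invalid" does not.
IOC_DOMAINS = {"example-c2.invalid"}

# Hostname field in the constructed DNS-log format used below.
HOST_FIELD = re.compile(r"\bquery=([A-Za-z0-9.-]+)")


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_files(root: Path, ioc_hashes: set[str]) -> list[tuple[Path, str]]:
    """Return (path, sha256) for every regular file under root whose hash is an IoC."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = sha256_file(path)
            if digest in ioc_hashes:
                hits.append((path, digest))
    return hits


def host_matches(host: str, ioc_domains: set[str]) -> bool:
    """True for an exact match or a subdomain of an indicator domain (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def domain_hits(lines: Iterable[str], ioc_domains: set[str]) -> list[tuple[int, str]]:
    """Return (line number, queried host) for each log line that resolves an IoC domain."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = HOST_FIELD.search(line)
        if m and host_matches(m.group(1), ioc_domains):
            hits.append((n, m.group(1)))
    return hits


# Constructed DNS log lines, not captured traffic. Line 3 checks case and
# trailing-dot handling; line 4 is a lookalike that must not match.
SAMPLE_DNS_LOG = [
    "2021-08-25T10:12:01Z client=10.0.0.5 query=www.example.com type=A",
    "2021-08-25T10:12:07Z client=10.0.0.5 query=updates.example-c2.invalid type=A",
    "2021-08-25T10:13:42Z client=10.0.0.9 query=EXAMPLE-C2.INVALID. type=AAAA",
    "2021-08-25T10:14:00Z client=10.0.0.9 query=notexample-c2.invalid type=A",
]


def build_sample_tree(root: Path) -> None:
    """Write one matching file and one benign file under root (constructed data)."""
    (root / "tmp").mkdir(exist_ok=True)
    (root / "tmp" / "loader.bin").write_bytes(SAMPLE_PAYLOAD)
    (root / "readme.txt").write_text("benign file\n")


def demo() -> dict:
    """Run the sweep against a throwaway directory and the sample log; return both hit lists."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return {
            "files": scan_files(root, IOC_SHA256),
            "dns": domain_hits(SAMPLE_DNS_LOG, IOC_DOMAINS),
        }


if __name__ == "__main__":
    result = demo()
    for path, digest in result["files"]:
        print(f"FILE HIT  {path}  sha256={digest}")
    for n, host in result["dns"]:
        print(f"DNS HIT   line {n}: {host}")
```

Matching on the domain suffix rather than on an exact string is deliberate: C2 infrastructure is usually published as an apex domain while hosts resolve arbitrary subdomains of it. The `"." + d` boundary check is what keeps a registrable lookalike (a domain that merely ends in the same characters) from producing a false positive.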