A financially motivated threat actor notorious for setting its sights on retail, hospitality, and entertainment industries has been observed deploying a completely new backdoor on infected systems, indicating the operators are continuously retooling their malware arsenal to avoid detection and stay under the radar.
The previously undocumented malware has been dubbed “Sardonic” by Romanian cybersecurity technology company Bitdefender, which it encountered during a forensic investigation in the wake of an unsuccessful attack carried out by FIN8 aimed at an unnamed financial institution located in the U.S.
Said to be under active development, “Sardonic backdoor is extremely potent and has a wide range of capabilities that help the threat actor leverage new malware on the fly without updating components,” Bitdefender researchers Eduard Budaca and Victor Vrabie said in a report shared with The Hacker News.
Since emerging on the scene in January 2016, FIN8 has leveraged a multitude of techniques such as spear-phishing and malicious software such as PUNCHTRACK and BADHATCH to steal payment card data from point-of-sale (POS) systems.
The threat group, which is known for taking extended breaks in between campaigns to fine-tune its tactics and increase the success rate of its operations, conducts cyber incursions primarily through “living off the land” attacks, using built-in tools and interfaces like PowerShell as well as taking advantage of legitimate services like sslip.io to disguise their activity.
Earlier this March, Bitdefender revealed FIN8’s return after a year-and-a-half hiatus to target insurance, retail, technology, and chemical industries in the U.S., Canada, South Africa, Puerto Rico, Panama, and Italy with a revamped version of the BADHATCH implant featuring upgraded capabilities, including screen capturing, proxy tunneling, credential theft, and fileless execution.
In the latest incident analyzed by the firm, the attackers are said to have infiltrated the target network to conduct detailed reconnaissance, before carrying out lateral movement and privilege escalation activities to deploy the malware payload. “There were multiple attempts to deploy the Sardonic backdoor on domain controllers in order to continue with privilege escalation and lateral movement, but the malicious command lines were blocked,” the researchers said.
Written in C++, Sardonic not only takes steps to establish persistence on the compromised machine, but also comes equipped with capabilities that allow it to obtain system information, execute arbitrary commands, and load and execute additional plugins, the results of which are transmitted to a remote attacker-controlled server.
If anything, the latest development is yet another sign of FIN8’s shift in tactics by strengthening its capabilities and malware delivery infrastructure. To mitigate the risk associated with financial malware, companies are recommended to separate their POS networks from those used by employees or guests, train employees to better spot phishing emails, and improve email security solutions to filter potentially suspicious attachments.