The financially motivated FIN8 advanced persistent threat group has resurfaced after one of its usual extended breaks, this time packing a dangerous new malware strain in its attack toolkit.
Researchers from Bitdefender discovered the backdoor while investigating an attempted attack against one of its customers and have named it "Sardonic." In a new report, the security vendor describes the new backdoor as an extremely potent threat with a wide range of capabilities allowing the threat actor to deliver malware tools as needed on victim networks without updating components.
Bogdan "Bob" Botezatu, director of threat research and reporting at Bitdefender, says the Sardonic backdoor is designed to give FIN8 actors a way to quickly upgrade the capabilities of an ongoing attack.
The FIN8 toolkit has so far been static in nature, meaning once the tools have been delivered on a target, bringing new tools to the system has been difficult without raising red flags. Sardonic fixes this issue by offering attackers a way to deploy new functionality in the form of modules that are run directly in memory. The approach decreases the odds of the malicious activity triggering unwanted attention from threat detection tools, Botezatu says.
"Sardonic lets attackers adjust to the existing environment and capabilities by allowing installation of additional malware," he says. "This is ideal for scenarios where attackers realize that some of the tools [that] they plan to use are not allowed due to local policies or local configuration and helps attackers update the Sardonic capabilities on the fly."
The FIN8 threat group has been observed targeting companies in the retail, hospitality, restaurant, and other sectors in multiple countries since at least early 2016.
The group has been associated with numerous attacks on point-of-sale (POS) networks belonging to organizations in the targeted sectors. In December 2019, Visa issued an advisory warning of the group attacking PoS networks belonging to two North American gas station merchants and one organization in the hospitality sector. The advisory described the FIN8 attacks as sophisticated in nature and different from usual card-skimming attacks at PoS terminals because they targeted the back-end systems that the victim organizations were using to process card transactions.
FIN8's usual tactic involves delivering malware via carefully crafted spear-phishing emails. However, Bitdefender says it's unclear how the group gained initial access to the network in its latest attack. The security vendor's investigation showed the threat actor had managed to compromise at least two user accounts. Once they gained access to the network, the attackers conducted network reconnaissance and used the Windows WMIC utility for lateral movement. As part of the attack chain, FIN8 used a new and improved version of BADHATCH, a sophisticated backdoor that it has deployed in numerous attacks against organizations in multiple industries in the US, Canada, Italy, South Africa, and other countries. Numerous attempts to load the Sardonic backdoor on domain controllers were, however, blocked.
Botezatu says the primary functions of Sardonic are to perform network reconnaissance, information gathering, lateral movement, and privilege escalation until the attackers reach the target network or devices. "The Sardonic backdoor helps attackers gain persistence and agility, as it supports the deployment of new modules by just issuing a command."
Bitdefender's analysis showed that Sardonic — dangerous as it is already — is still under development. That conclusion is based on the fact that the backdoor supports several commands that are not yet implemented and are likely to become available in future versions of the backdoor, Botezatu says. "While BADHATCH is more mature and has more features out of the box, the Sardonic backdoor uses a plug-in architecture that allows attackers to expand its functionality without having to update the malware and reinfect targets."