FIN8 has added a potent new backdoor to its arsenal and is already using it in attacks in the wild. The group, which targets POS systems, appears to have strengthened its portfolio with a more potent utility.
Referred to as Sardonic, the malware consists of several components, including the backdoor, a loader, and some scripts. Still under development, Sardonic was observed in the wild with its components compiled just before launch.
FIN8 is known for using spear-phishing and social engineering tactics to gain initial access to a victim’s network, and the same may have been used in this attack as well. The group then performs reconnaissance and lateral movement, complemented by privilege escalation.
The attackers used the BADHATCH loader during these stages, and then attempted to deploy the Sardonic backdoor on domain controllers to further spread onto the network.
Deployment begins with running the Sardonic loader, most likely as part of a manual process. The loader does not attempt persistence; instead, it uses WMI to ensure the next stage is executed at startup, and that stage in turn executes shellcode responsible for fetching and running the Sardonic backdoor.
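Because the chain above relies on WMI to start the next stage, the process that WMI launches shows up with WmiPrvSE.exe as its parent. The following triage routine is an added example (it is not part of this article and is not FIN8 or Sardonic code): it walks a handful of constructed Sysmon-style process-creation records and flags script hosts spawned by WMI whose command lines look like in-memory staging. Field names follow Sysmon Event ID 1; the sample records, the scoring weights and the threshold are assumptions chosen for illustration.

```python
"""Triage process-creation events for WMI-launched script hosts.

Added example: the event records below are constructed, not real telemetry.
"""
import ntpath
import re
from dataclasses import dataclass

# Interpreters and LOLBins commonly used to run a loader stage (assumed list)
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}
# Processes created through WMI (Win32_Process.Create) inherit this parent
WMI_HOST = "wmiprvse.exe"
# Loose command-line indicators of in-memory staging (assumed patterns)
SUSPICIOUS_CMD = re.compile(
    r"(?i)(-enc(odedcommand)?\b|\biex\b|downloadstring|frombase64string)"
)


@dataclass
class ProcessEvent:
    """Subset of Sysmon Event ID 1 fields relevant to this check."""
    utc_time: str
    image: str
    parent_image: str
    command_line: str
    user: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def score_event(ev: ProcessEvent):
    """Return (score, reasons) for one event; higher means more suspicious."""
    score, reasons = 0, []
    if basename(ev.parent_image) == WMI_HOST:
        score += 1
        reasons.append("parent is WmiPrvSE.exe (WMI-initiated execution)")
        if basename(ev.image) in SCRIPT_HOSTS:
            score += 2
            reasons.append(f"WMI spawned script host {basename(ev.image)}")
    if SUSPICIOUS_CMD.search(ev.command_line):
        score += 1
        reasons.append("command line contains encoded/in-memory staging keywords")
    return score, reasons


def triage(events, threshold: int = 3):
    """Return [(event, score, reasons)] for events at or above the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits


# Constructed sample records (not captured from a real incident)
SAMPLE_EVENTS = [
    ProcessEvent("2021-01-01 10:00:00", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 "powershell.exe -NoP -W Hidden -enc JABzAD0AJwBzAHQAYQBnAGUAJwA=",
                 r"NT AUTHORITY\SYSTEM"),
    ProcessEvent("2021-01-01 10:01:00", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe",
                 "powershell.exe -File C:\\Scripts\\backup.ps1",
                 r"CORP\analyst"),
    ProcessEvent("2021-01-01 10:02:00", r"C:\Windows\System32\msiexec.exe",
                 r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 "msiexec.exe /i C:\\Deploy\\agent.msi /qn",
                 r"NT AUTHORITY\SYSTEM"),
    ProcessEvent("2021-01-01 10:03:00", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r"C:\Windows\System32\svchost.exe",
                 "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
                 r"NT AUTHORITY\NETWORK SERVICE"),
]

if __name__ == "__main__":
    for ev, score, reasons in triage(SAMPLE_EVENTS):
        print(f"[{score}] {ev.utc_time} {ev.user}: {ev.command_line}")
        for r in reasons:
            print("    -", r)
```

Only the first record crosses the threshold: a WMI-launched PowerShell with an encoded command. The msiexec record scores 1 (WMI parent alone is routine for software deployment), which is why the check combines parent, child and command-line signals rather than alerting on WmiPrvSE.exe children alone.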
Written in C++, the malware can gather system information, execute supplied commands, and can also load crafted DLLs and execute their functions, courtesy of a plugin system meant to expand its capabilities.
FIN8 is known for taking breaks to refine its portfolio and techniques, and the new backdoor shows that the threat actor continues to strengthen its capabilities. Thus, organizations should continuously scan their environments for potential compromise and stay vigilant.