Heimdal Security Blog

US Bank Impacted By FIN8 Threat Actor with New Sardonic Backdoor

An American financial institution had its systems breached and backdoored in an attack attributed to the FIN8 group. The previously undocumented malware used in the attack has been named Sardonic by the Bitdefender researchers who analysed it.

FIN8 Mode of Operation

First spotted at the beginning of 2016, the financially motivated group FIN8 is known for running tailored spear-phishing campaigns that mostly target the healthcare, entertainment, retail, and hospitality industries.

In these campaigns the group used the PunchBuggy downloader and the PunchTrack POS malware to steal payment card data from Point-of-Sale (POS) systems.

In addition to tools such as PunchBuggy, BadHatch, and PunchTrack, the gang's arsenal also includes Windows zero-day exploits and spear-phishing.

According to FireEye, over 100 North American companies have been impacted by the FIN8 phishing operation.

Sardonic is a new C++-based backdoor that FIN8 deploys on victims' networks after gaining access through spear-phishing or social engineering. Bitdefender's researchers assess that the project is still under active development and expect further updates to follow.

The backdoor can collect system information, execute arbitrary commands on the compromised host, and load and run additional plugins; the results are sent back to an attacker-controlled server.

According to BleepingComputer, in the attack on the US financial institution the backdoor was delivered onto the target's network in stages: a PowerShell script, a .NET loader, and downloader shellcode.

Researchers said:

There were multiple attempts to deploy the Sardonic backdoor on domain controllers in order to continue with privilege escalation and lateral movement, but the malicious command lines were blocked.

Financial, retail, and hospitality organizations are advised to stay alert and check their systems for known FIN8 Indicators of Compromise (IOCs).

In order to reduce the risk from financial malware, organizations are urged to:

FIN8 continues to strengthen its capabilities and malware delivery infrastructure. The highly skilled, financially motivated actor is known to take long breaks to refine its tools and tactics and evade detection before striking viable targets.
