
Sardonic Backdoor

The FIN8 cybergang is back with a new attack campaign and new malware threats in its arsenal. The latest victim of this financially motivated threat actor is a US financial organization, and more specifically a bank. As part of the attack, FIN8 has deployed a previously unknown malware threat dubbed Sardonic.

FIN8 has been around since at least 2016 and in that period has alternated between periods of activity and relative dormancy. While inactive, the hackers usually work on updating and improving their malicious toolset. The group has targeted victims across a wide range of industry sectors, including retail, healthcare, entertainment, restaurants and hospitality. FIN8's goal is to collect payment card data from the victim's POS systems.

Sardonic is Still under Development

Despite being used in a live operation against a chosen target, Sardonic is not a fully completed malware threat, as it bears signs of still being under active development. That doesn't stop it from being a potent backdoor capable of carrying out several harmful activities on the compromised systems.

Written in C++, Sardonic consists of several components that appear to have been compiled right before the attack. As an initial infection vector, the hackers most likely used social-engineering tactics and spear-phishing methods. This conjecture is further supported by the fact that the initial-stage loader, a PowerShell script, appears to have been copied to the breached devices manually.

The attack chain then goes through two further phases, involving the automatic delivery of a .NET loader and downloader shellcode, before the final Sardonic payload is executed. Once established on the system, the threat can obtain information from the device, execute arbitrary commands, and deploy additional malware payloads via a plugin system.
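The staged chain described above (a PowerShell script run from a path it was dropped into, followed by a loader and a download) is the kind of sequence a defender can surface by correlating process lineage with network activity. The following is an added illustration, not code from the original page or from any vendor: it runs a simple heuristic over constructed Sysmon-style events. The field names, the five-minute window, the list of user-writable paths and the sample events themselves are all assumptions made for the example.

```python
"""Process-lineage correlation for a staged PowerShell -> loader -> download chain.

Added illustration, not code from the original page. The events below are
constructed Sysmon-style records, not telemetry from the FIN8/Sardonic case;
field names, path list and the time window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: a PowerShell script launched from a
# user-writable path, a child process, and an outbound connection from
# that child; plus a benign admin script with no network follow-up.
SAMPLE_EVENTS = [
    {"type": "process", "time": "2021-01-01T10:00:00", "pid": 100, "ppid": 10,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\alice\AppData\Local\Temp\stage1.ps1"},
    {"type": "process", "time": "2021-01-01T10:00:05", "pid": 101, "ppid": 100,
     "image": r"C:\Users\alice\AppData\Local\Temp\loader.exe", "cmdline": "loader.exe"},
    {"type": "network", "time": "2021-01-01T10:00:09", "pid": 101, "dest": "203.0.113.10:443"},
    {"type": "process", "time": "2021-01-01T11:00:00", "pid": 200, "ppid": 20,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Program Files\Ops\backup.ps1"},
]

# Assumed: directories an ordinary user can write to (lower-cased fragments).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
# Assumed: how long after the script launch a download still counts as related.
WINDOW = timedelta(minutes=5)


def _ts(value):
    return datetime.fromisoformat(value)


def is_suspicious_powershell(ev):
    """PowerShell started with a script file located in a user-writable path."""
    if ev["type"] != "process":
        return False
    if not ev["image"].lower().endswith("powershell.exe"):
        return False
    cmd = ev["cmdline"].lower()
    return "-file" in cmd and any(frag in cmd for frag in USER_WRITABLE)


def descendants(root_pid, procs):
    """All pids in the process subtree rooted at root_pid, root included."""
    children = defaultdict(list)
    for ev in procs:
        children[ev["ppid"]].append(ev["pid"])
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        stack.extend(children[pid])
    return seen


def find_staged_chains(events):
    """Alert when a suspicious PowerShell launch is followed, within WINDOW,
    by an outbound connection from itself or one of its descendants."""
    procs = [e for e in events if e["type"] == "process"]
    nets = [e for e in events if e["type"] == "network"]
    alerts = []
    for ps in procs:
        if not is_suspicious_powershell(ps):
            continue
        tree = descendants(ps["pid"], procs)
        start = _ts(ps["time"])
        for net in nets:
            if net["pid"] in tree and start <= _ts(net["time"]) <= start + WINDOW:
                alerts.append({"root_pid": ps["pid"], "script": ps["cmdline"],
                               "net_pid": net["pid"], "dest": net["dest"]})
    return alerts


if __name__ == "__main__":
    for alert in find_staged_chains(SAMPLE_EVENTS):
        print(alert)
```

The benign scheduled backup script is ignored twice over: its path is not user-writable and nothing in its process tree reaches the network. In a real deployment the path list and window would be tuned to the environment, and the rule would be one signal among several rather than a verdict on its own.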
