FIN8 group used a previously undetected Sardonic backdoor in a recent attack


Financially motivated threat actor FIN8 employed a previously undocumented backdoor, tracked as ‘Sardonic,’ in recent attacks.

The backdoor was spotted by researchers from cybersecurity firm Bitdefender while investigating an unsuccessful attack carried out by FIN8 against an unnamed financial institution in the U.S.

Sardonic is a sophisticated backdoor with a wide range of features and was designed to evade detection. According to the researchers, Sardonic is still under development and includes several components, some of which were compiled just before the attack.

The group has been active since 2016 and leverages known malware such as PUNCHTRACK and BADHATCH to infect PoS systems and steal payment card data.

The group's activity was spotted again in March, after more than a year of apparent inactivity. The group focuses on organizations in the insurance, retail, technology, and chemical industries in the U.S., Canada, South Africa, Puerto Rico, Panama, and Italy.

In the most recent attack investigated by Bitdefender, the group conducted reconnaissance on the target network to gather information for lateral movement and privilege escalation. The group also employed its BADHATCH backdoor.

“The BADHATCH loader was deployed using PowerShell scripts downloaded from the 104.168.237[.]21 IP address using the legitimate sslip.io service. It was used during the reconnaissance, lateral movement, privilege escalation and possibly impact stages. There were multiple attempts to deploy the Sardonic backdoor on domain controllers in order to continue with privilege escalation and lateral movement, but the malicious command lines were blocked. We saw no traces of BADHATCH on these high-value targets. However, we identified one SQL server where some artifacts indicate that the threat actors intended to deploy both backdoors.” reads the report published by Bitdefender.


Sardonic is written in C++. It allows operators to gather system information, execute arbitrary commands, and load and execute additional plugins.

Below are the recommendations provided by the researchers to minimize the impact of financial malware:

• Separate the PoS network from the ones used by employees or guests.
• Introduce cybersecurity awareness training for employees to help them spot phishing e-mails.
• Tune the e-mail security solution to automatically discard malicious or suspicious attachments.
• Integrate threat intelligence into existing SIEM or security controls for relevant Indicators of Compromise.
• Small and medium organizations without a dedicated security team should consider outsourcing security operations to Managed Detection and Response providers.


Pierluigi Paganini

(SecurityAffairs – hacking, FIN8)
