Fin8 Using an Updated BackdoorBitdefender: Group Targets 2 Financial Institutions After a Long Layoff
Security firm Bitdefender has conducted a forensic analysis of a new backdoor, dubbed Sardonic, used by the financially motivated threat group Fin8 in recent attacks against two unidentified financial organizations.
Sardonic is an updated version of Fin8's previous backdoor called Badhatch that apparently is still under development, Bitdefender says. The gang's usual goal is attacking point-of-sale systems to obtain credit card information or as a general infostealer.
"The Sardonic backdoor is extremely potent and has a wide range of capabilities that help the threat actor leverage new malware on the fly without updating components," Bitdefender's report says.
Unlike Badhatch, Sardonic can be automatically enriched with new functionality without having to redeploy malware. So, Fin8 apparently is adopting a more agile posture to cyberattacks, says Bogdan Botezatu, director of threat research for Bitdefender
Bitdefender says it has spotted FIN8 waging two attacks in the past few months. "This is an unusually high activity for a threat actor that used to take long breaks between attacks," Botezatu says.
Fin8 apparently spent several months building and testing the new backdoor before using it in the attacks, Botezatu says. Bitdefender analyzed one of those attacks.
The report did not identify when or where the attacks took place.
Fin8, which has been active since 2016, typically attempts to compromise companies in the financial, insurance, retail, hospitality, technology and chemical industries, Bitdefender says. The gang has waged attacks in the U.S., Canada, South Africa, Puerto Rico, Panama and Italy over the past year, the security firm says.
Fin8 has targeted financial services and POS systems primarily through "living off the land" attacks - using built-in tools and interfaces, such as PowerShell or WMI, and abusing legitimate services, such as sslip.io, to disguise their activity, Bitdefender says.
Bitdefender identified Fin8 updating Badhatch in December 2020 and again in January, creating Sardonic, which is version 2.14 of the malware.
"Sardonic is a much more flexible backdoor than Badhatch as it can deploy other payloads to the already compromised computer, which saves extra effort in re-infecting existing victims, should the threat group choose to take a different approach," Botezatu says. "The Sardonic backdoor also seems to be under significant development, and future versions could bring the group new capabilities."
In a recent attack on an unidentified financial institution that Bitdefender analyzed, Fin8 used a .NET binary to load a shellcode containing the malware into memory. Once loaded, the embedded dynamic link library obtained the value of the Y1US environment variable and extracted the string that contained options for behavior customization so it could make changes, Bitdefender says.
Fin8 then used its access to scan for victim networks, provide attackers with remote access, install a backdoor, and deliver other malware payloads. One primary target has been POS systems, with the goal of obtaining credit card and other financial information, according to the security firm Morphisec.
When Fin8 Attacks
Bitdefender's researchers are unsure exactly how FIN8 gains initial access to its victims' networks. But they say there's some evidence that social engineering and spear-phishing attacks may have been used.
In Fin8 attacks Bitdefender has previously studied that took place before the release of Sardonic, researchers saw user accounts were compromised - with the evidence of compromise first appearing on one of the database servers. Once the malware was on the network, the attackers engaged in network reconnaissance and used their access to retrieve a list of trusted domains and a list of domain controllers, the researchers said
The next step was moving laterally by targeting domain controllers and the malware used the built-in Windows Management Interface Command utility for remote code execution.
Bitdefender recommends that organizations take the following actions to minimize the impact of this malware:
- Separate the POS network from networks used by employees or guests;
- Introduce cybersecurity awareness training for employees to help them spot phishing e-mails;
- Tune the e-mail security solution to automatically discard malicious or suspicious attachments;
- Integrate threat intelligence into existing SIEM or security controls for relevant indicators of compromise.