"FIN8 Using an Updated Backdoor"
The security firm Bitdefender has published a forensic analysis of a new backdoor used by the financially motivated threat group FIN8 in recent attacks. FIN8 used the backdoor, called Sardonic, in attacks against two unidentified financial organizations. According to the researchers, Sardonic is an updated version of the group's previous backdoor, Badhatch. The gang typically targets point-of-sale (PoS) systems to steal payment card data. Bitdefender emphasizes that Sardonic is significantly more potent than Badhatch: it lets the operators add new functionality to an already running backdoor without updating its existing components or re-deploying the malware. This suggests that FIN8 is adopting a more agile approach to its intrusions. FIN8 appears to have spent several months building and testing the new backdoor before using it in attacks. Sardonic is more flexible than Badhatch because it can deploy additional payloads to a machine that is already compromised, saving the group the effort and time of re-infecting existing victims if it decides to change tactics. The Sardonic backdoor is also believed to still be under development, and future versions are expected to give the group new capabilities.

How FIN8 gains initial access to its victims' networks remains undetermined, but some evidence suggests that the group has used social engineering and spear-phishing. In previously studied FIN8 attacks that predate Sardonic, researchers observed compromised user accounts, with the first evidence of compromise appearing on one of the victim's database servers. Once inside the network, the attackers performed network reconnaissance and used their access to retrieve a list of trusted domains and a list of domain controllers. They then moved laterally by targeting the domain controllers, using the built-in Windows Management Instrumentation Command-line utility (WMIC) for remote code execution. This article continues to discuss the reemergence of FIN8 with a dangerous new backdoor.
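The reconnaissance-then-lateral-movement chain described above (enumerate trusted domains and domain controllers, then execute code on a domain controller through WMIC) leaves a recognizable trail in process-creation telemetry. The following detector is an added example written for this summary; it is not code from Bitdefender or from the article. It assumes a simplified Sysmon Event ID 1 / Security 4688 event shape, uses constructed sample events rather than real telemetry, and assumes `nltest /domain_trusts` and `nltest /dclist` as the reconnaissance commands, which the article does not name. The WMIC pattern (`wmic /node:<host> ... process call create`) and the fact that processes created remotely via WMI appear on the target as children of `WmiPrvSE.exe` are general Windows behaviour, not claims about FIN8's specific tooling.

```python
import re
from collections import defaultdict

# Constructed process-creation events in a simplified Sysmon EID 1 / Security 4688 shape.
# Invented for this example; not telemetry from the Bitdefender investigation.
SAMPLE_EVENTS = [
    {"ts": "2021-08-11T09:12:03Z", "host": "DB01", "user": "CORP\\svc_report",
     "parent": "cmd.exe", "cmdline": "nltest /domain_trusts"},
    {"ts": "2021-08-11T09:12:09Z", "host": "DB01", "user": "CORP\\svc_report",
     "parent": "cmd.exe", "cmdline": "nltest /dclist:corp.local"},
    {"ts": "2021-08-11T09:14:41Z", "host": "DB01", "user": "CORP\\svc_report",
     "parent": "cmd.exe",
     "cmdline": 'wmic /node:"DC01" /user:"CORP\\svc_report" process call create '
                '"cmd.exe /c whoami > C:\\Windows\\Temp\\o.txt"'},
    # The receiving side: WMI's provider host spawns the requested process on the DC.
    {"ts": "2021-08-11T09:14:42Z", "host": "DC01", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "WmiPrvSE.exe", "cmdline": "cmd.exe /c whoami > C:\\Windows\\Temp\\o.txt"},
    # Benign local WMIC use by an ordinary user; must not fire.
    {"ts": "2021-08-11T10:02:17Z", "host": "WS07", "user": "CORP\\alice",
     "parent": "explorer.exe", "cmdline": "wmic os get caption"},
]

# wmic with /node:<target> plus "process call create" is remote process execution.
WMIC_REMOTE_EXEC = re.compile(
    r'\bwmic(?:\.exe)?\b.*?/node:\s*"?(?P<target>[^\s"]+)"?.*?'
    r'\bprocess\b.*?\bcall\b.*?\bcreate\b',
    re.IGNORECASE | re.DOTALL,
)
# Assumed recon commands for "list of trusted domains" and "list of domain controllers".
RECON_CMDS = re.compile(r"\bnltest(?:\.exe)?\b.*?/(?:domain_trusts|dclist)", re.IGNORECASE)
LOCAL_TARGETS = {"LOCALHOST", "127.0.0.1", "."}


def classify(event):
    """Return (rule, detail) for a suspicious event, or None if it is uninteresting."""
    cmd = event["cmdline"]
    m = WMIC_REMOTE_EXEC.search(cmd)
    if m:
        # Normalise \\DC01.corp.local -> DC01 and ignore self-targeting invocations.
        target = m.group("target").lstrip("\\").split(".")[0].upper()
        if target not in LOCAL_TARGETS and target != event["host"].upper():
            return ("wmic_remote_exec", target)
    if RECON_CMDS.search(cmd):
        return ("domain_recon", None)
    if event["parent"].lower().endswith("wmiprvse.exe"):
        # Child of the WMI provider host: something was created via Win32_Process.Create.
        return ("wmi_spawned_child", None)
    return None


def triage(events):
    """Flag suspicious events and, per source host, whether recon preceded remote WMIC execution."""
    findings = []
    tags_by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = classify(ev)
        if hit is None:
            continue
        rule, detail = hit
        findings.append((ev["ts"], ev["host"], rule, detail, ev["cmdline"]))
        tags_by_host[ev["host"]].append(rule)
    chains = {}
    for host, tags in tags_by_host.items():
        chains[host] = ("domain_recon" in tags and "wmic_remote_exec" in tags
                        and tags.index("domain_recon") < tags.index("wmic_remote_exec"))
    return findings, chains


if __name__ == "__main__":
    found, chain_hosts = triage(SAMPLE_EVENTS)
    for ts, host, rule, detail, cmd in found:
        print(f"{ts} {host:<5} {rule:<18} {detail or '':<6} {cmd}")
    for host, hit in chain_hosts.items():
        if hit:
            print(f"ALERT: {host} ran domain recon and then remote WMIC execution")
```

The per-host chain check is what turns two individually noisy signals (administrators do run `nltest` and `wmic /node:`) into a higher-confidence alert: the sequence on a single source host, with the matching `WmiPrvSE.exe` child on the domain controller, is the pattern the article describes. In production the same logic would run over a SIEM query rather than an in-memory list, and the recon command list should be extended to whatever enumeration tooling the environment actually sees.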