The FIN8 group, also tracked as Syssphinx, is a financially motivated threat actor (the "FIN" prefix in Mandiant's naming scheme denotes financially motivated groups). It has been observed using a modified version of the Sardonic backdoor to deploy BlackCat (ALPHV) ransomware.
FIN8 has been active since at least 2016 and was previously known for deploying point-of-sale (PoS) malware such as PUNCHTRACK and BADHATCH. The group resurfaced in March 2021 with an updated version of BADHATCH, and in August 2021 Bitdefender first documented a new, custom backdoor from the same group, named Sardonic.
The Sardonic backdoor is written in C++ and can collect system information, execute commands, and load additional payloads as DLLs through a plugin system. The latest version, however, differs substantially: most of the source code has been deliberately rewritten in C, an apparent effort to break detections written for the earlier variant.
In the analyzed incident, Sardonic is embedded in a PowerShell script that is deployed to the target system after initial access. The script launches a .NET loader, which decrypts and executes an injector module; the injector then runs the implant inside a newly created WmiPrvSE.exe process (the legitimate WMI Provider Host binary), so the backdoor executes under the name of a trusted Windows process. Sardonic supports up to 10 interactive sessions through which the operator can run commands, and it can load additional DLLs and shellcode through three different plugin formats.
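The delivery chain above (PowerShell script, .NET loader, injector, implant hosted in a freshly spawned WmiPrvSE.exe) leaves a process-lineage artifact that is cheap to hunt for: on a normal Windows host WmiPrvSE.exe is started by the DcomLaunch service host (svchost.exe -k DcomLaunch) from C:\Windows\System32\wbem or C:\Windows\SysWOW64\wbem, not by PowerShell or a user application. The following is an added example written for this write-up, not code from the original report or from any vendor tooling. It runs a simple hunt over a handful of constructed, Sysmon Event ID 1 style process-creation records (the field names and sample values are assumptions; adapt them to what your EDR or SIEM emits) and flags WmiPrvSE.exe instances whose parent or on-disk path does not match the expected baseline.

```python
"""Hunt for WmiPrvSE.exe launched outside its normal lineage.

Added example for this write-up (not from the original report). The input
is a constructed, simplified Sysmon Event ID 1 (process creation) record in
key=value form; real telemetry will need the field names adjusted.
"""
import re
from dataclasses import dataclass, field

# Constructed sample records. Record 1 is benign (DcomLaunch parent),
# record 2 mirrors the chain described in the article (PowerShell parent),
# record 3 is a copy running from a non-standard path under Explorer,
# record 4 has an svchost parent that is not the DcomLaunch host.
SAMPLE_EVENTS = r"""
Image=C:\Windows\System32\wbem\WmiPrvSE.exe ParentImage=C:\Windows\System32\svchost.exe ParentCommandLine="C:\Windows\system32\svchost.exe -k DcomLaunch -p" User="NT AUTHORITY\NETWORK SERVICE"
Image=C:\Windows\System32\wbem\WmiPrvSE.exe ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine="powershell.exe -nop -w hidden -enc SQBFAFgA" User="CORP\jdoe"
Image=C:\Users\Public\WmiPrvSE.exe ParentImage=C:\Windows\Explorer.EXE ParentCommandLine="C:\Windows\Explorer.EXE" User="CORP\jdoe"
Image=C:\Windows\System32\wbem\WmiPrvSE.exe ParentImage=C:\Windows\System32\svchost.exe ParentCommandLine="C:\Windows\system32\svchost.exe -k netsvcs -p" User="NT AUTHORITY\SYSTEM"
"""

# Baseline for a stock Windows install (assumption: tune for your estate).
EXPECTED_IMAGES = {
    r"c:\windows\system32\wbem\wmiprvse.exe",
    r"c:\windows\syswow64\wbem\wmiprvse.exe",
}
EXPECTED_PARENT = r"c:\windows\system32\svchost.exe"
EXPECTED_PARENT_SERVICE = "dcomlaunch"

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    severity: str
    reasons: list = field(default_factory=list)
    event: dict = field(default_factory=dict)


def parse_event(line: str) -> dict:
    """Turn one key=value record into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def evaluate(ev: dict):
    """Return a Finding for a suspicious WmiPrvSE.exe start, else None."""
    image = ev.get("Image", "").lower()
    if not image.endswith(r"\wmiprvse.exe"):
        return None  # only WMI Provider Host starts are in scope
    parent = ev.get("ParentImage", "").lower()
    parent_cmd = ev.get("ParentCommandLine", "").lower()

    reasons = []
    if image not in EXPECTED_IMAGES:
        reasons.append(f"WmiPrvSE.exe running from non-standard path {image}")
    if parent != EXPECTED_PARENT:
        reasons.append(f"unexpected parent process {parent}")
    elif EXPECTED_PARENT_SERVICE not in parent_cmd:
        reasons.append("svchost parent is not the DcomLaunch service host")
    if not reasons:
        return None

    # A scripting-engine parent or a relocated binary is the strongest signal;
    # a wrong svchost service group is worth a look but is lower confidence.
    scripted = any(s in parent for s in ("powershell", "pwsh", "cscript", "wscript"))
    severity = "high" if scripted or image not in EXPECTED_IMAGES else "medium"
    return Finding(severity=severity, reasons=reasons, event=ev)


def hunt(text: str) -> list:
    """Evaluate every non-empty record in `text` and collect the findings."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = evaluate(parse_event(line))
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.event.get('Image')} <- {f.event.get('ParentImage')}")
        for r in f.reasons:
            print(f"    - {r}")
```

Running the script prints three findings: the PowerShell-spawned instance and the copy under C:\Users\Public as high, and the svchost/netsvcs case as medium. The injected implant itself is not visible in process-creation telemetry, so this hunt only catches the step where the injector creates its host process; pair it with image-load or cross-process-access events (Sysmon Event ID 8 or 10) if your telemetry has them.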
Among its other features, the backdoor can drop arbitrary files on the compromised machine and exfiltrate file contents to attacker-controlled infrastructure.
This is not the first time FIN8 has paired Sardonic with ransomware: in January 2022 the backdoor was observed in an intrusion that deployed the White Rabbit ransomware.
The group continually refines its capabilities and malware delivery infrastructure, updating its tools and tactics to avoid detection. To reduce the risk of a Sardonic-based intrusion, the following measures are recommended:
- Use comprehensive, reputable security solutions,
- Use current, licensed software (unlicensed or end-of-life software does not receive security updates),
- Keep operating systems and applications patched to the latest version,
- Block the indicators of compromise shared below in the security controls in use.
Indicators of Compromise