According to researchers, in its latest attack, FIN8 infiltrated companies to carry out surveillance and escalate privileges in order to deploy a malware payload called Sardonic.
In its latest report, Bitdefender Labs experts revealed that the financially motivated group FIN8 has resurfaced with brand new malware dubbed Sardonic. After a brief hiatus, the group is back to target diverse sectors, including insurance, retail, technology, and chemical industries. Their prime targets are in the USA, Canada, South Africa, Puerto Rico, Panama, and Italy.
FIN8 Group Expands its Malware Arsenal
Reportedly, FIN8 has arrived with a modified version of the BADHATCH implant featuring extended capabilities such as screen capture, credential theft, proxy tunneling, and fileless execution. In the group’s recent attack against a US-based financial organization, researchers noticed the new backdoor Sardonic, which indicates that the malware authors are trying to expand the scope of their malicious acts.
FIN8’s Latest Targeted Attack
In this latest attack, FIN8 infiltrated the company’s network to carry out surveillance and later escalated privileges through lateral movement to deploy the malware payload. The group made multiple attempts to deploy the Sardonic malware on domain controllers to gain persistence, but the malicious command lines were blocked in time, rendering the attack unsuccessful.
About Sardonic Malware
Bitdefender Labs researchers reported that Sardonic is a previously undocumented backdoor that’s undergoing active development. The malware is “extremely potent and has a wide range of capabilities that help the threat actor leverage new malware on the fly without updating components,” revealed Bitdefender’s researchers Eduard Budaca and Victor Vrabie in their report.
They further stated that the malware is written in C++. It can establish persistence on a compromised device, obtain system information, load/execute additional plugins, transmit the results to a remote attacker-controlled server, and execute arbitrary commands.
This gives the attackers new capabilities: they can build new malware and deploy it on the fly without updating the backdoor’s components.
FIN8 Threat Actor Under Bitdefender’s Radar
Bitdefender researchers are monitoring the group’s activities constantly. The group has been operating since January 2016 and has built a reputation as a financially motivated threat group.
Earlier in 2021, Bitdefender reported that the group was using a new version of the BADHATCH backdoor, and now it is deploying a new backdoor on compromised systems.
Since its emergence on the scene, the group has leveraged countless techniques, from spear-phishing software like PUNCHTRACK to stealing payment card data from Point of Sale (POS) systems.
Since January 2018, the group has carried out cyber intrusions through living-off-the-land attacks. It primarily uses built-in interfaces and tools such as PowerShell and leverages legitimate services like sslip.io and WMI to evade detection.
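As an added defensive example, not drawn from the Bitdefender report: a small Python detector that flags DNS queries for sslip.io hostnames (one of the legitimate services named above) and recovers the IP address embedded in the name, so an analyst can see which address the name actually resolves to. The log format and the sample lines are constructed assumptions.

```python
import re
import ipaddress
from typing import List, Dict, Optional

# Constructed sample DNS query log (not from the report); assumed format:
# "<timestamp> <client_ip> <query_name>"
SAMPLE_DNS_LOG = """\
2021-08-25T10:01:02Z 10.0.5.21 login.microsoftonline.com
2021-08-25T10:01:07Z 10.0.5.21 203-0-113-7.sslip.io
2021-08-25T10:02:11Z 10.0.5.33 www.198.51.100.4.sslip.io
2021-08-25T10:03:40Z 10.0.5.21 updates.example.org
2021-08-25T10:04:02Z 10.0.5.40 notsslip.io
"""

# sslip.io answers with the IPv4 address embedded in the query name, written
# with dashes or dots, optionally preceded by other labels (e.g. "www.").
SSLIP_RE = re.compile(
    r"(?:^|\.)(\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.](\d{1,3})\.sslip\.io$",
    re.IGNORECASE,
)

def embedded_ip(query_name: str) -> Optional[str]:
    """Return the IPv4 address an sslip.io name resolves to, or None."""
    m = SSLIP_RE.search(query_name.strip().rstrip("."))
    if not m:
        return None
    candidate = ".".join(m.groups())
    try:
        return str(ipaddress.IPv4Address(candidate))
    except ValueError:  # an octet above 255 is not a valid address
        return None

def find_sslip_queries(log_text: str) -> List[Dict[str, str]]:
    """Flag DNS queries that use sslip.io to reach an IP via a hostname."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, client, qname = parts
        ip = embedded_ip(qname)
        if ip is not None:
            findings.append({"time": ts, "client": client,
                             "query": qname, "resolves_to": ip})
    return findings

if __name__ == "__main__":
    for finding in find_sslip_queries(SAMPLE_DNS_LOG):
        print(finding)
```

A hit is not proof of compromise on its own, but a workstation resolving sslip.io names is unusual enough in most environments to merit a look at the process that issued the query.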