Since January 2016, FIN8 has been steadily building a reputation among financially motivated advanced threat actors. Bitdefender researchers are constantly monitoring this group’s activity, and previous research released in early 2021 documented the use of a new, improved version of the BADHATCH backdoor.
This whitepaper focuses on the analysis of a new backdoor component discovered during the forensic investigation described here. As this backdoor has not been documented or referenced before, we named it “Sardonic”, because artifacts led us to believe the threat actors use this name for an entire project that includes the backdoor itself, the loader and some additional scripts. We believe this project is still under development, and additional updates will likely follow.
Key facts about Sardonic:
FIN8 continues to strengthen its capabilities and malware delivery infrastructure. The highly skilled financial threat actor is known to take long breaks to refine tools and tactics to avoid detection before it strikes viable targets.
Bitdefender recommends that companies in target verticals (retail, hospitality, finance) check for potential compromise by applying the following IoCs to their EDR, XDR and other security defenses.
To further minimize the impact of financial malware, companies should:
An up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users. The currently known indicators of compromise can be found in the whitepaper below.
I'm a security researcher at Bitdefender. When not dissecting malware, I enjoy coding and playing video games.
Victor VRABIE is a security researcher at Bitdefender Iasi, Romania. Focusing on malware research, advanced persistent threats and cybercrime investigations, he's also a graduate of Computer Sciences.
I'm a Senior Team Lead in the Cyber Threat Intelligence Lab at Bitdefender. With more than 10 years of experience in forensics, I'm involved in malware analysis, cybercrime investigations & research.