FIN8 Hackers use Sardonic Backdoor to Target Financial Institutions

Threat actors have different motivations and goals. Some of them are working for the highest bidder, while others focus on espionage and data exfiltration. There are also those like FIN8, threat actors whose motivation is purely financial. Typically, these cybercrime groups go after businesses in individuals operating in lucrative industries like hospitality, restaurants, and retail. The FIN8 group is one of the most renowned threat actors with financial motivation and, recently, they unleashed a new threat dubbed the Sardonic Backdoor.

Previously, the FIN8 group has put other custom-built malware to use – such as PoSlurp and BADHATCH. This time, however, they are using a much more sophisticated implant. The Sardonic Backdoor is rich in features and, surprisingly, its target is a major, US-based financial organization. However, it is likely that the FIN8 hackers are planning to expand their operation in the near future. Just like in their past campaigns, the criminals are once again aiming to spread laterally across the network. Their ultimate goal is to compromise point-of-sale (PoS) devices, and exfiltrate payment card data.

C++ Sardonic Backdoor Steals Financial Data

The Sardonic Backdoor payload is written in C++, and the criminals are likely to use spearphishing and social engineering tactics to deliver it to their targets. As for the features of this Trojan, it can:

  • Execute remote commands and return the output to the attacker's server.
  • Gather hardware, software, and network data about the infected host.
  • Sardonic Backdoor's modular structure enables its operators to extend its functionality on-the-fly.

The scope of the Sardonic Backdoor Trojan attack is not yet clear, and the situation is still developing. Naturally, this means that businesses in the hospitality, restaurant and retail sectors need to take preventive measures to identify and stop the malicious implant. Tutoring employees on how to navigate the Web safely, and investing in reputable endpoint protection should be enough to mitigate malicious attacks like the one in question.

August 26, 2021