[BreachExchange] FIN8 Threat Group Resurfaces With Dangerous New Backdoor

Thu Aug 26 08:23:08 EDT 2021

https://www.darkreading.com/attacks-breaches/fin8-threat-group-resurfaces-with-dangerous-new-backdoor

The financially motivated FIN8 advanced persistent threat group has
resurfaced after one of its usual extended breaks, this time packing a
dangerous new malware strain in its attack toolkit.

Researchers from Bitdefender discovered the backdoor while investigating an
attempted attack against one of its customers and have named it "Sardonic."
In a new report, the security vendor describes the new backdoor as an
extremely potent threat with a wide range of capabilities allowing the
threat actor to deliver malware tools as needed on victim networks without
updating components.

Bogdan "Bob" Botezatu, director of threat research and reporting at
Bitdefender, says the Sardonic backdoor is designed to give FIN8 actors a
way to quickly upgrade the capabilities of an ongoing attack.

The FIN8 toolkit has so far been static in nature, meaning once the tools
have been delivered on a target, bringing new tools to the system has been
difficult without raising red flags. Sardonic fixes this issue by offering
attackers a way to deploy new functionality in the form of modules that are
run directly in memory. The approach decreases the odds of the malicious
activity triggering unwanted attention from threat detection tools,
Botezatu says.

"Sardonic lets attackers adjust to the existing environment and
capabilities by allowing installation of additional malware," he says.
"This is ideal for scenarios where attackers realize that some of the tools
[that] they plan to use are not allowed due to local policies or local
configuration and helps attackers update the Sardonic capabilities on the
fly."

The FIN8 threat group has been observed targeting companies in the retail,
hospitality, restaurant, and other sectors in multiple countries since at
least early 2016.

The group has been associated with numerous attacks on point-of-sale (POS)
networks belonging to organizations in the targeted sectors. In December
2019, Visa issued an advisory warning of the group attacking PoS networks
belonging to two North American gas station merchants and one organization
in the hospitality sector. The advisory described the FIN8 attacks as
sophisticated in nature and different from usual card-skimming attacks at
PoS terminals because they targeted the back-end systems that the victim
organizations were using to process card transactions.

FIN8's usual tactic involves delivering malware via carefully crafted
spear-phishing emails. However, Bitdefender says it's unclear how the group
gained initial access to the network in its latest attack. The security
vendor's investigation showed the threat actor had managed to compromise at
least two user accounts. Once they gained access to the network, the
attackers conducted network reconnaissance and used the Windows WMIC
utility for lateral movement. As part of the attack chain, FIN8 used a new
and improved version of BADHATCH, a sophisticated backdoor that it has
deployed in numerous attacks against organizations in multiple industries
in the US, Canada, Italy, South Africa, and other countries. Numerous
attempts to load the Sardonic backdoor on domain controllers were, however,
blocked.

Botezatu says the primary functions of Sardonic are to perform network
reconnaissance, information gathering, lateral movement, and privilege
escalation until the attackers reach the target network or devices. "The
Sardonic backdoor helps attackers gain persistence and agility, as it
supports the deployment of new modules by just issuing a command."

Bitdefender's analysis showed that Sardonic — dangerous as it is already —
is still under development. That conclusion is based on the fact that the
backdoor supports several commands that are not yet implemented and are
likely to become available in future versions of the backdoor, Botezatu
says. "While BADHATCH is more mature and has more features out of the box,
the Sardonic backdoor uses a plug-in architecture that allows attackers to
expand its functionality without having to update the malware and reinfect
targets."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210826/ae540cfe/attachment.html>