Reading Time: 2 minutes

FIN8, a financially motivated cybercrime gang has backdoored a US financial organization’s network with a new malware dubbed Sardonic, says the Bitdefender research team who spotted the malware first. 

Sardonic malware is capable of information harvesting and command execution on the devices that are compromised.

According to cyber-intelligence reports, FIN8 has been active since January 2016 as is known for targeting hospitality, restaurant, retail, and healthcare industries with the goal of stealing credit card data from POS systems. The gang has been using various tactics including POS malware (e.g. BadHatch, PowerSniff, ShellTea, and more), spear-phishing, and zero-delay exploits.


FIN8 attack anatomy and tactics used. (Bitdefender)

Sardonic Malware

FIN8 used a malware dubbed Sardonic, a new C++-based backdoor that was deployed on a US financial organization’s system via spear-phishing and social engineering. The backdoor is still under development and has the following functionality:

  • Harvesting system information
  • The capability of command execution on compromised devices
  • Adds a plugin to execute further malware payloads

Bogdan Botezatu, Director of the Bitdefender threat research team, said that they saw FIN8 carrying out 2 attacks over the past few months, and said it was an “unusually high activity for a threat actor that used to take long breaks between attacks.

According to the research team, Sardonic is a new version of BadHatch Backdoor, that can be automatically revamped with new functionality without needing the malware to be redeployed.

Further investigation into the attack on the US back revealed that the backdoor was deployed onto the target organizations’ system as part of a three-stage process using .NET loader, PowerShell script, and downloader shellcode.

Bitdefender’s research team also discovered that the PowerShell scripts were copied manually onto the compromised devices, while the .NET loader was delivered onto the devices using an automated process.

Bitdefender also revealed that FIN8 tried multiple times to deliver the Sardonic malware backdoor on Windows controllers to move through the organization’s network.


Execution flow of Sardonic malware backdoor (Bitdefender)

Financial Institutions Warned as Potential Targets

Financial institutions and banks are warned to be on high alert and check their networks regularly to look for FIN8 known indicators in case their systems are already compromised.

According to Matt Sanders, Director of Security at LogRythm, the latest incidents are part of a sequence where financial institutions are targeted by criminals. He says:

“Banks and other businesses in the financial services industry are prime targets for cyberattacks with the plethora of sensitive information and financial data contained in their files, especially as more of the world transitioned to online banking during the pandemic.”

He further emphasized the vulnerability of banks saying that financial organizations and firms are 300 times more likely to be targeted by cybercriminals as compared to other sectors. One major threat is malware attack vectors.

Sanders said that companies need to be cautious and take a “security-first approach to cybersecurity to solve vulnerabilities.

“Bitdefender recommends that companies in target verticals (retail, hospitality, finance) check for potential compromise by applying [the IoCs] to their EDR, XDR, and other security defenses.”

Bitdefender also recommended some proactive measures as follows:

  • Separate the PoS network for employees and guests
  • Introduce an email security solution that automatically discards malicious attachments
  • Organize cybersecurity awareness training for your employees to spot phishing attempts and more
  • Make threat intelligence part of your SIEM or security controls