Information of companies and their staff published on the dark web makes financial companies and their employees a primary target of cybercriminals. Recently, cybersecurity experts from Bitdefender uncovered a new financially motivated malware campaign by the infamous threat actor group FIN8, circulating a new version of its BADHATCH malware, tracked as Sardonic. Active since January 2016, the FIN8 gang is known to launch attacks on finance companies.
Sardonic – A New Backdoor in the FIN8 Ecosystem
The researchers stated that Sardonic malware has several new components that were reportedly created just before the attack. The Sardonic backdoor has a wide range of capabilities helping attackers create new malware variants instantly without updating the components.
“FIN8 is known for taking extended breaks to improve their tactics, techniques, and procedures (TTPs), which increases their success rate. With each new version of their toolkit, they start with small tests on a limited pool of victims before launching a full-scale attack,” Bitdefender said in a statement.
FIN8’s Living off the Land Attack (LotL)
FIN8 primarily targets companies that provide financial services and their POS (point of sale) terminals via living off the land (LotL) attacks. In LotL attacks, hackers leverage tools or techniques that already exist in the threat landscape. Bitdefender researchers found FIN8 actors using built-in tools and interfaces such as PowerShell or WMI and exploiting legitimate services like sslip.io to hide their malicious activities.
In addition, FIN8 actors leverage different hacking vectors, including:
- Social Engineering
- Malicious Payload Download
- Lateral Movement
- Trial and Error to overcome defenses
- Attempt to establish persistency
Remediation
Bitdefender team also recommended security measures to minimize the impact of this malware. These include:
- Separate the POS network from the ones used by employees or guests
- Introduce cybersecurity awareness training for employees to help them spot phishing emails.
- Tune the email security solution to automatically discard malicious or suspicious attachments.
- Integrate threat intelligence into existing SIEM or security controls for relevant Indicators of compromise.
- Small and medium organizations should consider outsourcing security operations to managed detection and response providers.
