FIN8 is back with an updated backdoor malware
A notorious actor renowned for its eye on retail, hospitality, and entertainment industries is back, deploying a new backdoor on infected systems. This is a clear indication of the fact that the players here are constantly updating their malware capabilities.
Romanian cybersecurity technology company Bitdefender has dubbed it as ‘Sardonic’. The company encountered an investigation of an ineffective attack by FIN8 intended to exploit an unnamed US-based financial institution.
Since its emergence, FIN8 has been observed to leverage multiple techniques which involve spear-phishing and malicious software in an attempt to rob payment card data from POS systems.
This group is on the lookout for upgrading itself while taking extended breaks to guarantee success. It is known to conduct cyber intrusions through living off the land attacks.
Bitfindender identified FIN8’s activities in March this year which included targeting major industries in the US, Canada, South Africa, Puerto Rico, Panama, and Italy with an updated version of the BADHATCH implant having advanced capabilities involving screen capturing, proxy tunneling, credential theft, and fileless execution.
In the recent attack, the threat actors penetrated the target network to conduct detailed exploration before carrying out activities like privilege escalation to deploy the malware payload.
Also Read: SparklingGoblin steals data from US computer retailer
Sardonic is written in C++ and is very smart as it not only attempts at establishing persistence on the affected machine, but it also comes armed with abilities that can help it in obtaining system information, executing arbitrary commands, and loading and executing additional plugins. The results of these are transferred to a remote server.
The latest development by FIN8 is a clear sign of its shift in tactics by boosting its capabilities and malware transfer infrastructure. In order to restrict the attacks and mitigate all such risks, it is advised that companies should separate their POS networks from the ones used by employees. They should also arrange training sessions for employees in order to spot phishing emails, and enhance email security solutions so that suspicious attachment can be identified in a timely manner.