In an unsuccessful attack launched by FIN8 against an unnamed U.S.-based financial institution, a new backdoor was discovered. FIN8 is a financially motivated threat group that preys on a variety of industries.
What Transpired?
In a recent attack on a financial institution, a group of security researchers discovered a new version of the BadHatch malware.
- The new version, dubbed Sardonic, is still under active development and offers a wide range of capabilities, including letting operators use it immediately without first having to update its components.
- The attackers in the recent incident first breached the targeted network to conduct reconnaissance before performing privilege escalation and lateral movement to deploy the payload.
- Despite numerous attempts, Sardonic’s spread on domain controllers was thwarted because its malicious command lines were blocked.
Sardonic can establish persistence on an infected machine and collect system information, execute arbitrary commands, load additional plugins, and send data remotely to an attacker-controlled server.
About FIN8
Since 2016, FIN8 has been stealing payment card information from POS systems using techniques such as spear-phishing and malware such as BadHatch/PunchTrack.
- FIN8 began targeting retail, technology, insurance, and chemical industries in South Africa, the United States, Canada, Panama, Italy, and Puerto Rico with BadHatch malware in March.
- It is known for taking long pauses between campaigns, updating its built-in tools and techniques, and abusing legitimate services.
FIN8 is beefing up its capabilities and malware distribution infrastructure. It is recommended that organizations isolate their POS systems from the networks used by employees and educate staff on that separation. Furthermore, they should train employees to recognize phishing emails and improve their email security solutions.
To read more, please check the eScan Blog.