FIN8 is a purely financially motivated cybercrime group. Since 2016 it has targeted the retail, restaurant, hospitality, healthcare, and entertainment industries, primarily to steal payment card data from the Point of Sale (POS) devices those industries rely on to process customer payments. The group was still at it towards the end of 2019, when Visa warned that it was compromising POS devices used by fuel stations in North America. FIN8 campaigns are sporadic but consistently damaging, leaving victims questioning how best to shore up their defenses.
Now, according to Bitdefender, the group has added another tool to its already impressive tool belt: a new backdoor trojan that researchers have named Sardonic. Past attacks by the group have often leveraged the BadHatch backdoor.
Bitdefender researchers also discovered a newer version of BadHatch in early 2021 (more on this later). Despite that new BadHatch version, FIN8's developers have been busy building Sardonic. In the report Bitdefender published, Sardonic boasts several features that should alarm those tasked with defending networks in the industries FIN8 favors.
The new backdoor was discovered when it was used against a US financial institution. How the attackers initially compromised the network has still not been determined, but FIN8 has relied on social engineering and spear-phishing in the past.
Initial access is followed by network reconnaissance, then lateral movement and privilege escalation. Sardonic does not appear to be a replacement for BadHatch, at least for the moment, as researchers found BadHatch artifacts left by the attackers in the same intrusion. Researchers noted,
“As described in our previous threat intelligence report on FIN8, once in the network, the attackers began with network reconnaissance, obtaining information about the domain (users, domain controllers) and continued with lateral movement and privilege escalation. In addition to the use of WMIExec, which we reported earlier, we found traces of SMBExec from the same toolset (Impacket), along with, of course, the offensive features of their signature backdoor, BADHATCH. The BADHATCH loader was deployed using PowerShell scripts downloaded from the 104.168.237[.]21 IP address using the legitimate sslip.io service. It was used during the reconnaissance, lateral movement, privilege escalation and possibly impact stages.”
Sardonic in More Detail
The report published by Bitdefender goes into far greater depth on the inner workings of the malware, including indicators of compromise and how it attempts to remain persistent on infected systems. The backdoor itself is written in C++ and uses the same command-and-control infrastructure as its loaders.
The malware can collect system information, execute commands, and load plugins: specially made DLLs whose exported functions it calls through its plugin system.
Traffic to the command-and-control infrastructure is encrypted using both symmetric and asymmetric encryption, which may appear unbreakable at first glance. However, as researchers noted,
“…it can be easily defeated either through a man-in-the-middle attack, where a third party could communicate with the client in plain text and impersonate it to the server, or by using the fact that the private RSA key is publicly available. The public key comes from an open-source X.509 certificate used for testing in the OpenSSL repository, “/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)”, whose private key is also known. This is an unusual choice: the certificate is very old (issued on Dec. 5, 1999 and expired on June 10, 2005) and creating an RSA key pair is very easy. The result of this oversight is that, by identifying RSA-encrypted packets and extracting the RC4 key inside them, the entire communication can be decrypted from a traffic capture, which can be very useful in a forensic investigation.”
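The weakness the researchers describe is a key-transport flaw, not a cipher break: the RC4 session key travels RSA-encrypted, so whoever holds the matching private key reads everything. The simulation below is an added example written for this article, not Bitdefender's code and not Sardonic's actual wire format. The packet framing (a key-transport packet followed by RC4 data packets) and the toy RSA keypair (p=61, q=53, standing in for the 1024-bit OpenSSL test-CA key whose private half is public) are assumptions made to keep the mechanism visible; the forensic decryptor recovers the session key from the capture exactly as the report describes.

```python
import os

# Toy textbook-RSA keypair (p=61, q=53). Assumption: this stands in for the 1024-bit OpenSSL
# test-CA key the report names; the primes are tiny only so the key-transport step stays visible.
N, E, D = 3233, 17, 2753


class RC4:
    """Minimal RC4 stream cipher; one instance per direction of a session."""

    def __init__(self, key):
        S = list(range(256))
        j = 0
        for i in range(256):
            j = (j + S[i] + key[i % len(key)]) & 0xFF
            S[i], S[j] = S[j], S[i]
        self.S, self.i, self.j = S, 0, 0

    def crypt(self, data):
        # Keystream state persists across calls, so consecutive packets share one stream.
        S = self.S
        out = bytearray()
        for b in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + S[self.i]) & 0xFF
            S[self.i], S[self.j] = S[self.j], S[self.i]
            out.append(b ^ S[(S[self.i] + S[self.j]) & 0xFF])
        return bytes(out)


def rsa_wrap_key(rc4_key, n=N, e=E):
    """Key transport: encrypt the session key byte-by-byte under the public key (toy, no padding)."""
    return b"".join(pow(b, e, n).to_bytes(2, "big") for b in rc4_key)


def rsa_unwrap_key(blob, n=N, d=D):
    """Undo rsa_wrap_key with the private exponent."""
    return bytes(pow(int.from_bytes(blob[i:i + 2], "big"), d, n) for i in range(0, len(blob), 2))


# Assumed framing: (packet_type, payload). Type 1 carries the RSA-wrapped RC4 key, type 2 RC4 data.
KEY_PACKET, DATA_PACKET = 1, 2


def client_session(messages, rc4_key=None):
    """Client side: pick a session key, wrap it for the server, then stream RC4-encrypted messages."""
    rc4_key = rc4_key or os.urandom(16)
    stream = RC4(rc4_key)
    packets = [(KEY_PACKET, rsa_wrap_key(rc4_key))]
    packets += [(DATA_PACKET, stream.crypt(m)) for m in messages]
    return packets


def decrypt_capture(packets, d=D, n=N):
    """Forensic side: anyone holding the private key (here everyone, since it is a public test key)
    pulls the RC4 key out of the key-transport packet and reads the whole stream."""
    stream, plaintexts = None, []
    for ptype, payload in packets:
        if ptype == KEY_PACKET:
            stream = RC4(rsa_unwrap_key(payload, n, d))
        elif ptype == DATA_PACKET:
            if stream is None:
                raise ValueError("data packet seen before the key-transport packet")
            plaintexts.append(stream.crypt(payload))
    return plaintexts


if __name__ == "__main__":
    # Constructed session: two command names from the list further down in the article.
    capture = client_session([b"systeminfo", b"net view"])
    print(decrypt_capture(capture))
```

Against a real capture the same two steps apply: locate the key-transport packet by its framing, unwrap it with the private key taken from the OpenSSL repository test certificate, and feed the recovered RC4 key to a stream decryptor. The asymmetric layer buys the attacker nothing once the private key is public, which is why a generated keypair would have been the obvious choice.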
Interestingly, several of the backdoor's commands simply execute a shell command and send its output back to the command-and-control server. The commands include:
- “ver”: version string; we’ve seen “v2.2.1r”, “v2.2.4r”, and we have seen different samples with the same version string.
- “modules”: space-separated list of installed plugins
- “systeminfo”: output of “cmd /c chcp 65001 & systeminfo”
- “netview”: output of “cmd /c chcp 65001 & net view”
- “netstat”: output of “cmd /c chcp 65001 & netstat /naop TCP”
- “tasklist”: output of “cmd /c chcp 65001 & tasklist /v”
- “netstart”: output of “cmd /c chcp 65001 & net start”
- “ipconfig”: output of “cmd /c chcp 65001 & ipconfig”
Of the features above, the plugin system stands out: the backdoor can run, install, update, and terminate plugins, and the modules command lists those installed. The plugins themselves are held in memory, allowing for fileless operation, which makes the malware harder for security applications to detect.
Sardonic appears to still be under development, as the code base contains several unimplemented commands; this would also explain why the attackers used BadHatch alongside Sardonic in the discovered campaign. Researchers recommend that organizations in the sectors FIN8 typically targets take the following mitigation steps:
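The six recon commands share a distinctive shape on the endpoint: cmd.exe launched with "/c chcp 65001 &" followed by a standard enumeration tool. The hunt below is an added example written for this article, not Bitdefender's detection content; it runs over constructed Sysmon-style process-creation records (field names follow Sysmon Event ID 1; hosts, paths, GUIDs and timestamps are made up) and alerts only when one parent process walks through several of these commands in a short window, since a lone "chcp 65001 & ipconfig" is something an administrator might type by hand.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Recon tools Sardonic chains after "chcp 65001 &", taken from the command list above.
SARDONIC_RECON = {
    "systeminfo": r"systeminfo",
    "netview":    r"net\s+view",
    "netstat":    r"netstat\s+/naop\s+TCP",
    "tasklist":   r"tasklist\s+/v",
    "netstart":   r"net\s+start",
    "ipconfig":   r"ipconfig",
}

# The distinctive part is the prefix: switch cmd.exe to the UTF-8 code page, then chain the tool.
PREFIX = r"(?:^|\s)chcp\s+65001\s*&\s*"
RULES = {name: re.compile(PREFIX + body + r"\s*$", re.IGNORECASE)
         for name, body in SARDONIC_RECON.items()}


def classify(command_line):
    """Return the name of the Sardonic recon command a command line matches, or None."""
    for name, rx in RULES.items():
        if rx.search(command_line):
            return name
    return None


def hunt(events, window=timedelta(minutes=10), threshold=2):
    """Group matching cmd.exe launches by (host, parent process) and alert when at least
    `threshold` distinct recon commands appear within `window`. One hit alone is weak
    evidence; the same parent running several of these tools in quick succession is not."""
    hits = defaultdict(list)
    for ev in events:
        name = classify(ev["CommandLine"])
        if name and ev["Image"].lower().endswith("\\cmd.exe"):
            hits[(ev["Computer"], ev["ParentProcessGuid"])].append(
                (ev["UtcTime"], name, ev["ParentImage"]))
    alerts = []
    for (host, pguid), items in hits.items():
        items.sort()
        names = sorted({n for _, n, _ in items})
        if len(names) >= threshold and items[-1][0] - items[0][0] <= window:
            alerts.append({"host": host, "parent_image": items[0][2], "parent_guid": pguid,
                           "commands": names, "first_seen": items[0][0], "last_seen": items[-1][0]})
    return alerts


# Constructed Sysmon-style process-creation events (made up for this example).
T0 = datetime(2021, 8, 1, 9, 0, 0)


def _ev(host, minutes, cmd, parent, guid):
    return {"Computer": host, "UtcTime": T0 + timedelta(minutes=minutes),
            "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": cmd,
            "ParentImage": parent, "ParentProcessGuid": guid}


SAMPLE_EVENTS = [
    # WS01: one unknown parent runs four recon commands inside three minutes
    _ev("WS01", 0, "cmd /c chcp 65001 & systeminfo",        r"C:\Users\Public\update.exe", "{P1}"),
    _ev("WS01", 1, "cmd /c chcp 65001 & netstat /naop TCP", r"C:\Users\Public\update.exe", "{P1}"),
    _ev("WS01", 2, "cmd /c chcp 65001 & tasklist /v",       r"C:\Users\Public\update.exe", "{P1}"),
    _ev("WS01", 3, "cmd /c chcp 65001 & ipconfig",          r"C:\Users\Public\update.exe", "{P1}"),
    # WS02: an administrator's single ipconfig from an interactive shell, below threshold
    _ev("WS02", 5, "cmd /c chcp 65001 & ipconfig", r"C:\Windows\explorer.exe", "{P2}"),
    # WS02: unrelated cmd.exe activity that must not match
    _ev("WS02", 6, "cmd /c dir C:\\Temp", r"C:\Windows\explorer.exe", "{P2}"),
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The parent image in an alert is the interesting artifact: with fileless plugins there may be nothing on disk to scan, but the process that spawned the recon chain is the backdoor's host process and the place to start memory collection.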
- Separate the POS network from the ones used by employees or guests.
- Introduce cybersecurity awareness training for employees to help them spot phishing emails.
- Tune the e-mail security solution to automatically discard malicious or suspicious attachments.
- Integrate threat intelligence into existing SIEM or security controls for relevant Indicators of Compromise.
- Small and medium organizations without a dedicated security team should consider outsourcing security operations to Managed Detection and Response providers.
BadHatch’s Newest Version
As mentioned previously, researchers discovered a newer version of FIN8's favored backdoor, BadHatch, earlier this year. For the InfoSec community it will be interesting to see whether the new tool ever replaces the old favorite. Given that the newer version, v2.14, was discovered this year, FIN8 clearly still finds a use for BadHatch even with a new piece of malware in hand.
The newer version boasts several improvements over previous iterations, including additional evasion techniques and the abuse of TLS encryption to conceal PowerShell commands. Given the long gaps FIN8 takes between campaigns, it is unlikely the group will retire BadHatch anytime soon; rather, that time is spent improving the malware's features and the group's tactics.
Interestingly, for both BadHatch and Sardonic, when Bitdefender compiled its reports there was little to no knowledge of how FIN8 gained initial access to victims' networks.
The path from initial access to privileged access is well understood, but the fact that researchers could not pinpoint how the victim's machine or network was first compromised speaks to the group's ability to tune its tactics, or change them completely, to stay a step ahead of researchers and law enforcement.