FIN8 Group Using Modified Sardonic Backdoor for BlackCat Ransomware Attacks (Security News, July 2023)
The financially motivated threat actor known as FIN8 has been observed using a "revamped" version of a backdoor called Sardonic to deliver the BlackCat ransomware.
Known to be active since at least 2016, the adversary was originally attributed to attacks targeting point-of-sale systems using malware such as PUNCHTRACK and BADHATCH. The group resurfaced after more than a year in March 2021 with an updated version of BADHATCH, following it up with a completely new bespoke implant called Sardonic, which was disclosed by Bitdefender in August 2021.
"The C++-based Sardonic backdoor has the ability to harvest system information and execute commands, and has a plugin system designed to load and execute additional malware payloads delivered as DLLs," Symantec said in a report shared with The Hacker News.
In the incident analyzed by Symantec, Sardonic was embedded in a PowerShell script that was deployed on the targeted system after initial access had been obtained.
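A backdoor delivered inside a PowerShell script typically travels as a long base64 string that the script decodes and loads in memory. The triage script below is an added example (it is not code from the article, from Symantec, or from the Sardonic sample itself): it pulls long base64 runs out of a script, checks whether any of them decode to a PE image (an MZ header whose e_lfanew field points at a `PE\0\0` signature), and looks for the in-memory loading constructs that usually accompany such a blob. The loader patterns are generic heuristics chosen for illustration, not Sardonic indicators, and both sample scripts are constructed here, with a hollow fake PE standing in for a real DLL.

```python
"""
Heuristic triage for PowerShell scripts that carry an embedded PE payload.
Added example; the indicators and samples are constructed, not FIN8 artifacts.
"""
import base64
import binascii
import re
from typing import Dict, List

# Long runs of base64 alphabet (200+ chars, roughly 150 bytes) skip short
# strings such as GUIDs and short encoded commands.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

# Constructs commonly used to turn a byte array into running code in-process.
# Hypothetical generic heuristics, not a signature for Sardonic.
LOADER_INDICATORS = {
    "FromBase64String": re.compile(r"FromBase64String\s*\(", re.I),
    "Assembly.Load": re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\s*\(", re.I),
    "Add-Type": re.compile(r"\bAdd-Type\b", re.I),
    "VirtualAlloc": re.compile(r"\bVirtualAlloc\b", re.I),
    "Invoke-Expression": re.compile(r"\bInvoke-Expression\b|\biex\b", re.I),
}


def decode_base64_runs(script: str) -> List[bytes]:
    """Return the decoded bytes of every long base64 run that parses cleanly."""
    decoded = []
    for match in B64_RUN.finditer(script):
        try:
            decoded.append(base64.b64decode(match.group(0), validate=True))
        except binascii.Error:
            continue  # not valid base64 (bad padding or length), skip it
    return decoded


def is_pe_image(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a PE\\0\\0 signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_script(script: str) -> Dict[str, object]:
    """Combine the two signals: an embedded PE image plus an in-memory loader."""
    blobs = decode_base64_runs(script)
    pe_blobs = [b for b in blobs if is_pe_image(b)]
    indicators = sorted(name for name, rx in LOADER_INDICATORS.items() if rx.search(script))
    if pe_blobs and indicators:
        verdict = "suspicious: embedded PE plus in-memory loader"
    elif pe_blobs or indicators:
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "base64_blobs": len(blobs),
        "embedded_pe": len(pe_blobs),
        "loader_indicators": indicators,
        "verdict": verdict,
    }


def _fake_pe() -> bytes:
    """Constructed stand-in for a DLL: valid MZ/PE headers, no code, 256 bytes."""
    img = bytearray(b"MZ" + b"\x00" * 0x3E)           # 0x40-byte DOS header
    img[0x3C:0x40] = (0x40).to_bytes(4, "little")      # e_lfanew -> offset 0x40
    img += b"PE\x00\x00" + b"\x00" * 188               # PE signature, then padding
    return bytes(img)


# Constructed samples, not real FIN8 scripts.
MALICIOUS_SAMPLE = (
    '$blob = "' + base64.b64encode(_fake_pe()).decode() + '"\n'
    "$bytes = [System.Convert]::FromBase64String($blob)\n"
    "[System.Reflection.Assembly]::Load($bytes) | Out-Null\n"
)
BENIGN_SAMPLE = (
    '$cfg = "' + base64.b64encode(b"name=backup;schedule=nightly;" * 8).decode() + '"\n'
    "Write-Host ([System.Text.Encoding]::UTF8.GetString("
    "[System.Convert]::FromBase64String($cfg)))\n"
)

if __name__ == "__main__":
    for label, text in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage_script(text))
```

The benign sample still lands on "review" because it decodes base64 too; the point of the combined verdict is that a decoded blob that is itself a PE image, next to a reflective load, is far rarer in administrative scripts than either signal alone. A real hunt would feed this the contents of PowerShell ScriptBlock logs (Event ID 4104) rather than files on disk, since a staged script may never be written out.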
This is not the first time FIN8 has been detected using Sardonic in connection with a ransomware attack.
"The group's decision to expand from point-of-sale attacks to the deployment of ransomware demonstrates the threat actors' dedication to maximizing profits from victim organizations."
News URL: https://thehackernews.com/2023/07/fin8-group-using-modified-sardonic.html
Related news
- Hackers Use Microsoft MSC Files to Deploy Obfuscated Backdoor in Pakistan Attacks
- Ascension: Health data of 5.6 million stolen in ransomware attack
- Clop ransomware threatens 66 Cleo attack victims with data leak
- French govt contractor Atos denies Space Bears ransomware attack claims
- Casio says data of 8,500 people exposed in October ransomware attack
- Preventing the next ransomware attack with help from AI
- Ransomware on ESXi: The mechanization of virtualized attacks
- OneBlood confirms personal data stolen in July ransomware attack
- Enzo Biochem settles lawsuit over 2023 ransomware attack for $7.5M
- Medusa ransomware group claims attack on UK's Gateshead Council