ATM / POS Fraud , Fraud Management & Cybercrime , Fraud Risk Management

Fin8 Using an Updated Backdoor

Bitdefender: Group Targets 2 Financial Institutions After a Long Layoff
Fin8 Using an Updated Backdoor
A look at how the Badhatch backdoor morphed into Sardonic (Source: Bitdefender)

Security firm Bitdefender has conducted a forensic analysis of a new backdoor, dubbed Sardonic, used by the financially motivated threat group Fin8 in recent attacks against two unidentified financial organizations.

See Also: Live Webinar | Digital Doppelgängers: The Dual Faces of Deepfake Technology

Sardonic is an updated version of Fin8's previous backdoor called Badhatch that apparently is still under development, Bitdefender says. The gang's usual goal is attacking point-of-sale systems to obtain credit card information or as a general infostealer.

"The Sardonic backdoor is extremely potent and has a wide range of capabilities that help the threat actor leverage new malware on the fly without updating components," Bitdefender's report says.

Unlike Badhatch, Sardonic can be automatically enriched with new functionality without having to redeploy malware. So, Fin8 apparently is adopting a more agile posture to cyberattacks, says Bogdan Botezatu, director of threat research for Bitdefender

Bitdefender says it has spotted FIN8 waging two attacks in the past few months. "This is an unusually high activity for a threat actor that used to take long breaks between attacks," Botezatu says.

Fin8 apparently spent several months building and testing the new backdoor before using it in the attacks, Botezatu says. Bitdefender analyzed one of those attacks.

The report did not identify when or where the attacks took place.

Fin8's History

Fin8, which has been active since 2016, typically attempts to compromise companies in the financial, insurance, retail, hospitality, technology and chemical industries, Bitdefender says. The gang has waged attacks in the U.S., Canada, South Africa, Puerto Rico, Panama and Italy over the past year, the security firm says.

Fin8 has targeted financial services and POS systems primarily through "living off the land" attacks - using built-in tools and interfaces, such as PowerShell or WMI, and abusing legitimate services, such as, to disguise their activity, Bitdefender says.


Bitdefender identified Fin8 updating Badhatch in December 2020 and again in January, creating Sardonic, which is version 2.14 of the malware.

"Sardonic is a much more flexible backdoor than Badhatch as it can deploy other payloads to the already compromised computer, which saves extra effort in re-infecting existing victims, should the threat group choose to take a different approach," Botezatu says. "The Sardonic backdoor also seems to be under significant development, and future versions could bring the group new capabilities."

The maturation of Badhatch into Sardonic (Source: Bitdefender)

In a recent attack on an unidentified financial institution that Bitdefender analyzed, Fin8 used a .NET binary to load a shellcode containing the malware into memory. Once loaded, the embedded dynamic link library obtained the value of the Y1US environment variable and extracted the string that contained options for behavior customization so it could make changes, Bitdefender says.

Fin8 then used its access to scan for victim networks, provide attackers with remote access, install a backdoor, and deliver other malware payloads. One primary target has been POS systems, with the goal of obtaining credit card and other financial information, according to the security firm Morphisec.

When Fin8 Attacks

Bitdefender's researchers are unsure exactly how FIN8 gains initial access to its victims' networks. But they say there's some evidence that social engineering and spear-phishing attacks may have been used.

In Fin8 attacks Bitdefender has previously studied that took place before the release of Sardonic, researchers saw user accounts were compromised - with the evidence of compromise first appearing on one of the database servers. Once the malware was on the network, the attackers engaged in network reconnaissance and used their access to retrieve a list of trusted domains and a list of domain controllers, the researchers said

The next step was moving laterally by targeting domain controllers and the malware used the built-in Windows Management Interface Command utility for remote code execution.

Defensive Measures

Bitdefender recommends that organizations take the following actions to minimize the impact of this malware:

  • Separate the POS network from networks used by employees or guests;
  • Introduce cybersecurity awareness training for employees to help them spot phishing e-mails;
  • Tune the e-mail security solution to automatically discard malicious or suspicious attachments;
  • Integrate threat intelligence into existing SIEM or security controls for relevant indicators of compromise.

About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.