
Sardonic Backdoor Targeting Financial Institutions.

Romanian cybersecurity company Bitdefender dubbed the malware Sardonic after finding it during a forensic investigation that followed a failed FIN8 attack against an unnamed financial institution in the United States.


Bitdefender researchers Eduard Budaca and Victor Vrabie reported that “Sardonic backdoor is extremely potent and has a wide range of capabilities that help the threat actor leverage new malware on the fly without updating components.”

Researchers also noted that the group behind this malware has mainly targeted the retail, hospitality and entertainment industries, and that the deployment of a new backdoor on infected systems indicates the operators are continuously reworking their malware to bypass detection.

Source: Bitdefender

“Once in the network, the attackers began with network reconnaissance, obtaining information about the domain (users, domain controllers) and continued with lateral movement and privilege escalation. In addition to the use of WMIExec, which we reported earlier, we found traces of SMBExec from the same toolset (Impacket), along with, of course, the offensive features of their signature backdoor, BADHATCH,” reads the blog post.

Researchers also observed that this threat actor maintains persistence on the compromised machine, conducts reconnaissance, executes arbitrary commands, and loads additional plugins, exfiltrating the results to external C&C servers.

Indicators of Compromise

Domains
api-cdn[.]net
git-api[.]com
api-cdnw5[.]net
104-168-237-21.sslip[.]io

IP addresses
89.45.4[.]192

URLs
https://104-168-237-21.sslip[.]io/134af6
https://104-168-237-21.sslip[.]io/edaea0


Hashes
ede6ca7c3c3aedeb70e8504e1df70988263aab60ac664d03995bce645dff0935
5b8b732d0bb708aa51ac7f8a4ff5ca5ea99a84112b8b22d13674da7a8ca18c28
4e73e9a546e334f0aee8da7d191c56d25e6360ba7a79dc02fe93efbd41ff7aa4
05236172591d843b15987de2243ff1bfb41c7b959d7c917949a7533ed60aafd9
edfd3ae4def3ddffb37bad3424eb73c17e156ba5f63fd1d651df2f5b8e34a6c7
827448cf3c7ddc67dca6618f4c8b1197ee2abe3526e27052d09948da2bc500ea
0e11a050369010683a7ed6a51f5ec320cd885128804713bb9df0e056e29dc3b0
0980aa80e52cc18e7b3909a0173a9efb60f9d406993d26fe3af35870ef1604d0
64f8ac7b3b28d763f0a8f6cdb4ce1e5e3892b0338c9240f27057dd9e087e3111
2d39a58887026b99176eb16c1bba4f6971c985ac9acbd9e2747dd0620548aaf3
8cfb05cde6af3cf4e0cb025faa597c2641a4ab372268823a29baef37c6c45946
72fd2f51f36ba6c842fdc801464a49dce28bd851589c7401f64bbc4f1a468b1a
6cba6d8a1a73572a1a49372c9b7adfa471a3a1302dc71c4547685bcbb1eda432


Filenames
sldr.ps1
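The network, hash and filename indicators above are published defanged ("[.]" in place of "."), so they have to be restored before they can be matched against telemetry. The following PowerShell is an added example written for this post, not tooling from Bitdefender or the original report: it refangs the published indicators, matches them against log lines, and compares SHA-256 hashes and filenames of files under a directory. The indicator values are the ones listed above; the sample log lines and the scan path are constructed assumptions.

```powershell
# Added example (not from the Bitdefender report or this post): sweep log
# lines and a directory against the published Sardonic indicators.
# Indicator values are from the IoC list; sample lines and scan path are constructed.

# Defanged indicators exactly as published; refanged below before matching.
$DefangedDomains = @('api-cdn[.]net', 'git-api[.]com', 'api-cdnw5[.]net',
                     '104-168-237-21.sslip[.]io', '89.45.4[.]192')
$DefangedUrls    = @('https://104-168-237-21.sslip[.]io/134af6',
                     'https://104-168-237-21.sslip[.]io/edaea0')
$Hashes = @(
    'ede6ca7c3c3aedeb70e8504e1df70988263aab60ac664d03995bce645dff0935',
    '5b8b732d0bb708aa51ac7f8a4ff5ca5ea99a84112b8b22d13674da7a8ca18c28',
    '4e73e9a546e334f0aee8da7d191c56d25e6360ba7a79dc02fe93efbd41ff7aa4',
    '05236172591d843b15987de2243ff1bfb41c7b959d7c917949a7533ed60aafd9',
    'edfd3ae4def3ddffb37bad3424eb73c17e156ba5f63fd1d651df2f5b8e34a6c7',
    '827448cf3c7ddc67dca6618f4c8b1197ee2abe3526e27052d09948da2bc500ea',
    '0e11a050369010683a7ed6a51f5ec320cd885128804713bb9df0e056e29dc3b0',
    '0980aa80e52cc18e7b3909a0173a9efb60f9d406993d26fe3af35870ef1604d0',
    '64f8ac7b3b28d763f0a8f6cdb4ce1e5e3892b0338c9240f27057dd9e087e3111',
    '2d39a58887026b99176eb16c1bba4f6971c985ac9acbd9e2747dd0620548aaf3',
    '8cfb05cde6af3cf4e0cb025faa597c2641a4ab372268823a29baef37c6c45946',
    '72fd2f51f36ba6c842fdc801464a49dce28bd851589c7401f64bbc4f1a468b1a',
    '6cba6d8a1a73572a1a49372c9b7adfa471a3a1302dc71c4547685bcbb1eda432'
)
$Filenames = @('sldr.ps1')

function ConvertFrom-Defanged {
    param([Parameter(Mandatory)][string]$Indicator)
    # Published indicators replace "." with "[.]" so they are not clickable.
    return $Indicator -replace '\[\.\]', '.'
}

$Domains = $DefangedDomains | ForEach-Object { ConvertFrom-Defanged $_ }
$Urls    = $DefangedUrls    | ForEach-Object { ConvertFrom-Defanged $_ }

function Find-IocInLogLines {
    # Case-insensitive substring match of every refanged domain/URL in each line.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        foreach ($d in $Domains) {
            if ($line.IndexOf($d, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{ Type = 'Domain'; Indicator = $d; Line = $line }
            }
        }
        foreach ($u in $Urls) {
            if ($line.IndexOf($u, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{ Type = 'URL'; Indicator = $u; Line = $line }
            }
        }
    }
}

function Find-IocOnDisk {
    # Get-FileHash returns upper-case hex while the report lists lower-case,
    # so the lookup set is case-insensitive.
    param([Parameter(Mandatory)][string]$Path)
    $hashSet = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$Hashes, [System.StringComparer]::OrdinalIgnoreCase)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        if ($Filenames -contains $_.Name) {
            [pscustomobject]@{ Type = 'Filename'; Indicator = $_.Name; Line = $_.FullName }
        }
        $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($h -and $hashSet.Contains($h)) {
            [pscustomobject]@{ Type = 'SHA256'; Indicator = $h.ToLower(); Line = $_.FullName }
        }
    }
}

# Constructed sample DNS/proxy lines (not real telemetry).
$SampleLines = @(
    '2021-08-10T12:00:01Z dns client=10.0.0.15 qname=api-cdnw5.net type=A',
    '2021-08-10T12:00:05Z proxy client=10.0.0.15 url=https://104-168-237-21.sslip.io/134af6 status=200',
    '2021-08-10T12:00:09Z dns client=10.0.0.22 qname=update.example.com type=A'
)
Find-IocInLogLines -Lines $SampleLines | Format-Table -AutoSize
Find-IocOnDisk -Path $env:TEMP | Format-Table -AutoSize   # assumption: directory to sweep
```

Run against the constructed lines, the first two report hits (the proxy line matches both the sslip.io domain and the full URL) and the third reports nothing; point `Find-IocOnDisk` at whatever directories your triage covers.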


WMI objects
root/cimv2:Win32_Base64Class
root/subscription:PerfOs
root/subscription:PerfData
root/subscription:PerfOsOnce
Unnamed object in root/subscription, class “__FilterToConsumerBinding”, filter value “__eventfilter.name=’PerfOs’”
Unnamed object in root/subscription, class “__FilterToConsumerBinding”, filter value “__eventfilter.name=’PerfOsOnce’”
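The root/subscription objects above are the three parts of a WMI permanent event subscription: an `__EventFilter` (the trigger query), an `__EventConsumer` (the payload) and an unnamed `__FilterToConsumerBinding` that ties them together, which is why the report lists the bindings by their filter value rather than by name. The PowerShell below is an added example for this post, not Bitdefender's tooling: it enumerates every binding on the local host, resolves the filter and consumer it joins, and flags the object names from the IoC list, then checks for the custom `Win32_Base64Class`. It assumes an elevated session on the host under investigation.

```powershell
# Added example (not from the Bitdefender report or this post): enumerate WMI
# event-subscription persistence on the local host and flag the object names
# from the IoC list. Assumes an elevated PowerShell session.

$SuspectNames = @('PerfOs', 'PerfData', 'PerfOsOnce')   # names from the IoC list

function Get-WmiRefName {
    # A __FilterToConsumerBinding stores Filter/Consumer as object references.
    # Get-CimInstance returns them as CimInstance objects; older tooling returns
    # path strings such as __EventFilter.Name="PerfOs". Handle both forms.
    param($Ref)
    if ($Ref -is [string]) { return ($Ref -split '=', 2)[-1].Trim('"', "'") }
    return $Ref.Name
}

function Get-WmiPersistenceReport {
    $ns = 'root/subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter             -ErrorAction SilentlyContinue
    # __EventConsumer is the abstract base class; querying it returns every concrete consumer.
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer           -ErrorAction SilentlyContinue
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue

    foreach ($b in $bindings) {
        $filterName   = Get-WmiRefName $b.Filter
        $consumerName = Get-WmiRefName $b.Consumer
        $filter   = $filters   | Where-Object Name -eq $filterName   | Select-Object -First 1
        $consumer = $consumers | Where-Object Name -eq $consumerName | Select-Object -First 1

        # The payload sits in CommandLineTemplate (CommandLineEventConsumer) or
        # ScriptText (ActiveScriptEventConsumer); other consumer types carry neither.
        $payload = '<none>'
        if ($consumer.CommandLineTemplate) { $payload = $consumer.CommandLineTemplate } elseif ($consumer.ScriptText) { $payload = $consumer.ScriptText }

        [pscustomobject]@{
            Filter        = $filterName
            Query         = $filter.Query
            Consumer      = $consumerName
            ConsumerClass = $consumer.CimClass.CimClassName
            Payload       = $payload
            KnownIoc      = ($SuspectNames -contains $filterName) -or ($SuspectNames -contains $consumerName)
        }
    }
}

# The report also lists a custom class in root/cimv2. A class nothing legitimate
# installed is itself an indicator, independent of any subscription.
$customClass = Get-CimClass -Namespace root/cimv2 -ClassName Win32_Base64Class -ErrorAction SilentlyContinue
if ($customClass) { Write-Warning 'root/cimv2:Win32_Base64Class is present on this host' }

Get-WmiPersistenceReport | Sort-Object KnownIoc -Descending | Format-List
```

Read the full report rather than only the `KnownIoc` rows: a renamed filter or consumer would not match the published names, but a `CommandLineEventConsumer` or `ActiveScriptEventConsumer` bound to a timer or process-creation query still shows up with its payload in `Payload`, and on most hosts the legitimate set of bindings is small enough to review by hand.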

