- Aug 17, 2014
The financially motivated threat actor known as FIN8 has been observed using a "revamped" version of a backdoor called Sardonic to deliver the BlackCat ransomware.
According to the Symantec Threat Hunter Team, part of Broadcom, the development is an attempt on the part of the e-crime group to diversify its focus and maximize profits from infected entities. The intrusion attempt took place in December 2022.
"The C++-based Sardonic backdoor has the ability to harvest system information and execute commands, and has a plugin system designed to load and execute additional malware payloads delivered as DLLs," Symantec said in a report shared with The Hacker News.
In the incident analyzed by Symantec, Sardonic is embedded into a PowerShell script that was deployed into the targeted system after obtaining initial access. The script is designed to launch a .NET loader, which then decrypts and executes an injector module to ultimately run the implant. "The purpose of the injector is to start the backdoor in a newly created WmiPrvSE.exe process," Symantec explained. "When creating the WmiPrvSE.exe process, the injector attempts to start it in session-0 (best effort) using a token stolen from the lsass.exe process."