Key Takeaways
What is Sardonic?
The backdoor was embedded indirectly into a PowerShell script that infected victim machines. The PowerShell script code deletes the script file, checks the architecture, and chooses a 32-bit or 64-bit version of an encoded .NET loader, as appropriate.
The .NET loader is decoded and loaded into the current process, and the script then invokes the loader's main functionality. The .NET loader itself is an obfuscated .NET DLL containing two blobs: the injector and the backdoor. The injector is shellcode and is used to start the backdoor in a newly created WmiPrvSE.exe process. The backdoor is also shellcode.

The Sardonic backdoor allows the threat actor to run up to 10 sessions leveraging cmd.exe or other interactive processes. It also supports multiple plugin formats to extend its functionality: PE DLL plugins, shellcode plugins, and shellcode that passes arguments using a different convention.
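The execution chain above leaves two observable artifacts on the host: a PowerShell host deleting the .ps1 it was launched from, and a WmiPrvSE.exe process whose parent is a PowerShell host rather than the WMI service (svchost.exe). The detection logic below is an added example, not PolySwarm's code; the events and the simplified Sysmon-style field names are constructed assumptions for illustration.

```python
"""Detect the Sardonic loader chain in process-creation ("proc") and
file-delete ("del") events: a self-deleting PowerShell script followed by
WmiPrvSE.exe spawned by powershell.exe instead of the WMI service host.

Field names are a simplified Sysmon-like layout (assumption); the event
stream below is constructed for this example."""
import ntpath

SAMPLE_EVENTS = [  # constructed sample data
    {"type": "proc", "pid": 100, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "proc", "pid": 101, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe", "cmdline": "WmiPrvSE.exe"},
    {"type": "proc", "pid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Users\u\AppData\Local\Temp\upd.ps1"},
    {"type": "del", "pid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\u\AppData\Local\Temp\upd.ps1"},
    {"type": "proc", "pid": 201, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "WmiPrvSE.exe"},
]

POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}
WMIPRVSE_NORMAL_PARENT = "svchost.exe"  # WMI Provider Host is normally started by the WMI service


def _name(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def detect_sardonic_chain(events):
    """Return (rule, pid) findings in event order."""
    findings = []
    for ev in events:
        if ev["type"] == "proc" and _name(ev["image"]) == "wmiprvse.exe":
            parent = _name(ev["parent_image"])
            if parent != WMIPRVSE_NORMAL_PARENT:
                rule = ("wmiprvse_spawned_by_powershell" if parent in POWERSHELL_HOSTS
                        else "wmiprvse_unexpected_parent")
                findings.append((rule, ev["pid"]))
        elif ev["type"] == "del" and _name(ev["image"]) in POWERSHELL_HOSTS:
            # A script host removing a .ps1 matches the self-deleting loader script.
            if ev["target"].lower().endswith(".ps1"):
                findings.append(("powershell_deleted_ps1", ev["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect_sardonic_chain(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The parent-process check alone will also fire on other WmiPrvSE.exe injection tradecraft, so correlate it with the .ps1 deletion from the same host before treating a hit as Sardonic.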
Who is Fin8?
IOCs
PolySwarm has multiple samples associated with this activity.
5b8b732d0bb708aa51ac7f8a4ff5ca5ea99a84112b8b22d13674da7a8ca18c28
72fd2f51f36ba6c842fdc801464a49dce28bd851589c7401f64bbc4f1a468b1a
6cba6d8a1a73572a1a49372c9b7adfa471a3a1302dc71c4547685bcbb1eda432
You can use the following CLI command to search for all Sardonic samples in our portal:
$ polyswarm link list -f Sardonic