1. Home
  2. Software
  3. Sardonic

Sardonic

Sardonic is a backdoor written in C and C++ that is known to be used by FIN8, as early as August 2021 to target a financial institution in the United States. Sardonic has a plugin system that can load specially made DLLs and execute their functions.[1][2]

ID: S1085
Type: MALWARE
Platforms: Windows
Contributors: Serhii Melnyk, Trustwave SpiderLabs
Version: 1.0
Created: 05 September 2023
Last Modified: 04 October 2023
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows管理规范

Sardonic can use WMI to execute PowerShell commands on a compromised machine.[1]
Enterprise T1546 .003 事件触发执行: Windows Management Instrumentation Event Subscription

Sardonic can use a WMI event filter to invoke a command-line event consumer to gain persistence.[1]
Enterprise T1005 从本地系统获取数据

Sardonic has the ability to collect data from a compromised machine to deliver to the attacker.[2]

Enterprise T1573 .001 加密通道: Symmetric Cryptography

Sardonic has the ability to use an RC4 key to encrypt communications to and from actor-controlled C2 servers.[1]
.002 加密通道: Asymmetric Cryptography

Sardonic has the ability to send a random 64-byte RC4 key to communicate with actor-controlled C2 servers by using an RSA public key.[1]
Enterprise T1620 反射性代码加载

Sardonic has a plugin system that can load specially made DLLs into memory and execute their functions.[1][2]
Enterprise T1140 反混淆/解码文件或信息

Sardonic can first decrypt with the RC4 algorithm using a hardcoded decryption key before decompressing.[2]
Enterprise T1059 .001 命令与脚本解释器: PowerShell

Sardonic has the ability to execute PowerShell commands on a compromised machine.[1]
.003 命令与脚本解释器: Windows Command Shell

Sardonic has the ability to run cmd.exe or other interactive processes on a compromised computer.[2]
Enterprise T1132 .001 数据编码: Standard Encoding

Sardonic can encode client ID data in 32 uppercase hex characters and transfer to the actor-controlled C2 server.[1]
Enterprise T1106 本机API

Sardonic has the ability to call Win32 API functions to determine if powershell.exe is running.[1]

Enterprise T1027 混淆文件或信息

Sardonic can use certain ConfuserEx features for obfuscation and can be encoded in a base64 string.[2]
.010 Command Obfuscation

Sardonic PowerShell scripts can be encrypted with RC4 and compressed using Gzip.[1]
Enterprise T1070 移除指标

Sardonic has the ability to delete created WMI objects to evade detections.[1]
Enterprise T1082 系统信息发现

Sardonic has the ability to collect the computer name, CPU manufacturer name, and C:\ drive serial number from a compromised machine. Sardonic also has the ability to execute the ver and systeminfo commands.[1]
Enterprise T1007 系统服务发现

Sardonic has the ability to execute the net start command.[1]
Enterprise T1049 系统网络连接发现

Sardonic has the ability to execute the netstat command.[1]
Enterprise T1016 系统网络配置发现

Sardonic has the ability to execute the ipconfig command.[1]
Enterprise T1135 网络共享发现

Sardonic has the ability to execute the net view command.[1]
Enterprise T1105 输入工具传输

Sardonic has the ability to upload additional malicious files to a compromised machine.[1]
Enterprise T1057 进程发现

Sardonic has the ability to execute the tasklist command.[1]
Enterprise T1055 .004 进程注入: Asynchronous Procedure Call

Sardonic can use the QueueUserAPC API to execute shellcode on a compromised machine.[2]
Enterprise T1095 非应用层协议

Sardonic can communicate with actor-controlled C2 servers by using a custom little-endian binary protocol.[1]
Enterprise T1571 非标准端口

Sardonic has the ability to connect with actor-controlled C2 servers using a custom binary protocol over port 443.[1]

Groups That Use This Software

ID Name References
G0061 FIN8

[1][2]

References

  1. Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.
  1. Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.