Sardonic

Malware Profile Updated 3 months ago
Sardonic is a sophisticated backdoor first identified in 2021. It was designed to exploit and damage computer systems, typically infiltrating without the user's knowledge through malicious downloads, emails, or websites, and once installed it can disrupt operations, steal personal information, or hold data for ransom. Sardonic is most closely associated with the cybercrime group FIN8, which has used it as a primary capability in its attack infrastructure: the group deploys the backdoor with PowerShell scripts, transferring it over HTTP/S or emailing it as a compressed attachment, and uses it both for initial infiltration and for lateral movement within targeted systems.

The malware has since been revamped. The updated variant keeps many characteristics of the original but was changed to evade detection practices written for the initial version. Where the original backdoor analyzed by Bitdefender was written in C++, the revised version is written in C, giving its operators more flexibility and capability. Investigations found that FIN8 resurfaced using this revised Sardonic to launch BlackCat ransomware attacks, further expanding the tool's threat potential. Security researchers have also observed another group, tracked as Syssphinx, deploying a Sardonic variant to deliver Noberus ransomware; that variant was altered to obscure its origins, which complicates efforts to track and mitigate these threats. SafeBreach and other cybersecurity firms continue to monitor and analyze Sardonic and its variants in order to provide effective defenses against them.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so listed here are possible overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other contextual elements that may help in assessing relevance
Backdoor
Ransomware
Malware
Cybercrime
Lateral_move...
Bitdefender
Implant
Infiltration
Symantec
Associated Malware
ID | Type | Votes | Profile Description
BADHATCH | Unspecified | 1 | Badhatch is a backdoor malware that has been in use since 2019, primarily by the cybercriminal group known as Syssphinx. The malware is designed to exploit and damage computer systems, often infiltrating them through suspicious downloads, emails, or websites without the user's knowledge. Once inside
Associated Threat Actors
ID | Type | Votes | Profile Description
FIN8 | Unspecified | 5 | FIN8, also known as Syssphinx, is a financially motivated cybercrime group that has been active since at least January 2016. This threat actor is notorious for targeting organizations across various sectors including hospitality, retail, entertainment, insurance, technology, chemicals, and finance.
Syssphinx | Unspecified | 3 | Syssphinx, also known as FIN8, is a threat actor that has been active since 2016. This group is known for taking extended breaks between attack campaigns to refine its tactics, techniques, and procedures (TTPs). For instance, Syssphinx had used backdoor malware called Badhatch in attacks since 2019,
Alphv | Unspecified | 3 | AlphV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. This group has been involved in numerous high-profile attacks, including stealing 5TB of data from Morrison Community Hospital and compromising Clarion, a global manufacturer of audio and video equipment for car
Noberus | Unspecified | 3 | Noberus, also known as ALPHV or BlackCat, is a significant threat actor in the cybersecurity landscape. The group, which primarily operates a ransomware-as-a-service (RaaS) model, was the second most active ransomware group in April 2023, responsible for 14% of total observed victims. Originating fr
White Rabbit | Unspecified | 2 | White Rabbit is a notable threat actor in the cybersecurity landscape, known for its malicious activities and association with other prominent hacking groups. The group's name, derived from the character in Alice's Adventures in Quantum Wonderland, signifies its unique approach to cyber attacks. In
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Sardonic malware was drawn from the document corpus below. This display is limited to 20 results.
Source (created): Title
CERT-EU (4 months ago): EquiLend Employee Data Breached After January Ransomware Attack | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (5 months ago): LockBit Ransomware Gang Returns, Taunts FBI and Vows Data Leaks
Recorded Future (6 months ago): What is the Diamond Model of Intrusion Analysis?
CERT-EU (a year ago): Jordan's free speech boundaries tested with satire
CERT-EU (a year ago): The Week in Security: Google Cloud Build permissions can be poisoned, WormGPT weaponizes AI
CERT-EU (a year ago): Financial cybercrime syndicate deploys reworked backdoor malware
Securityaffairs (a year ago): FIN8 Group spotted delivering the BlackCat Ransomware
CERT-EU (a year ago): Akira Ransomware, 8Base Ransomware, and more: Hacker’s Playbook Threat Coverage Round-up: August 22, 2023
CERT-EU (8 months ago): Hive Ransomware Resurfaces as Hunters International, Bitdefender Claim
CERT-EU (a year ago): Citrix NetScaler attacks linked to a ransomware campaign
CERT-EU (10 months ago): This Week In Security: Looney Tunables, Not A 0-day*, And Curl Warning
CERT-EU (a year ago): Cyber Security Today, July 19, 2023 – The Sturmous ransomware group is back, a ransomware gang adds a new backdoor, and more | IT World Canada News
CERT-EU (a year ago): Cyber Security Week In Review: July 21, 2023
MITRE (7 months ago): FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware
CERT-EU (a year ago): FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware – Cyber Security Review
DARKReading (a year ago): FIN8 Modifies 'Sardonic' Backdoor to Deliver BlackCat Ransomware
CERT-EU (a year ago): FIN8 uses updated backdoor to deploy BlackCat ransomware
CERT-EU (a year ago): FIN8 Group Using Modified Sardonic Backdoor for BlackCat Ransomware Attacks