FIN8 Adapts Tactics: Deploys BlackCat Ransomware via Modified Sardonic Backdoor: The financially motivated threat group FIN8 has evolved its tactics by using a modified version of the Sardonic backdoor to deliver the BlackCat ransomware.
This strategic shift by the group aims to diversify its focus and increase profits from targeted entities. Symantec’s Threat Hunter Team has identified this development, shedding light on FIN8’s ongoing evolution as a significant cyber threat.
Key takeaways FIN8 Adapts Tactics: Deploys BlackCat Ransomware via Modified Sardonic Backdoor:
Table of Contents
- FIN8, also known as Syssphinx, has expanded its operations to include ransomware attacks, moving beyond its previous focus on point-of-sale (PoS) systems.
- The group has modified the Sardonic backdoor, a C++-based implant capable of executing commands and loading additional malware payloads.
- By leveraging this new approach, FIN8 demonstrates its commitment to refining techniques, evading detection, and maximizing profits from victim organizations.
The financially motivated threat group FIN8, identified as Syssphinx by cybersecurity experts, has recently adopted a fresh strategy, leveraging a revamped version of the Sardonic backdoor to distribute the BlackCat ransomware.
This evolution in FIN8’s activities signifies their intent to expand their criminal endeavors and optimize financial gains through targeted attacks.
Evolution of FIN8: From PoS Attacks to Ransomware
Having been active since 2016, FIN8 initially gained notoriety for its attacks on point-of-sale (PoS) systems, utilizing malware like PUNCHTRACK and BADHATCH.
After a period of relative inactivity, the group resurfaced in March 2021 with an updated version of BADHATCH and later introduced the Sardonic backdoor in August 2021, as disclosed by Bitdefender.
Modified Sardonic Backdoor: A Sophisticated Implant
The Sardonic backdoor, developed in C++, possesses extensive capabilities, including system information gathering, command execution, and the loading of additional malware payloads in the form of DLLs.
In its latest iteration, FIN8 has made significant modifications to the source code, rewriting it in C and deliberately obscuring any similarities with the previous version to avoid detection.
Attack Analysis: Sardonic as the Initial Access Vector
In the analyzed incident, FIN8 deploys the Sardonic backdoor through a PowerShell script, which is injected into the compromised system upon gaining initial access.
This script initiates a .NET loader responsible for decrypting and executing an injector module, ultimately launching the Sardonic implant.
The injector’s objective is to start the backdoor within a newly created WmiPrvSE.exe process, utilizing a stolen token from the lsass.exe process.
Advanced Capabilities and Features
Sardonic not only enables the threat actor to execute malicious commands through up to 10 interactive sessions on the infected host, but it also supports three plugin formats for executing additional DLLs and shellcode.
The backdoor offers functionalities such as dropping arbitrary files and exfiltrating sensitive data from the compromised machine to infrastructure controlled by the threat actor.
FIN8’s Shifting Tactics: Expanding into Ransomware
This is not the first time that FIN8 has employed the Sardonic backdoor in conjunction with ransomware attacks.
In a previous instance, the group was discovered utilizing the White Rabbit ransomware, which is based on the Sardonic implant. FIN8’s decision to broaden its scope from PoS attacks to ransomware highlights the group’s commitment to maximizing profits from targeted organizations.
Conclusion
The detection of FIN8’s utilization of a modified Sardonic backdoor for BlackCat ransomware distribution underscores the group’s adaptability and persistent efforts to refine its capabilities and evade detection.
As FIN8 expands its attack landscape to include ransomware, it is crucial for organizations to remain vigilant and enhance their security measures to mitigate the evolving threats posed by this financially motivated threat actor.
