A financially motivated cybercrime gang has been observed deploying BlackCat ransomware payloads on networks backdoored using a revamped version of the Sardonic malware.
Tracked as FIN8 (aka Syssphinx), this threat actor has been active since at least January 2016, focusing on industries such as retail, restaurants, hospitality, healthcare, and entertainment.
Since they were first observed and tagged as a threat group by FireEye, FIN8 has been linked to many large-scale campaigns characterized by their sporadic nature. Nevertheless, their attacks have impacted numerous organizations, leaving a footprint of hundreds of victims in their wake.
The arsenal employed by this threat actor is extensive, encompassing a wide range of tools and tactics, including POS malware strains such as BadHatch, PoSlurp/PunchTrack, and PowerSniff/PunchBuggy/ShellTea, as well as the exploitation of Windows zero-day vulnerabilities and spear-phishing campaigns.
They have also switched from BadHatch to a C++-based backdoor known as Sardonic, which, according to the Bitdefender security researchers who discovered it in 2021, can collect information, execute commands, and deploy additional malicious modules as DLL plugins.
Symantec's Threat Hunter Team observed a revamped version of this backdoor deployed in December 2022 attacks, a variant that shares functionality with the version discovered by Bitdefender.
"However, most of the backdoor's code has been rewritten, such that it gains a new appearance. Interestingly, the backdoor code no longer uses the C++ standard library and most of the object-oriented features have been replaced with a plain C implementation," Symantec said.
"In addition, some of the reworkings look unnatural, suggesting that the primary goal of the threat actors could be to avoid similarities with previously disclosed details. This goal seemed limited to just the backdoor itself, as known Syssphinx techniques were still used."
Maximizing profits through ransomware
While the end goal of their attacks has traditionally been stealing payment card data from Point-of-Sale (POS) systems, FIN8 has expanded from point-of-sale intrusions to ransomware attacks to maximize profits.
For instance, according to Symantec, the gang was seen for the first time in June 2021 deploying ransomware (Ragnar Locker payloads) on the compromised systems of a financial services company in the United States.
Six months later, in January 2022, White Rabbit ransomware was also linked to FIN8 after researchers discovered connections to the gang's infrastructure while analyzing the ransomware's deployment stage. Moreover, the Sardonic backdoor was also used during the White Rabbit ransomware attacks, further linking them to FIN8.
In a more recent development, Symantec also observed FIN8 deploying BlackCat (aka ALPHV) ransomware in the December 2022 attacks where the new Sardonic malware variant was used.
"Syssphinx continues to develop and improve its capabilities and malware delivery infrastructure, periodically refining its tools and tactics to avoid detection," Symantec said.
"The group's decision to expand from point-of-sale attacks to the deployment of ransomware demonstrates the threat actors' dedication to maximizing profits from victim organizations."