A new variant of the Sardonic backdoor associated with the cybercriminal gang Syssphinx (also known as FIN8) has been identified by the Symantec Threat Hunter Team (STHT), which is part of Broadcom. This variant is specifically designed to deliver the Noberus ransomware.
The Sardonic backdoor itself is not new: it was first documented in 2021, and in 2022 it was observed delivering the White Rabbit ransomware. According to Symantec, FIN8's move into ransomware was first seen in 2021, when the gang deployed the Ragnar Locker ransomware on compromised systems in the financial sector. Symantec suggests that this shift in tactics reflects the gang's desire to extract the maximum profit from each compromised organization.
Symantec's report highlights that the gang has revised its tooling. The reworked backdoor has largely been rewritten in C, whereas the previous version was written in C++. In addition, the new variant is embedded indirectly in a PowerShell script, whereas the earlier version was delivered through an intermediate downloader shellcode.
Symantec concludes that FIN8 continues to develop and improve both its capabilities and its malware delivery infrastructure. The group's decision to expand from point-of-sale attacks to ransomware deployment shows how far it will go to maximize profits from victim organizations, and indicates that FIN8 remains a serious threat.
Jon Miller, CEO and co-founder of Halcyon, commented on FIN8's shift to ransomware, stating that it is not surprising considering the group's financial motivations. Miller emphasizes that ransomware operations and network intrusion operations with the intent to harvest data for financial theft and fraud are not fundamentally different.
Does FIN8's shift in tactics pose a significant threat to organizations? Miller believes it does, particularly for retailers. The POS malware already in FIN8's repertoire, combined with the advanced BlackCat/ALPHV ransomware payload, has the potential to severely disrupt retail operations. James McQuiggan, security awareness advocate at KnowBe4, affirms that ransomware is always a top threat to companies, and points to FIN8's recent activity as evidence.
McQuiggan suggests that organizations must continue to use technology to strengthen security, alongside security awareness and education programs for their users. Because cybercriminals like FIN8 constantly update their tactics, security teams should prioritize continuous monitoring, automation, AI-enabled analytics, and a robust awareness program to reduce organizational cyber risk. A resilient security culture built on least-privilege access, frequent assessments and training, and top-down collaboration is essential for countering financially motivated attackers.
In summary, the emergence of a new Sardonic backdoor variant tied to FIN8 highlights the group's ongoing effort to maximize profits through ransomware. Organizations, particularly in the retail sector, should take the potential impact on their operations seriously. Continued investment in technology, security awareness, and collaboration remains crucial to mitigating the threat posed by groups like FIN8.