FIN8 Uses Modified ‘Sardonic’ Backdoor to Distribute BlackCat Ransomware

The notorious cybercrime group FIN8, also known as Syssphinx, has made a comeback with a new version of its Sardonic backdoor. This time, the group has used the backdoor to deliver the BlackCat ransomware. FIN8 is known for its constant reinvention and for financially motivated attacks on organizations in industries such as finance, entertainment, and retail.

Typically, FIN8 relies on spear-phishing and social engineering to gain access to its targets. The group also uses living-off-the-land techniques to mask its malicious activity and evade detection. In its latest campaign, Symantec researchers observed FIN8 using an updated version of the Sardonic backdoor, which Bitdefender first reported in 2021. While the new version of Sardonic is larger and differs substantially from its predecessor, it is not an improvement in every respect.

According to the researchers, some of the modifications to the backdoor appear unnatural and suggest that the threat actors' primary goal was to avoid resemblance to previously disclosed details. This lets FIN8 slip past defenses tuned to the older version of the backdoor. The new Sardonic backdoor retains similarities with its predecessor, but most of its code has been rewritten, giving it a new appearance.

The updated backdoor supports more plugin formats, giving the attackers greater flexibility and capability. It also introduces new features and improvements, such as additional obfuscation: several features that were easy to detect in the original C++-based Sardonic are now hidden, and strings that previously appeared in plaintext are now obfuscated. The new version also addresses weaknesses criticized in the earlier version, such as flaws in its RSA usage.

However, not every change is beneficial. The researchers noted that the operation code specifying how a network message is to be interpreted has been moved to after the variable-length part of the message, which complicates the backdoor's parsing logic.

FIN8 has a history of constantly evolving its malware. The group first appeared in 2016, when it compromised point-of-sale systems at more than 100 organizations. Over the years, FIN8 has shifted from harvesting credit-card data to deploying ransomware such as Ragnar Locker. The recent move to ransomware suggests the threat actors are diversifying to maximize profit from compromised organizations. The group is currently deploying BlackCat ransomware, developed by the ALPHV group, which is also known by the same name.

In addition to evolving its malware, FIN8 has invested considerable effort in its backdoors. The first, named "Badhatch," was observed in 2019, with further iterations in the following years. Sardonic, the latest backdoor, was introduced in August 2021. This C++-based malware provides command execution and credential harvesting, along with a plugin system for downloading additional malware payloads.

To defend against FIN8's ever-changing tactics, experts recommend a comprehensive defense-in-depth strategy: layered detection and protection tools, multifactor authentication (MFA), and access controls. Organizations can also issue one-time credentials for administrative work to limit the theft and misuse of admin credentials. It is also important to profile the normal usage of administrative tools, since attackers frequently abuse them to move through a network undetected.

As FIN8 continues to evolve and refine its attack methods, it is crucial for organizations to stay vigilant and employ robust cybersecurity measures to protect their sensitive data and systems. Cybersecurity professionals and researchers will need to remain proactive in their efforts to detect and mitigate the threats posed by this persistent cybercrime group.
