FIN8 Modifies Sardonic Backdoor to Deliver BlackCat Ransomware

Published: 23/11/2024   Category: security




The cybercrime group has given its backdoor malware a facelift in an attempt to evade detection, making some bug fixes and setting itself up to deliver its latest crimeware toy, BlackCat.



The threat actor FIN8 has resurged after a lull, using a revised version of its Sardonic backdoor to deliver the BlackCat ransomware. It's an evolution of its malware arsenal that fits the group's pattern of constant reinvention.
FIN8, which Symantec tracks as Syssphinx, is a well-known, financially motivated cybercrime group that in the past has indiscriminately targeted organizations across the chemicals, entertainment, finance, hospitality, insurance, retail, and technology industries. Generally, it uses spear-phishing and social engineering to hook into targets, and living-off-the-land tactics to mask its malicious activities.
In the latest campaign, Symantec researchers observed FIN8 deploying a new iteration of its old Sardonic backdoor, first reported back in 2021 by Bitdefender. The new Sardonic is bigger and different, though not necessarily improved across the board.
"Some of the reworking looks unnatural, suggesting that the primary goal of the threat actors could be to avoid similarities with previously disclosed details," the researchers wrote in a report published July 18.
Hackers might choose to rewrite their malware after it's been outed, as Sardonic was in 2021, to skirt by the cybersecurity defenses that are attuned to it.
To that end, "the new Sardonic backdoor is quite similar to the first," the researchers noted; "however, most of the backdoor's code has been rewritten, such that it gains a new appearance."
But it's not merely change for change's sake. For example, the new version supports more plugin formats, expanding the attackers' flexibility and capabilities.
"Some of the changes do introduce new features or improvements," John-Paul Power, intelligence analyst at the Symantec Threat Hunter Team, tells Dark Reading, such as adding more obfuscation.
"The revamped backdoor obfuscates some features that were easy to see in the original C++-based Sardonic," he explains. "For example, the earlier version contains multiple strings in plaintext that are obfuscated now."
"[Earlier] analysis also took advantage of certain metadata in the original samples to assist with their analysis, and these features were removed in the samples analyzed by us," he adds.
Some of the updates almost seem like a direct response to the early research from Bitdefender about the first version.
"A few features criticized by Bitdefender were removed," Power says. "For example, Bitdefender pointed out flaws in RSA usage. The sample analyzed by Symantec completely removes the public key scheme from the encryption."
In another example, Bitdefender pointed out issues with JSON encoding used by the command to gather information about an infected system. "That command is removed together with the problematic JSON implementation," says Power.
Not all of the changes have been for the better, though. For example, Symantec researchers wrote in their blog this week that when sending messages over the network, the operation code specifying how to interpret the message has been moved after the variable part of the message, a change that adds some complications to the backdoor logic.
FIN8 has been around since at least 2016, when it burst onto the scene by compromising point-of-sale (PoS) systems at more than 100 organizations. In the years since, the group has dipped in and out of the spotlight, tweaking its tools each time around.
For example, around the turn of the decade, it transitioned from harvesting credit-card data from PoS systems to deploying ransomware, like Ragnar Locker, developed by the cybercriminal gang Viking Spider.
"The Syssphinx group's move to ransomware suggests the threat actors may be diversifying their focus in an effort to maximize profits from compromised organizations," the researchers wrote on July 18. Lately, the group has been using BlackCat ransomware, from the group of the same name (aka ALPHV).
FIN8 has seemingly spent even more time over the years working on its backdoors. Its first, Badhatch, was first observed in 2019, and the group iterated on it in each of the two years that followed. Sardonic followed in August 2021.
The C++-based malware came fitted with command execution and credential harvesting capabilities, plus a plugin system for downloading additional malware payloads as dynamic link libraries (DLLs).
To harden against FIN8's frequently changing malware, Power recommends a standard defense-in-depth strategy involving layered detection and protection tools, multifactor authentication (MFA), and access controls.
Organizations could also introduce one-time credentials for administrative work to help prevent theft and misuse of admin credentials, and create profiles of usage for admin tools. "Many of these tools are used by attackers to move laterally undetected through a network," Power says.
