A financially motivated cybercrime gang has been observed deploying BlackCat ransomware payloads on networks backdoored using a revamped Sardonic malware version.
Tracked as FIN8 (aka Syssphinx), this threat actor has been actively operating since at least January 2016, focusing on targeting industries such as retail, restaurants, hospitality, healthcare, and entertainment.
Since they were first spotted and tagged as a threat group by FireEye, FIN8 has been linked to many large-scale campaigns characterized by their sporadic nature. However, their attacks have impacted numerous organizations, leaving a footprint of hundreds of victims in their wake.
The arsenal employed by this threat actor is extensive, encompassing a wide range of tools and tactics, including POS malware strains like BadHatch, PoSlurp/PunchTrack, and PowerSniff/PunchBuggy/ShellTea, as well as the exploitation of Windows zero-day vulnerabilities and spear-phishing campaigns.
They’ve also switched from BadHatch to a C++-based backdoor known as Sardonic, which, according to Bitdefender security researchers who discovered it in 2021, can collect information, execute commands, and deploy additional malicious modules as DLL plugins.
Symantec’s Threat Hunter Team observed a revamped version of this backdoor deployed in December 2022 attacks, a variant that shares functionality with the version discovered by Bitdefender.
“However, most of the backdoor’s code has been rewritten, such that it gains a new appearance. Interestingly, the backdoor code no longer uses the C++ standard library and most of the object-oriented features have been replaced with a plain C implementation,” Symantec said.
“In addition, some of the reworkings look unnatural, suggesting that the primary goal of the threat actors could be to avoid similarities with previously disclosed details. This goal seemed limited to just the backdoor itself, as known Syssphinx techniques were still used.”
Maximizing profits through ransomware
While their attacks’ end goal revolves around stealing payment card data from Point-of-Sale (POS) systems, FIN8 has expanded from point-of-sale to ransomware attacks to maximize profits.
For instance, according to Symantec, the gang was, for the first time, seen in June 2021 deploying ransomware (Ragnar Locker payloads) on the compromised systems of a financial services company in the United States.
Six months later, in January 2022, White Rabbit ransomware was also linked to FIN8 after researchers discovered links to the gang’s infrastructure when analyzing the ransomware’s deployment stage. Moreover, the Sardonic backdoor was also used during the White Rabbit ransomware attacks, further linking them to FIN8.
In a more recent development, Symantec also spotted FIN8 hackers deploying BlackCat (aka ALPHV) ransomware in the December 2022 attacks where the new Sardonic malware variant was used.
“Syssphinx continues to develop and improve its capabilities and malware delivery infrastructure, periodically refining its tools and tactics to avoid detection,” Symantec said.
“The group’s decision to expand from point-of-sale attacks to the deployment of ransomware demonstrates the threat actors’ dedication to maximizing profits from victim organizations.”