FIN8 retools backdoor malware to avoid detection

The FIN8 hacking group has been observed deploying a revamped version of the Sardonic backdoor malware as it intensifies its focus on ransomware attacks.

FIN8 has been active since at least January 2016 and has a reputation for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemicals, and finance sectors.

While the actor initially specialized in point-of-sale (POS) attacks, over the past few years it has been observed using a number of ransomware threats in its attacks.

In a research post published Tuesday, Symantec’s Threat Hunter Team reported that the group, which it tracks under the name Syssphinx, was observed deploying a new variant of the Sardonic backdoor malware to deliver BlackCat ransomware (also known as ALPHV and Noberus). Social engineering and spear-phishing are two of the group’s preferred methods for initial compromise.

“The group is known for utilizing so-called living-off-the-land tactics, making use of built-in tools and interfaces such as PowerShell and WMI (Windows Management Instrumentation), and abusing legitimate services to disguise its activity,” the researchers wrote.

The group’s expansion into ransomware “suggests the threat actors may be diversifying their focus in an effort to maximize profits from compromised organizations,” they said.

FIN8 was first observed using ransomware in its attacks in June 2021. In January 2022, the White Rabbit ransomware family was linked to the group, and in December 2022 Symantec observed FIN8 deploying BlackCat ransomware.

Like many cybercriminal groups, FIN8 (believed to be based in Eastern Europe’s Commonwealth of Independent States region) is known for taking extended breaks between attack campaigns, using the time to improve its tactics, techniques, and procedures.

That practice is demonstrated in the way it has evolved the use of backdoor malware over recent years. In 2019, it used the Badhatch backdoor, which it updated in December 2020 and again in January 2021. Then in 2021, Bitdefender researchers linked a newer backdoor, Sardonic, to the group.

Symantec said the most recent attack it observed in December 2022 saw FIN8 leverage a “reworked” version of Sardonic where “most of the backdoor’s features have been altered to give it a new appearance.”

Why revamp the backdoor?

The Sardonic backdoor, written in C++, is capable of harvesting system information and executing commands, and has a plugin system designed to load and execute additional malware payloads that are delivered as dynamic link libraries (DLLs). 

The revamped version of Sardonic used by FIN8 in the December 2022 attack shares several features with the earlier version discovered by Bitdefender, although most of the code had been rewritten, possibly for obfuscation purposes.

“Interestingly, the backdoor code no longer uses the C++ standard library and most of the object-oriented features have been replaced with a plain C implementation,” the researchers said.

“In addition, some of the reworkings look unnatural, suggesting that the primary goal of the threat actors could be to avoid similarities with previously disclosed details.”

One example of the changes in the new version of Sardonic: in messages sent over the network, the operation code that specifies how to interpret a message had been moved to after the variable part of the message, “a change that adds some complications to the backdoor logic,” Symantec said.

Overall, the lengths FIN8 had gone to as it changed and refined its TTPs “underscore how this highly skilled financial threat actor remains a serious threat to organizations,” the researchers concluded.

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
