
FIN8 Evolves Tactics: Unleashing BlackCat Ransomware through Modified ‘Sardonic’ Backdoor


FIN8 Resurfaces with Revised Sardonic Backdoor and BlackCat Ransomware

The financially motivated cybercrime group FIN8, tracked by Symantec as "Syssphinx," has re-emerged after a period of inactivity, this time deploying a reworked version of its Sardonic backdoor to deliver the BlackCat ransomware. FIN8 has a history of continually reworking its malware arsenal, and the latest campaign is no exception. The group has previously targeted organizations across a range of industries, relying on spear-phishing, social engineering, and living-off-the-land techniques to blend its activity into normal administrative traffic.

Evolution of the Sardonic Backdoor

In the latest campaign, researchers at Symantec observed FIN8 deploying a new iteration of its Sardonic backdoor. The new version appears to have been deliberately rewritten so that it no longer matches previously published details of the original, most likely to evade detections that defenders had tuned to the first version. Although the new Sardonic backdoor looks much like its predecessor, most of its code has been rewritten, and the rewrite introduces new features, improvements, and heavier obfuscation that make the group's activity harder to detect and analyze.

Some of the changes in the new Sardonic backdoor read as direct responses to Bitdefender's earlier research on the first version. For example, the flaws in RSA usage that Bitdefender highlighted have been addressed by removing the public-key scheme from the encryption entirely. Likewise, the problems in the JSON encoding used to gather information about an infected system have been resolved by removing both the command and the flawed JSON implementation behind it.

Alongside these fixes, the Symantec researchers noted that some changes in the new version add complexity to the backdoor's logic, which makes its behaviour and its interpretation of command messages harder to analyze.

FIN8: A Group of Constantly Evolving Malware

FIN8 has been active since at least 2016, when it gained notoriety by compromising point-of-sale (PoS) systems at more than 100 organizations. Over the years the group has shifted from payment-card data theft to ransomware, diversifying its tactics to maximize profit.

The group has recently been observed using the BlackCat ransomware, operated by the group of the same name (aka ALPHV). Alongside its use of ransomware, FIN8 has invested significant effort in developing and improving its own backdoor tooling. Its first known backdoor, "Badhatch," was observed in 2019 and went through several iterations in the following years before the Sardonic backdoor appeared in August 2021. Sardonic, written in C++, provides command execution and credential-harvesting capabilities as well as a plugin system for loading additional malware payloads.

Defending Against FIN8's Evolving Threat

Given FIN8's propensity for constantly evolving malware, organizations should adopt a defense-in-depth strategy: layered detection and protection tooling, multifactor authentication (MFA), tight access controls, and one-time credentials for administrative work so that stolen admin credentials cannot be reused. Building profiles of which users run which administrative tools on which hosts also helps detect and prevent lateral movement, since an attacker living off the land typically runs those tools from accounts and machines that have no history of using them.
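The following is an added example of the admin-tool usage profiling described above; it is not code from the original article or from Symantec's report. It baselines which (user, host) pairs normally run tools such as PsExec, WMIC and net.exe from process-creation events, then flags new executions that fall outside that baseline or are spawned by an Office parent (the spear-phishing pattern mentioned earlier). The pipe-delimited event format, the tool list, and all sample log lines are constructed for this example; map the parser onto your own Sysmon or EDR process-creation telemetry.

```python
"""Profile admin-tool usage per (user, host) and flag deviations.

Added example, not code from the original article or from Symantec's
report. The pipe-delimited event format and every sample line below are
constructed for this example; adapt parse_event() to your Sysmon/EDR
process-creation fields (image path, parent image, user, host).
"""
from collections import defaultdict

# Built-in and third-party tools commonly abused for living off the land
# and lateral movement (illustrative list; extend it for your estate).
ADMIN_TOOLS = {
    "psexec.exe", "psexesvc.exe", "wmic.exe", "powershell.exe",
    "net.exe", "sc.exe", "schtasks.exe", "reg.exe",
}
# Parents that should never spawn admin tools (typical phishing lures).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "mshta.exe"}


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.strip().lower().replace("/", "\\").rsplit("\\", 1)[-1]


def parse_event(line):
    """Parse 'timestamp|host|user|image|parent_image' (constructed format)."""
    ts, host, user, image, parent = (f.strip() for f in line.split("|", 4))
    return {
        "ts": ts,
        "host": host.lower(),
        "user": user.lower(),
        "image": basename(image),
        "parent": basename(parent),
    }


def build_profile(lines):
    """Map (user, host) -> set of admin tools seen in the baseline window."""
    profile = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev["image"] in ADMIN_TOOLS:
            profile[(ev["user"], ev["host"])].add(ev["image"])
    return dict(profile)


def score_events(profile, lines):
    """Return one alert tuple per admin-tool execution that deviates from the profile."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["image"] not in ADMIN_TOOLS:
            continue
        key = (ev["user"], ev["host"])
        known = profile.get(key)
        if ev["parent"] in SUSPICIOUS_PARENTS:
            reason = f"admin tool spawned by {ev['parent']}"
        elif known is None:
            reason = "user has no admin-tool history on this host"
        elif ev["image"] not in known:
            reason = "tool not in this user/host baseline"
        else:
            continue  # matches the profile; no alert
        alerts.append((ev["ts"], ev["host"], ev["user"], ev["image"], reason))
    return alerts


# Constructed baseline: a week of "normal" administrative activity.
BASELINE = [
    "2023-07-03T09:10:00|jump01|corp\\itadmin|C:\\Tools\\PsExec.exe|cmd.exe",
    "2023-07-03T09:12:00|jump01|corp\\itadmin|C:\\Windows\\System32\\wbem\\WMIC.exe|cmd.exe",
    "2023-07-04T11:00:00|fs01|corp\\svc-backup|C:\\Windows\\System32\\net.exe|backup.exe",
    "2023-07-05T14:30:00|ws-07|corp\\jsmith|C:\\Program Files\\App\\app.exe|explorer.exe",
]

# Constructed new events to score against that baseline.
NEW_EVENTS = [
    "2023-07-10T10:01:00|jump01|corp\\itadmin|C:\\Tools\\PsExec.exe|cmd.exe",  # normal
    "2023-07-10T10:05:00|ws-07|corp\\jsmith|C:\\Windows\\System32\\wbem\\WMIC.exe|WINWORD.EXE",  # lure
    "2023-07-10T10:07:00|fs01|corp\\jsmith|C:\\Tools\\PsExec.exe|cmd.exe",  # lateral movement
    "2023-07-10T10:09:00|fs01|corp\\svc-backup|C:\\Windows\\System32\\sc.exe|cmd.exe",  # new tool
]


def run_demo():
    """Build the profile from BASELINE and score NEW_EVENTS."""
    return score_events(build_profile(BASELINE), NEW_EVENTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(" | ".join(alert))
```

In production the baseline should be rebuilt on a rolling window and keyed on the account rather than the display name, and the "suspicious parent" rule should fire regardless of baseline, as it does here, because a sanctioned admin whose Word document spawns WMIC is exactly the case the profile alone would miss.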

Conclusion

The resurgence of FIN8 and its deployment of a revised Sardonic backdoor underline the persistent threat posed by financially motivated cybercrime groups, which adapt their tooling and tactics to bypass defenses and maximize impact. Organizations need to stay vigilant, keep their detection and hardening measures current, and invest in robust security controls to mitigate such threats.
