A familiar gang continues its evolution into a ransomware shop.
FIN8 reworked its Sardonic backdoor and seems to have shifted focus to ransomware.
The Symantec Threat Hunter Team (STHT), part of Broadcom, has released a report detailing a new variant of the Sardonic backdoor associated with the cybercriminal gang Syssphinx (aka FIN8). In the activity Symantec describes, the new variant was used to deliver the Noberus ransomware (also tracked as BlackCat or ALPHV).
Tooling for ransomware.
The Sardonic backdoor was observed in 2022 delivering White Rabbit ransomware. Symantec explains that FIN8’s shift toward ransomware was first observed in 2021, when the gang infected several compromised systems in the financial sector with the Ragnar Locker ransomware. Symantec writes, “The Syssphinx group’s move to ransomware suggests the threat actors may be diversifying their focus in an effort to maximize profits from compromised organizations.” Symantec explains that the gang has revised its tools, noting chiefly that the reworked backdoor has been rewritten in C, whereas the previous version was written in C++. A rewrite in a different language produces different compiled code, which is one reason such rewrites matter to defenders: signatures written for the C++ build are unlikely to match. In addition, the new variant is embedded indirectly in a PowerShell script, unlike the previous version, which “featured an intermediate downloader shellcode that downloads and executes the backdoor.”
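Because the report gives the delivery change only at the level of “embedded in a PowerShell script,” one practical takeaway is to hunt for PowerShell scripts that carry an executable inside a base64 string, either directly or one layer down inside an -EncodedCommand blob. The scanner below is an added example written for this article, not code from Symantec’s report or from the FIN8 tooling; the thresholds (MIN_BLOB_LEN, HIGH_ENTROPY, MAX_DEPTH), the function names, and the sample script and synthetic PE header it scans are all constructed here for illustration.

```python
import base64
import math
import re
import struct

# Heuristic thresholds: assumptions chosen for this example, not figures from the report.
MIN_BLOB_LEN = 64      # base64 runs shorter than this are rarely embedded payloads
HIGH_ENTROPY = 7.0     # bits per byte; packed or encrypted data sits close to 8.0
MAX_DEPTH = 2          # how many layers of encoded-command nesting to unwrap

B64_RE = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_BLOB_LEN)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ stub whose e_lfanew field points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def is_utf16le_text(data: bytes) -> bool:
    """PowerShell -EncodedCommand carries UTF-16LE text: odd bytes of ASCII are NUL."""
    if len(data) < 8 or len(data) % 2:
        return False
    odd = data[1::2]
    return odd.count(0) > 0.9 * len(odd)


def scan_script(text: str, depth: int = 0) -> list:
    """Report every base64 run that decodes to a PE image or to opaque high-entropy
    data, unwrapping encoded commands so indirectly embedded payloads are found too."""
    findings = []
    for match in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(match.group(), validate=True)
        except ValueError:
            continue  # not valid base64 (e.g. an unpadded hash or a long identifier)
        if looks_like_pe(raw):
            findings.append({"depth": depth, "kind": "pe", "size": len(raw)})
        elif is_utf16le_text(raw) and depth < MAX_DEPTH:
            inner = raw.decode("utf-16-le", errors="replace")
            findings.extend(scan_script(inner, depth + 1))
        elif len(raw) >= 256 and shannon_entropy(raw) >= HIGH_ENTROPY:
            findings.append({"depth": depth, "kind": "high_entropy", "size": len(raw)})
    return findings


# --- constructed sample input (synthetic; not FIN8's script or payload) ---

def fake_pe() -> bytes:
    """A 128-byte MZ/PE header skeleton, enough to exercise looks_like_pe()."""
    stub = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", stub, 0x3C, 0x40)           # e_lfanew -> offset 0x40
    return bytes(stub) + b"PE\0\0" + b"\x4c\x01" + b"\0" * 58


def build_sample_script() -> str:
    """A made-up loader script: one benign blob, one direct PE, one PE nested
    inside an -EncodedCommand argument."""
    def b64(b: bytes) -> str:
        return base64.b64encode(b).decode()

    benign = b64(b"This harmless banner text is long enough to be scanned but is not flagged.")
    direct = b64(fake_pe())                                   # payload embedded directly
    inner = '$b=[Convert]::FromBase64String("%s")\n[Reflection.Assembly]::Load($b)' % direct
    encoded = b64(inner.encode("utf-16-le"))                  # payload embedded indirectly
    return (
        '$banner = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("%s"))\n'
        '$stage = [Convert]::FromBase64String("%s")\n'
        "powershell.exe -NoP -W Hidden -EncodedCommand %s\n"
    ) % (benign, direct, encoded)


if __name__ == "__main__":
    for finding in scan_script(build_sample_script()):
        print(finding)   # two PE findings: one at depth 0, one at depth 1
```

Run against the constructed script, scan_script reports the directly embedded PE at depth 0 and the one hidden inside the encoded command at depth 1, while the benign base64 text produces nothing. The PE check is deliberately structural (MZ stub plus e_lfanew pointing at the PE signature) rather than a plain "starts with MZ" test, so a random blob that happens to begin with those two bytes is not flagged; the entropy branch is a fallback for payloads that are encrypted before being embedded, and its threshold should be tuned against a corpus of legitimate scripts before it is used for alerting.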
FIN8’s criminal value proposition.
Symantec concludes its report with a snapshot of FIN8. “Syssphinx continues to develop and improve its capabilities and malware delivery infrastructure, periodically refining its tools and tactics to avoid detection. The group’s decision to expand from point-of-sale attacks to the deployment of ransomware demonstrates the threat actors’ dedication to maximizing profits from victim organizations. The tools and tactics detailed in this report serve to underscore how this highly skilled financial threat actor remains a serious threat to organizations.” Jon Miller, CEO and co-founder of Halcyon, thinks that FIN8’s shift to ransomware is hardly surprising given the group’s criminal background and financial motivations: “The assessment that cybercriminal group FIN8 is now dabbling in ransomware is not surprising – they are financially motivated, and ransomware is a big money maker. Their operation does underscore a few things worth noting. First, ransomware operations and other network intrusion operations with the intent to harvest data to be used for financial theft and fraud are not altogether different animals.”
Is FIN8 a significant threat to organizations?
The question looms: will this shift in tactics pose a significant threat to organizations? Miller thinks it will. “The fact that FIN8 includes POS malware in their repertoire in addition to the highly advanced BlackCat/ALPHV ransomware payload should be of particular concern to retailers, as the targeting of POS systems has the potential to severely impact retail operations.” James McQuiggan, security awareness advocate at KnowBe4, maintains that ransomware is always a top threat to companies, and cites FIN8’s recent campaign in support of that assessment. He writes:
“FIN8's BlackCat campaign clarifies that ransomware remains a top threat to all organizations. Organizations need to continue utilizing technology to bolster security along with security awareness and education to their users.
“As sophisticated cybercriminals like FIN8 constantly update their tactics, techniques, and procedures, cybersecurity professionals must ensure they are utilizing continuous monitoring, automation, AI-enabled analytics, and a robust security awareness program to reduce their organizational cyber risk.
“Effectively combating today's stealthy, financially-driven attackers requires a resilient security culture centered on least-privilege access, frequent assessments and training, and top-down team collaboration. Leadership must prioritize cybersecurity, providing adequate budget and integrating it into strategic decisions across the enterprise.”