The cybercrime group FIN8, known for financially motivated attacks, has recently updated its malicious software toolkit. The Symantec Threat Hunter Team reported in December 2022 that FIN8 is now deploying BlackCat ransomware through an upgraded version of their Sardonic backdoor.
Analysis of the Sardonic Variant: Experts have found that FIN8 continuously enhances both its malware and its distribution infrastructure. The latest Sardonic variant introduces a significant change: infection is now driven by a PowerShell script, a departure from the previous approach of using intermediary downloader shellcode. Notably, the variant has moved away from the C++ standard library in favor of a simpler C implementation, and the rewrite adds various methods to evade detection. The backdoor is versatile, supporting three plugin formats that extend its functionality: PE DLL plugins, shellcode, and a distinct shellcode format with a different argument-passing convention. Once active, the backdoor can execute numerous commands, such as downloading new files, extracting file contents, managing DLL plugins, and executing shellcode.
With the integration of PowerShell in their updated backdoor, FIN8 aims to breach security systems more effectively and spread ransomware, thereby increasing their illicit profits. This isn’t their first venture into ransomware deployment.
Other Ransomware Deployments by FIN8: Although FIN8 primarily targets Point-of-Sale (POS) systems, they have expanded to ransomware attacks in recent years. In January 2022, they were linked to deploying White Rabbit ransomware through a malicious link. In June 2021, they used Ragnar Locker ransomware to attack a financial services company in the U.S.
Conclusion: Security professionals recommend that organizations employ a combination of detection, protection, and system-hardening technologies to defend against these threats. Additionally, they should monitor network activity and stay current on the PowerShell versions deployed across their systems, keeping watch over how PowerShell is used.