FIN8 (aka Syssphinx) has been observed in a new campaign using newly developed tools and tactics. According to a blog posted by Symantec’s Threat Hunter Team, FIN8 is utilizing a modified version of the Sardonic backdoor to deliver the Noberus ransomware.
Active since at least January 2016, this group is known for taking large breaks to improve its tactics, techniques, and procedures (TTPs). Initially specializing in point-of-sale (POS) attacks, the group has expanded its operations in recent years to include various ransomware threats.
Although FIN8 tends to change their TTPs, they have been known to employ spear-phishing for initial access and live-off-the-land (LotL) tactics to avoid detection. Primarily focusing on financially motivated cybercrimes, they tend to target organizations in sectors such as:
- Hospitality
- Retail
- Entertainment
- Insurance
- Technology
- Chemicals
- Finance
Some of the major changes from this group over the years include the following TTPs:
- June 2021: FIN8 was found deploying the Ragnar Locker ransomware.
- January 2022: White Rabbit ransomware was linked to FIN8, with the attacks employing a variant of the Sardonic backdoor.
- December 2022: Symantec identified attempts by the group to distribute the Noberus, aka BlackCat (ALPHV), ransomware. Noberus is operated by another financially motivated cybercrime group known as Coreid (aka Blackmatter, Carbon Spider, FIN7).
The recent attack campaign revealed that FIN8 had made significant modifications to the Sardonic backdoor, previously analyzed by Bitdefender in 2021. According to Symantec, the new Sardonic backdoor uses primarily C code instead of C++ to reduce detection and change TTPs to avoid attribution.
A major change with this variation is the initial PowerShell script used to infect the system now includes an obfuscated .NET DLL which is a loader that contains the injector and backdoor payloads. In past FIN8 attacks, a downloader has been used to obtain these payloads. The backdoor in this variation can handle up to ten sessions at a time, each of which can steal a process token from a chosen process ID to avoid detection.
FIN8 remains an active and evolving threat group, continuously refining its capabilities and techniques to avoid detection and expand their impact, showcasing their commitment to maximizing profits. Organizations must stay vigilant and employ up-to-date protection measures to defend against this highly skilled threat actor.
To stay up to date on all APG intel, follow them on Twitter and Reddit.