
A financially motivated threat actor known as FIN8 has been observed using a "revamped" version of a backdoor called Sardonic to deliver the BlackCat ransomware.
According to the Symantec Threat Hunter Team, part of Broadcom, the development is an attempt on the part of the e-crime group to diversify its focus and maximize profits from infected organizations. The intrusion attempt took place in December 2022.
FIN8 is tracked by the cybersecurity firm under the name Syssphinx. The actor is known to have been active since at least 2016, when it was initially observed targeting point-of-sale (PoS) systems with malware such as PUNCHTRACK and BADHATCH.
The group resurfaced after more than a year with an updated version of BADHATCH in March 2021, followed by an all-new bespoke implant called Sardonic, which was documented by Bitdefender in August 2021.
"The C++-based Sardonic backdoor has the ability to collect system information and execute commands, and has a plugin system designed to load and execute additional malware payloads provided as DLLs," Symantec said in a report shared with The Hacker News.
Unlike the previous variant, which was written in C++, the latest iteration has undergone significant changes, with most of the source code rewritten in C and deliberately modified to avoid similarities with the earlier version.
In the incident analyzed by Symantec, Sardonic was embedded in a PowerShell script that was deployed on the affected system after initial access was obtained. The script launches a .NET loader, which decrypts and executes an injector module, which in turn starts the implant.
"The purpose of the injector is to start the backdoor in a newly created WmiPrvSE.exe process," Symantec explained. "When creating the WmiPrvSE.exe process, the injector attempts to start the process in session 0 (best effort) using a token stolen from the lsass.exe process."
In addition to supporting up to 10 interactive sessions on an infected host for the threat actor to execute malicious commands, Sardonic supports three different plugin formats for executing additional DLLs and shellcode.
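The injection chain described above leaves two observable traces on an endpoint: a WmiPrvSE.exe process whose parent is something other than the DcomLaunch service host that normally spawns it, and a process opening a handle to lsass.exe so that its token can be duplicated. The following is an added example, not code from Symantec's report or from the article, that runs those two checks over a handful of constructed Sysmon-style records (event ID 1 ProcessCreate and event ID 10 ProcessAccess). The field names, the allowlist of processes that may legitimately touch lsass.exe, and the sample events are all assumptions that would need tuning for a real environment.

```python
"""Detection pass for the Sardonic-style injection chain: an unexpected parent
for WmiPrvSE.exe and an unexpected process opening lsass.exe.

Added example (not from the Symantec report); records are modelled on Sysmon
event IDs 1 (ProcessCreate) and 10 (ProcessAccess) but are constructed here.
"""
from dataclasses import dataclass

# A legitimate WMI provider host is started by the DcomLaunch service host
# (svchost.exe) from the wbem directory.
WMIPRVSE_EXPECTED_PATH = r"c:\windows\system32\wbem\wmiprvse.exe"
WMIPRVSE_EXPECTED_PARENT = r"c:\windows\system32\svchost.exe"

# Processes that are expected to open lsass.exe on a typical host.
# Assumption: tune this allowlist per environment (EDR agents, AV, etc.).
LSASS_ALLOWED_SOURCES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}


@dataclass
class Event:
    event_id: int            # 1 = ProcessCreate, 10 = ProcessAccess
    image: str               # created process (ID 1) or source process (ID 10)
    parent_image: str = ""   # ID 1 only
    target_image: str = ""   # ID 10 only
    session_id: int = -1     # ID 1 only; 0 is the non-interactive services session
    granted_access: int = 0  # ID 10 only; access mask granted on the target


def check_process_create(ev: Event) -> list:
    """Return findings for a ProcessCreate event (empty list if benign)."""
    findings = []
    image = ev.image.lower()
    parent = ev.parent_image.lower()
    if image.endswith("wmiprvse.exe"):
        if image != WMIPRVSE_EXPECTED_PATH:
            findings.append(f"WmiPrvSE.exe running from unexpected path {ev.image}")
        if parent != WMIPRVSE_EXPECTED_PARENT:
            findings.append(
                f"WmiPrvSE.exe started by unexpected parent {ev.parent_image} "
                f"(session {ev.session_id})"
            )
    return findings


def check_process_access(ev: Event) -> list:
    """Return findings for a ProcessAccess event targeting lsass.exe."""
    findings = []
    if ev.target_image.lower().endswith("lsass.exe") and ev.image.lower() not in LSASS_ALLOWED_SOURCES:
        findings.append(
            f"{ev.image} opened lsass.exe with access mask 0x{ev.granted_access:x}"
        )
    return findings


def scan(events: list) -> list:
    """Run both checks over an event stream; returns (event, finding) pairs."""
    results = []
    for ev in events:
        if ev.event_id == 1:
            findings = check_process_create(ev)
        elif ev.event_id == 10:
            findings = check_process_access(ev)
        else:
            findings = []
        results.extend((ev, f) for f in findings)
    return results


# Constructed sample events: two benign records, then the two traces the
# injector would leave (PowerShell touching lsass, then spawning WmiPrvSE).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\wbem\WmiPrvSE.exe",
          parent_image=r"C:\Windows\System32\svchost.exe", session_id=0),
    Event(10, r"C:\Windows\System32\svchost.exe",
          target_image=r"C:\Windows\System32\lsass.exe", granted_access=0x1000),
    # 0x1400 = PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION,
    # enough to call OpenProcessToken on lsass (assumed value for the sample).
    Event(10, PS, target_image=r"C:\Windows\System32\lsass.exe", granted_access=0x1400),
    Event(1, r"C:\Windows\System32\wbem\WmiPrvSE.exe", parent_image=PS, session_id=0),
]

if __name__ == "__main__":
    for ev, finding in scan(SAMPLE_EVENTS):
        print(f"[event {ev.event_id}] {finding}")
```

The parent check is the more robust of the two: whatever process hosts the .NET loader and injector, it is not the DcomLaunch svchost.exe instance that normally creates WMI provider hosts, so a WmiPrvSE.exe with any other parent is worth a look. The lsass.exe access check produces more noise on real hosts, which is why the allowlist is separated out for tuning.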
Other capabilities of the backdoor include the ability to drop arbitrary files and exfiltrate file contents from compromised machines to attacker-controlled infrastructure.
This is not the first time FIN8 has been observed using Sardonic in connection with a ransomware attack. In January 2022, Lodestone and Trend Micro documented FIN8's use of the White Rabbit ransomware, which is itself based on Sardonic.
"Syssphinx continues to develop and improve its capabilities and malware delivery infrastructure, regularly refining its tools and tactics to evade detection," Symantec said.
“The group’s decision to expand from point-of-sale attacks to ransomware deployment demonstrates the dedication of threat actors to maximize profits from victim organizations.”