The evolution of FIN8: from hacking bank terminals to spreading ransomware
Why did well-known cybercriminals change their vector of activity, abandoning their old methods and tools?
Cybersecurity researchers have discovered that a well-known group of hackers motivated by financial gain are using a new version of the Sardonic malware to break into networks and distribute BlackCat ransomware, produced by the cybercriminal gang ALPHV.
The FIN8 group, also known as Syssphinx, has been active since January 2016 and specializes in attacks on the retail, restaurant, hospitality, healthcare, and entertainment industries.
Since the group was first identified by FireEye, FIN8 has been linked to many large-scale campaigns, notable for their irregular, sporadic timing. Even so, FIN8 attacks have significantly affected many organizations, leaving a trail of hundreds of victims.
The group's arsenal is quite extensive and includes a wide range of tools and tactics, such as point-of-sale (POS) malware (BadHatch, PoSlurp/PunchTrack and PowerSniff/PunchBuggy/ShellTea), exploitation of Windows vulnerabilities, and phishing campaigns.
The hackers later moved from BadHatch to a C++-based backdoor known as Sardonic, which, according to the Bitdefender security researchers who discovered it back in 2021, can collect information, execute commands, and deploy additional malicious modules in the form of DLL plugins.
Symantec's Threat Hunter Team noticed an updated version of this backdoor in attacks dated December 2022, which it described in a report published today. This version shares many features with the version discovered by Bitdefender, but much of the backdoor code has been rewritten to give it a new look.
“Interestingly, the backdoor code no longer uses the standard C++ library, and most of the object-oriented features have been replaced by a simple C implementation,” the Symantec researchers said.
“In addition, some of the reworks look unnatural, which indicates that the main goal of the attackers could be to avoid resemblance to previously disclosed details of the malware. Moreover, this goal concerned only the backdoor itself, since known grouping methods were still used in these attacks,” the experts added.
Although the ultimate goal of their attacks is to steal payment card data from POS systems, FIN8 has expanded its activities from attacks on POS to attacks using ransomware to maximize profits.
For example, according to Symantec, FIN8 was first seen in June 2021 deploying the Ragnar Locker ransomware on the compromised systems of a US financial company.
Six months later, in January 2022, the use of the White Rabbit ransomware was also linked to FIN8 after researchers found a link to the group’s infrastructure while analyzing the malware’s deployment phase. In addition, the Sardonic backdoor was also used during White Rabbit ransomware attacks, further linking them to FIN8.
In the group’s latest attacks, recorded in December last year, Symantec also found that FIN8 distributed BlackCat ransomware using the new version of the Sardonic malware.
“Syssphinx continues to evolve and improve its malware delivery capabilities and infrastructure, periodically improving its tools and tactics to avoid detection,” Symantec said.
“The group’s decision to expand from POS attacks to ransomware distribution demonstrates the attackers’ dedication to maximizing profits from victim organizations,” the researchers concluded.