Financially motivated threat actor FIN8 has revamped its malware arsenal to deliver another infamous ransomware to victims’ systems. According to the Symantec Threat Hunter Team, in December 2022, the attackers were observed delivering the BlackCat ransomware via a new version of their Sardonic backdoor.
Dissecting Sardonic variant
Researchers note that the FIN8 members continue to develop and improve their capabilities as well as malware delivery infrastructure.
This Sardonic backdoor variant leverages a PowerShell script to infect systems, unlike the previous versions that used intermediate downloader shellcode to execute the backdoor.
Moreover, the backdoor code no longer uses the C++ standard library, and most of the features are replaced with a plain C implementation. It also includes various tactics to avoid detection.
It supports three different formats for extending its functionality: PE DLL plugins, shellcode, and a second shellcode format that uses a different convention for passing arguments.
Once executed, the backdoor accepts a number of commands, including ones to drop arbitrary new files, exfiltrate the contents of files, upload and download DLL plugins, and execute shellcode.
With an updated backdoor that leverages PowerShell code to bypass security and deploy ransomware, the threat actors apparently want to maximize profits from victim organizations. However, this is not their first time.
FIN8’s other ransomware
While FIN8 specializes in point-of-sale (POS) attacks, in the past few years the group has been observed launching a number of ransomware attacks.
In January 2022, a malicious link used to deploy White Rabbit ransomware was linked to the FIN8 group.
In June 2021, FIN8 deployed the Ragnar Locker ransomware to compromise a financial services company in the US.
Conclusion
Security experts advise organizations to leverage multiple detection, protection, and hardening technologies to mitigate such threats. In addition, organizations are advised to monitor their networks and the latest versions of PowerShell logged on their systems.