Carding
Why did well-known cybercriminals change their activity vector, abandoning their former methods and tools?
Cybersecurity researchers have discovered that a well-known group of hackers motivated by financial gain is using a new version of Sardonic malware to break into networks and distribute BlackCat ransomware produced by the ALPHV cybercrime gang.
The FIN8 group, also known as Syssphinx, has been active since January 2016 and specializes in attacks on the retail, restaurant, hotel, healthcare and entertainment industries.
Since FireEye first documented the group, FIN8 has been linked to many large-scale but sporadic campaigns. Despite that irregular tempo, its attacks have significantly affected many organizations, leaving a trail of hundreds of victims.
The group's arsenal is extensive and includes a wide range of tools and tactics: point-of-sale (POS) malware (BadHatch, PoSlurp/PunchTrack and PowerSniff/PunchBuggy/ShellTea), exploitation of Windows vulnerabilities, and phishing campaigns.
The hackers later moved from BadHatch to a C++-based backdoor known as Sardonic, which, according to the Bitdefender researchers who discovered it back in 2021, can collect information, execute commands, and deploy additional malicious modules in the form of DLL plugins.
The Symantec Threat Hunter Team observed an updated version of this backdoor in attacks dating back to December 2022, as described in today's report. This version shares many features with the version discovered by Bitdefender, but most of the backdoor code has been rewritten substantially enough to give it a new appearance.
"Interestingly, the backdoor code no longer uses the C++ standard library, and most of the object-oriented features have been replaced with a simple C implementation," the Symantec researchers said.
"In addition, some processing looks unnatural, which indicates that the main purpose of the attackers could be to avoid similarity with previously disclosed details of the malware. Moreover, this goal concerned only the backdoor itself, since the group's known methods were still used in new attacks," the experts added.
Although the ultimate goal of its attacks is to steal payment card data from POS systems, FIN8 has expanded from POS attacks to ransomware attacks in order to maximize profits. For example, according to Symantec, FIN8 was first seen deploying the Ragnar Locker ransomware in June 2021, on compromised systems of a financial company in the United States.
Six months later, in January 2022, the use of White Rabbit ransomware was also linked to FIN8 after researchers discovered a link to the group's infrastructure when analyzing the malware deployment phase. In addition, the Sardonic backdoor was also used during White Rabbit ransomware attacks, which further links them to FIN8.
In the group's latest attacks, recorded in December last year, Symantec also found that FIN8 deployed BlackCat ransomware in intrusions that used the new version of the Sardonic malware.
"Syssphinx continues to develop and improve its capabilities and malware delivery infrastructure, periodically improving its tools and tactics to avoid detection," said Symantec specialists.
"The group's decision to expand from attacks on POS terminals to the distribution of ransomware demonstrates the dedication of attackers to maximizing profits from victim organizations," the researchers concluded.