The FIN8 financially motivated threat actor has recently reworked its known backdoor, Sardonic, in order to avoid detection, researchers warn.
FIN8, also known as Syssphinx, has been around since 2016 and has targeted companies across the hospitality, retail, entertainment, insurance, technology and finance industries in the U.S., Canada, South Africa, Italy and other areas. Its Sardonic backdoor, which is an updated version of the group’s previous Badhatch backdoor, has a broad array of capabilities, including the ability to harvest system data, execute commands and execute additional payloads, Bitdefender researchers said in an analysis in 2021 after the group used the backdoor to target a U.S.-based bank. Now, researchers with the Symantec Threat Hunter Team, part of Broadcom, are saying they found a revamped version of the Sardonic backdoor being used in December 2022 attacks that aimed to deploy the Noberus ransomware (also known as BlackCat).
“The revamped Sardonic backdoor analyzed in this blog shares a number of features with the C++-based Sardonic backdoor analyzed by Bitdefender,” according to researchers on Tuesday. “However, most of the backdoor’s code has been rewritten, such that it gains a new appearance. Interestingly, the backdoor code no longer uses the C++ standard library and most of the object-oriented features have been replaced with a plain C implementation.”
Researchers observed the revamped backdoor being embedded into a PowerShell script used to infect target machines, which is different from previous versions of Sardonic that leveraged intermediate downloader shellcode to execute the backdoor. Sardonic has been described as being a flexible backdoor with wide-ranging capabilities. Researchers said the backdoor supports three different formats to extend its functionality (including with PE DLL plugins loaded within the backdoor’s process, through the form of shellcode and via instructions for the backdoor to pass control to provided shellcode). Once downloaded, the backdoor receives a number of commands, including ones for dropping arbitrary new files, exfiltrating content of files, loading and unloading DLL plugins and executing shellcode.
Researchers noted that some of the backdoor’s reworking looks “unnatural, suggesting that the primary goal of the threat actors could be to avoid similarities with previously disclosed details.”
“For example, when sending messages over the network, the operation code specifying how to interpret the message has been moved after the variable part of the message, a change that adds some complications to the backdoor logic,” they said.
Another difference of note here is that the final payload in this campaign is the Noberus ransomware, which continues FIN8’s previous shift from earlier point-of-sale attacks. The group in recent years has been observed deploying ransomware like Ragnar Locker (in 2021) and White Rabbit (in 2022).
“The Syssphinx group’s move to ransomware suggests the threat actors may be diversifying their focus in an effort to maximize profits from compromised organizations,” said researchers.
The updated backdoor represents continued measures by the threat group to avoid detection by security teams. FIN8 has also used various other tactics in the past, including living-off-the-land techniques that leverage built-in tools like PowerShell, and abusing legitimate services, in order to disguise its malicious activity.
“Syssphinx continues to develop and improve its capabilities and malware delivery infrastructure, periodically refining its tools and tactics to avoid detection,” said researchers. “The group’s decision to expand from point-of-sale attacks to the deployment of ransomware demonstrates the threat actors’ dedication to maximizing profits from victim organizations. The tools and tactics detailed in this report serve to underscore how this highly skilled financial threat actor remains a serious threat to organizations.”
To protect themselves against these types of attacks, organizations should leverage multiple detection, protection, and hardening technologies to mitigate risk at each point of the potential attack chain, said John-Paul Power, intelligence analyst with the Symantec Threat Hunter Team, part of Broadcom.
“In addition to this, organizations should monitor the use of dual-use tools inside their network, and ensure they have the latest version of PowerShell and have logging enabled,” he said. “We’d also advise implementing proper audit and control of administrative account usage.”