FIN8 Incorporates Sardonic Backdoor to deploy Ransomware

Researchers have spotted that the FIN8 hacking group has been observed deploying a revamped version of the Sardonic backdoor malware and focussed on ransomware attacks.

Active since 2016, has a reputation for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemicals, and finance sectors.

FIN8 was first observed using ransomware in its attacks in June 2021. In January 2022, the White Rabbit ransomware family was linked to the group, and in December 2022 Symantec observed FIN8 deploying BlackCat ransomware.

Researchers tracked FIN8 with the name Syssphinx in the recent report, was observed deploying a new variant of the Sardonic backdoor malware to deliver BlackCat ransomware. Social engineering and spear-phishing are two of the group’s preferred methods for initial compromise. The group is known for utilizing so-called living-off-the-land tactics, making use of built-in tools and interfaces such as PowerShell and WMI, and abusing legitimate services to disguise its activity.

FIN8 – believed to be based in Eastern Europe’s Commonwealth of Independent States region – is known for taking extended breaks between attack campaigns, using the time to improve its tactics, techniques, and procedures.

The Sardonic backdoor, written in C++, is capable of harvesting system information and executing commands, and has a plugin system designed to load and execute additional malware payloads that are delivered as dynamic link libraries (DLLs).

The revamped version of Sardonic used by FIN8 in the December 2022 attack shares several features with the earlier version discovered by Bitdefender, although most of the code had been rewritten, possibly for obfuscation purposes. Some of the reworkings look unnatural, suggesting that the primary goal of the threat actors could be to avoid similarities with previously disclosed details.

Few changes made in the new version of Sardonic: when messages were sent over the network, the operation code specifying how to interpret them had been moved to after the variable part of the message, a change that adds some complications to the backdoor logic.

The landscape FIN8 had gone to as it changed and refined its TTPs underscore how this highly skilled financial threat actor remains a serious threat to organizations.

This research was documented by researchers from Symantec

Indicators Of Compromise

• 1d3e573d432ef094fba33f615aa0564feffa99853af77e10367f54dc6df95509
• 307c3e23a4ba65749e49932c03d5d3eb58d133bc6623c436756e48de68b9cc45
• 48e3add1881d60e0f6a036cfdb24426266f23f624a4cd57b8ea945e9ca98e6fd
• 4db89c39db14f4d9f76d06c50fef2d9282e83c03e8c948a863b58dedc43edd31
• 356adc348e9a28fc760e75029839da5d374d11db5e41a74147a263290ae77501
• e7175ae2e0f0279fe3c4d5fc33e77b2bea51e0a7ad29f458b609afca0ab62b0b
• e4e3a4f1c87ff79f99f42b5bbe9727481d43d68582799309785c95d1d0de789a
• 2cd2e79e18849b882ba40a1f3f432a24e3c146bb52137c7543806f22c617d62c
• 78109d8e0fbe32ae7ec7c8d1c16e21bec0a0da3d58d98b6b266fbc53bb5bc00e
• ede6ca7c3c3aedeb70e8504e1df70988263aab60ac664d03995bce645dff0935
• 5b8b732d0bb708aa51ac7f8a4ff5ca5ea99a84112b8b22d13674da7a8ca18c28
• 4e73e9a546e334f0aee8da7d191c56d25e6360ba7a79dc02fe93efbd41ff7aa4
• 05236172591d843b15987de2243ff1bfb41c7b959d7c917949a7533ed60aafd9
• edfd3ae4def3ddffb37bad3424eb73c17e156ba5f63fd1d651df2f5b8e34a6c7
• 827448cf3c7ddc67dca6618f4c8b1197ee2abe3526e27052d09948da2bc500ea
• 0e11a050369010683a7ed6a51f5ec320cd885128804713bb9df0e056e29dc3b0
• 0980aa80e52cc18e7b3909a0173a9efb60f9d406993d26fe3af35870ef1604d0
• 64f8ac7b3b28d763f0a8f6cdb4ce1e5e3892b0338c9240f27057dd9e087e3111
• 2d39a58887026b99176eb16c1bba4f6971c985ac9acbd9e2747dd0620548aaf3
• 8cfb05cde6af3cf4e0cb025faa597c2641a4ab372268823a29baef37c6c45946
• 72fd2f51f36ba6c842fdc801464a49dce28bd851589c7401f64bbc4f1a468b1a
• 6cba6d8a1a73572a1a49372c9b7adfa471a3a1302dc71c4547685bcbb1eda432

Network indicators:

• 37.10.71[.]215 – C&C server
• api-cdn[.]net
• git-api[.]com
• api-cdnw5[.]net
• 104-168-237-21.sslip[.]io