FIN8 Modifies 'Sardonic' Backdoor to Deliver BlackCat Ransomware

The threat actor FIN8 has resurged after a lull, using a revised version of its Sardonic backdoor to deliver the BlackCat ransomware. It's an evolution of its malware arsenal that fits the group's pattern of constant reinvention.

FIN8, which Symantec tracks as "Syssphinx," is a well-known, financially-motivated cybercrime group, which in the past has indiscriminately targeted organizations across the chemicals, entertainment, finance, hospitality, insurance, retail, and technology industries.

Generally, it uses spear-phishing and social engineering to hook into targets, and living-off-the-land tactics to mask its malicious activities.

In the latest campaign, Symantec researchers observed FIN8 deploying a new iteration of its old Sardonic backdoor, first reported back in 2021 by Bitdefender. The new Sardonic is bigger and different, though not necessarily improved across the board.

"Some of the reworking looks unnatural, suggesting that the primary goal of the threat actors could be to avoid similarities with previously disclosed details," the researchers wrote in a report published July 18.

Inside the Revamped Sardonic Backdoor Malware

Hackers might choose to rewrite their malware after it's been outed, as Sardonic was in 2021, to skirt by the cybersecurity defenses that are attuned to it.

To that end, the new Sardonic backdoor is quite similar to the first, the researchers noted, "however, most of the backdoor's code has been rewritten, such that it gains a new appearance."

But it's not merely change for change's sake. For example, the new version supports more plugin formats, expanding the attackers' flexibility and capabilities.

"Some of the changes do introduce new features or improvements," John-Paul Power, intelligence analyst at the Symantec Threat Hunter Team, tells Dark Reading — such as adding more obfuscation.

"The revamped backdoor obfuscates some features that were easy to see in original C++-based Sardonic," he explains. For example, earlier version contains multiple strings in plaintext that are obfuscated now.

"[Earlier] analysis also took advantage of certain metadata in the original samples to assist with their analysis, and these features were removed in the samples analyzed by us," he adds.

Some of the updates almost seem like a direct response to the early research from Bitdefender about the first version.

"A few features criticized by Bitdefender were removed," Power says. "For example, Bitdefender pointed out flaws in RSA usage. The sample analyzed by Symantec completely removes the public key scheme from the encryption."

In another example, Bitdefender pointed out issues with JSON encoding used by the command to gather information about an infected system. "That command is removed together with the problematic JSON implementation," says Power.

Not all of the changes have been for the better, though. "For example," Symantec researchers wrote in their blog this week, "when sending messages over the network, the operation code specifying how to interpret the message has been moved after the variable part of the message, a change that adds some complications to the backdoor logic."

FIN8: A Study in Constantly Evolving Malware

FIN8 has been around since at least 2016, when it burst onto the scene by compromising point-of-sale (PoS) systems at more than 100 organizations. In years since, the group has dipped in and out of the spotlight, tweaking their tools each time around.

For example, around the turn of the decade, it transitioned from harvesting credit-card data from PoS systems to deploying ransomware, like Ragnar Locker, developed by the cybercriminal gang Viking Spider.

"The Syssphinx group's move to ransomware suggests the threat actors may be diversifying their focus in an effort to maximize profits from compromised organizations," the researchers wrote on July 18. Lately, the group has been using BlackCat ransomware, from the group of the same name (aka ALPHV).

FIN8 has seemingly spent even more time over the years working on its backdoors. Its first, "Badhatch," was first observed in 2019, and the group iterated on it in each of the two years that followed. Sardonic followed in August 2021.

The C++-based malware came fitted with command execution and credential harvesting capabilities, plus a plugin system for downloading additional malware payloads as dynamic link libraries (DLLs).

To harden against FIN8's frequently changing malware, Power recommends a standard defense-in-depth strategy involving layered detection and protection tools, multifactor authentication (MFA), and access controls.

"Organizations could also introduce one-time credentials for administrative work to help prevent theft and misuse of admin credentials, and create profiles of usage for admin tools. Many of these tools are used by attackers to move laterally undetected through a network," Power says.