According to the Symantec Threat Hunter team, part of Broadcom, this development is an attempt by the e-crime group to diversify its focus and maximize profits from infected entities. The infiltration attempt took place in December 2022.
FIN8 is being tracked by a cyber security company called Syssphinx. Known to have been active since at least 2016, the rival was originally attributed with attacks targeting point-of-sale (PoS) systems using malware such as PUNCHTRACK and BADHATCH.
The group resurfaced after more than a year in March 2021 with an updated version of the BADHATCH, followed by an entirely new bespoke implant called the Sardonic, which was revealed by Bitdefender in August 2021.
In a report shared with The Hacker News, Symantec said, “The C++-based Sardonic backdoor has the ability to collect system information and execute commands, and it has the ability to load and execute additional malware payloads distributed as DLLs.” is a plugin system designed to do.”
Unlike the previous version, which was designed in C++, the latest iteration has significant changes, with most of the source code being rewritten in C and modified to intentionally avoid commonalities.
In the incident analyzed by Symantec, Sardonic embedded a PowerShell script that was deployed on target systems after gaining initial access. The script is designed to launch the .NET loader, which decrypts and executes an injector module to eventually run the implant.
“The purpose of the injector is to incorporate a backdoor into the newly spawned WmiPrvSE.exe process,” Symantec explained. “When creating the WmiPrvSE.exe process, the injector tries to start it in session-0 (best effort) using a token stolen from the lsass.exe process.”
Sardonic, in addition to supporting up to 10 interactive sessions on the infected host to run malicious commands, supports three different plugin formats for executing additional DLLs and shellcode.
Some of the backdoor’s other features include the ability to drop arbitrary files and eject file contents from the compromised machine into actor-controlled infrastructure.
This is not the first time FIN8 has been detected using Sardonic in connection with a ransomware attack. In January 2022, Lodestone and Trend Micro disclosed the use of White Rabbit ransomware by FIN8, itself based on Sardonic.
“Sysphinx continues to develop and improve its capabilities and malware delivery infrastructure, refining its tools and strategies to avoid detection over time,” Symantec said.
“The group’s decision to expand from point-of-sale attacks to ransomware deployments reflects the threat actors’ dedication to maximizing profits from victim organizations.”