FIN8 cybercrime group using updated backdoor amid shift to ransomware

The FIN8 cybercrime group is using an updated backdoor in its cyberattacks, which increasingly involve ransomware.

Symantec’s Threat Hunter Team said it observed the group deploying a variant of the Sardonic backdoor before delivering ransomware known as Black Cat or AlphV.

The Sardonic backdoor was examined by researchers at Bitdefender two years ago and experts said it was powerful due to its “wide range of capabilities that help the threat actor leverage new malware on the fly without updating components.”

Symantec said in the version it saw recently, “most of the backdoor’s features have been altered to give it a new appearance.”

“In addition, some of the reworking looks unnatural, suggesting that the primary goal of the threat actors could be to avoid similarities with previously disclosed details,” the researchers said.

“For example, when sending messages over the network, the operation code specifying how to interpret the message has been moved after the variable part of the message, a change that adds some complications to the backdoor logic. It seems that this goal was limited to just the backdoor itself, as known [FIN8] techniques were still used.”

The tactics used by the group resembled those previously reported by Bitdefender, but the main difference was the use of the ransomware and the reworked backdoor.

The backdoor has the ability to “harvest system information and execute commands, and has a plugin system designed to load and execute additional malware payloads.”

Known for evolving

Both Symantec and Bitdefender noted that FIN8 is known for taking lengthy breaks between attack campaigns to evolve its tactics and techniques. The group started around January 2016, researchers have said, and it was originally known for targeting point-of-sale terminals at organizations in the hospitality, retail, entertainment, insurance, technology, chemicals and finance sectors.

The group typically uses social engineering and spearphishing as its preferred methods for initial compromise before “abusing legitimate services to disguise its activity,” Symantec said.

Since starting out, the group has repeatedly updated its backdoor malware, creating new versions in 2019 and 2020 before landing on the Sardonic backdoor in 2021.

Symantec noted that since 2021, FIN8 has shifted to deploying ransomware, initially using the Ragnar Locker ransomware in attacks on financial services companies in the U.S.

By January 2022, researchers found links between FIN8 and the White Rabbit ransomware and Symantec said it saw the group deploying AlphV in attacks in December.

“[FIN8]’s move to ransomware suggests the threat actors may be diversifying their focus in an effort to maximize profits from compromised organizations,” the researchers said.

“[FIN8] continues to develop and improve its capabilities and malware delivery infrastructure, periodically refining its tools and tactics to avoid detection. The group’s decision to expand from point-of-sale attacks to the deployment of ransomware demonstrates the threat actors’ dedication to maximizing profits from victim organizations.”

FIN8 was first identified by Mandiant, which noted that the group was behind attacks at hundreds of organizations in North America.