FIN8's Evolution: From Hacking POS Terminals to Spreading Ransomware

Security researchers have found that a notorious financially motivated hacking group is using a new version of the Sardonic backdoor to infiltrate networks and deploy BlackCat ransomware, the strain operated by the ALPHV cybercrime gang.

The group, tracked as FIN8 (also known as Syssphinx), has been active since January 2016 and specializes in attacks on the retail, hospitality, healthcare, and entertainment industries.

Since FireEye first documented it, FIN8 has been linked to numerous large-scale campaigns, notable for their sporadic pattern of activity with long quiet periods in between. Even so, these attacks have had a significant impact on many organizations, leaving hundreds of victims in their wake.

The group's arsenal is extensive and includes POS-terminal malware (BadHatch, PoSlurp/PunchTrack, and PowerSniff/PunchBuggy/ShellTea) as well as exploit code used in its earlier campaigns.

In more recent attacks, the hackers have moved from BadHatch to a C++-based backdoor known as Sardonic. Bitdefender, the security firm that discovered the backdoor in 2021, found that it can collect system information, execute commands, and load additional malicious modules.

Symantec's Threat Hunter Team recently identified an updated version of the Sardonic backdoor in attacks observed as early as December 2022; the findings are detailed in a report published today. While this version shares many functions with the one Bitdefender analyzed, most of the backdoor's code has been rewritten, giving it a new appearance.

“It is noteworthy that the backdoor code no longer utilizes the standard C++ library, and many object-oriented capabilities have been replaced with a simpler implementation in C,” said the Symantec researchers.

“Additionally, some of the code appears to have been deliberately altered, suggesting that the attackers' main goal may have been to avoid similarities with previously identified characteristics. However, this goal only pertained to the backdoor itself, as the group's familiar methods are still being employed in these attacks,” the experts added.

While FIN8's primary objective has been stealing payment card data from POS systems, the group has expanded its activities to include deploying ransomware to increase its profits.

For example, Symantec reported that in June 2021 FIN8 was observed deploying Ragnar Locker ransomware on the compromised systems of financial companies in the United States.
