The Cyber Security News

FIN8 Group Using Modified Sardonic Backdoor for BlackCat Ransomware Attacks

July 18, 2023

The financially motivated threat actor known as FIN8 has been observed using a “revamped” version of a backdoor called Sardonic to deliver the BlackCat ransomware.

According to the Symantec Threat Hunter Team, part of Broadcom, the development is an attempt by the e-crime group to diversify its focus and maximize profits from infected entities. The intrusion attempt took place in December 2022.

FIN8 is being tracked by the cybersecurity firm under the name Syssphinx. Known to be active since at least 2016, the adversary was initially attributed to attacks targeting point-of-sale (PoS) systems using malware such as PUNCHTRACK and BADHATCH.


The group resurfaced after more than a year in March 2021 with an updated version of BADHATCH, following it up with an entirely new implant named Sardonic, which was disclosed by Bitdefender in August 2021.

“The C++-based Sardonic backdoor has the ability to harvest system information and execute commands, and has a plugin system designed to load and execute additional malware payloads delivered as DLLs,” Symantec said in a report shared with The Hacker News.

Unlike the previous variant, which was written in C++, the latest iteration packs in significant changes, with most of the source code rewritten in C and modified so as to deliberately avoid similarities.

In the incident analyzed by Symantec, Sardonic is embedded in a PowerShell script that was deployed onto the targeted system after obtaining initial access. The script is designed to launch a .NET loader, which then decrypts and executes an injector module to ultimately run the implant.

“The purpose of the injector is to start the backdoor in a newly created WmiPrvSE.exe process,” Symantec said. “When creating the WmiPrvSE.exe process, the injector attempts to start it in session- (best effort) using a token stolen from the lsass.exe process.”

Sardonic, besides supporting up to 10 interactive sessions on the infected host for the threat actor to run malicious commands, supports three different plugin formats to execute additional DLLs and shellcode.
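The injection chain above gives defenders a concrete artifact to hunt for: a WmiPrvSE.exe process that did not come into being the way the WMI provider host normally does. The script below is an added example for this article, not code from Symantec or from the report; it triages constructed process-creation records and flags WmiPrvSE.exe launches that deviate from an assumed stock baseline (binary under System32\wbem, parent svchost.exe, session 0). The baseline, the CSV layout and all sample events are assumptions made here for illustration.

```python
"""
Triage process-creation records for abnormal WmiPrvSE.exe launches.

Added example (not from the article or the Symantec report). The baseline
below is an assumption about a stock Windows host: WmiPrvSE.exe lives under
System32\wbem, is started by the svchost.exe instance hosting DcomLaunch and
runs in session 0. Anything else is worth a closer look.
"""
import csv
from io import StringIO
from pathlib import PureWindowsPath

EXPECTED_IMAGE = r"c:\windows\system32\wbem\wmiprvse.exe"
EXPECTED_PARENT = r"c:\windows\system32\svchost.exe"
EXPECTED_SESSION = "0"

# Constructed sample records in a Sysmon-like CSV layout (not real telemetry).
# Row 5208 mimics the pattern described in the article: WmiPrvSE.exe spawned
# from a PowerShell-hosted loader and landing in a user session.
SAMPLE_EVENTS = r"""ProcessId,Image,ParentImage,TerminalSessionId,User
4120,C:\Windows\System32\wbem\WmiPrvSE.exe,C:\Windows\System32\svchost.exe,0,NT AUTHORITY\NETWORK SERVICE
5208,C:\Windows\System32\wbem\WmiPrvSE.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,1,NT AUTHORITY\SYSTEM
5316,C:\Users\Public\WmiPrvSE.exe,C:\Windows\System32\svchost.exe,0,NT AUTHORITY\SYSTEM
6000,C:\Windows\System32\notepad.exe,C:\Windows\explorer.exe,1,CORP\alice
"""


def parse_events(text):
    """Parse CSV text into a list of dict records, one per process creation."""
    return list(csv.DictReader(StringIO(text)))


def classify(event):
    """Return the reasons a WmiPrvSE.exe launch looks abnormal.

    Returns an empty list for processes that are not WmiPrvSE.exe and for
    launches that match the expected baseline.
    """
    image = event["Image"].lower()
    if PureWindowsPath(image).name != "wmiprvse.exe":
        return []

    reasons = []
    if image != EXPECTED_IMAGE:
        reasons.append(f"image path {event['Image']} is outside System32\\wbem")
    # Caveat: parent-process checks can be defeated by parent PID spoofing,
    # so treat this as one signal among several, not proof on its own.
    if event["ParentImage"].lower() != EXPECTED_PARENT:
        reasons.append(f"parent {event['ParentImage']} is not svchost.exe")
    if event["TerminalSessionId"] != EXPECTED_SESSION:
        reasons.append(
            f"running in session {event['TerminalSessionId']} instead of session 0"
        )
    return reasons


def triage(events):
    """Return (ProcessId, reasons) for every event that classify() flags."""
    alerts = []
    for event in events:
        reasons = classify(event)
        if reasons:
            alerts.append((event["ProcessId"], reasons))
    return alerts


if __name__ == "__main__":
    for pid, reasons in triage(parse_events(SAMPLE_EVENTS)):
        print(f"PID {pid}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against the constructed records, the legitimate provider host (PID 4120) and the unrelated notepad.exe launch pass silently, while the PowerShell-parented, session-1 instance and the copy running from a user-writable path are both flagged with the specific deviations.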


Other capabilities of the backdoor include the ability to drop arbitrary files and exfiltrate file contents from the compromised machine to actor-controlled infrastructure.

This is not the first time FIN8 has been detected using Sardonic in connection with a ransomware attack. In January 2022, Lodestone and Trend Micro uncovered FIN8’s use of the White Rabbit ransomware, which is itself based on Sardonic.

“Syssphinx continues to develop and improve its capabilities and malware delivery infrastructure, periodically refining its tools and tactics to avoid detection,” Symantec said.

“The group’s decision to expand from point-of-sale attacks to the deployment of ransomware demonstrates the threat actors’ dedication to maximizing profits from victim organizations.”

Some components of this posting are sourced from:
thehackernews.com
