Rewterz Threat Alert – FIN8 Utilizes Sardonic Malware Variant to Execute ALPHV Ransomware Attack – Active IOCs

Severity

High

Analysis Summary

The financially motivated cybercrime group FIN8, also known as Syssphinx, has been identified using an updated version of the Sardonic backdoor to distribute the BlackCat ransomware, also known as Noberus ransomware. Sardonic is a sophisticated backdoor with various evasive features, currently still in development, and includes several components, some of which were compiled just before the attack.

Since 2016, the FIN8 group has been active and utilizes well-known malware like PUNCHTRACK and BADHATCH to infect Point of Sale (PoS) systems and steal payment card data. Researchers Team discovered that most of the backdoor’s features have been modified by the group.

In the past, FIN8 has been observed employing different ransomware threats, including Ragnar Locker ransomware in June 2021 and White Rabbit ransomware in January 2022. In December 2022, researchers observed the group attempting to deploy the ALPHV/BlackCat ransomware.

The recent Syssphinx attack observed by Symantec in December 2022 showed similarities to a previous Syssphinx attack reported by Bitdefender researchers in 2021. However, there were key differences, such as the final payload being the Noberus ransomware and the use of the updated Sardonic backdoor. This revamped version of Sardonic shares some features with the C++-based Sardonic backdoor analyzed by Bitdefender, but most of its code has been rewritten, giving it a new appearance.

Unlike the previous variant, the new version of the Sardonic backdoor is written in C instead of C++. In the attack analyzed by Symantec, the backdoor was indirectly embedded into a PowerShell script used to infect target machines. The PowerShell script decodes a .NET Loader binary and loads it into the current process. The loader then decrypts and executes the injector and the backdoor.

The injector’s purpose is to launch the backdoor in a newly created WmiPrvSE.exe process, with an attempt to start it in session-0 using a token stolen from the lsass.exe process. The backdoor supports interactive sessions, allowing the attacker to run cmd.exe or other interactive processes on the infected system, with up to 10 such sessions running simultaneously.

The backdoor is designed to extend its functionality through PE DLL plugins, shellcode, and shellcode with a different convention to pass arguments. It supports multiple commands, including dropping arbitrary attacker’s files, exfiltrating content of arbitrary files to the remote attacker, loading a DLL plugin supplied by the attacker, and executing shellcode provided by the attacker.

Syssphinx continually improves its capabilities and malware delivery infrastructure, regularly refining its tools and tactics to evade detection. The group’s transition from point-of-sale attacks to deploying ransomware demonstrates their commitment to maximizing profits from victim organizations. The tools and tactics used by Syssphinx underscore the group’s high level of skill, making them a serious threat to organizations.

“Syssphinx continues to develop and improve its capabilities and malware delivery infrastructure, periodically refining its tools and tactics to avoid detection. The group’s decision to expand from point-of-sale attacks to the deployment of ransomware demonstrates the threat actors’ dedication to maximizing profits from victim organizations.”, the researchers conclude

These types of threats emphasizes the importance of vigilance and robust cybersecurity measures to protect against evolving cyber threats posed by sophisticated threat actors like FIN8. Organizations must remain proactive and adopt a multi-layered approach to safeguard their digital assets and data.

Impact

• File Encryption
• Financial Loss
• Sensitive Information Theft

Indicators of Compromise

Domain Name

• api-cdn.net
• git-api.com
• api-cdnw5.net

IP

37.10.71.215

MD5

• 10e75f522c3a52532d124e507d1d6561
• bd265f2d3e827e2ffa22417a6334d5fa
• 2dad0e66463869b2565449e4c9e84417
• 52aa13beb502a784626b674c76169c08
• 7285d3b9ad2fee1969a22408f7efc324
• 43af915af6a0d60cc5875f69c7fa058b

SHA-256

• 1d3e573d432ef094fba33f615aa0564feffa99853af77e10367f54dc6df95509
• 48e3add1881d60e0f6a036cfdb24426266f23f624a4cd57b8ea945e9ca98e6fd
• 4db89c39db14f4d9f76d06c50fef2d9282e83c03e8c948a863b58dedc43edd31
• e4e3a4f1c87ff79f99f42b5bbe9727481d43d68582799309785c95d1d0de789a
• 5b8b732d0bb708aa51ac7f8a4ff5ca5ea99a84112b8b22d13674da7a8ca18c28
• 72fd2f51f36ba6c842fdc801464a49dce28bd851589c7401f64bbc4f1a468b1a

SHA-1

• e693689526ee28290ddd9cdd242a3c5f0383b8d
• ea50aa7c4d8b3097a2e7d8a4c575b08cfabbbdd8
• 12c3b36ee26b031e6c7b80b7e34b48489bfd108d
• e8d3e810d1752237b2121cde19719c282acecd75
• ef071f69df4a7ed21526804830d60a67c604228f
• a384c188376b2dc98e855609bb8392f66e3295ac

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders.
• Keep your software up to date. Software updates often include security patches that can help to protect your systems from known vulnerabilities.
• Use strong passwords and multi-factor authentication. This will make it more difficult for attackers to gain access to your systems.
• Back up your data regularly. This will help you to recover if your systems are encrypted by ransomware
• Deploy robust endpoint security solutions, including antivirus, anti-malware, and intrusion detection systems, to detect and prevent threats like Sardonic and BlackCat ransomware.