Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
High
The financially motivated cybercrime group FIN8, also known as Syssphinx, has been identified using an updated version of the Sardonic backdoor to distribute the BlackCat ransomware, also known as Noberus ransomware. Sardonic is a sophisticated backdoor with various evasive features, currently still in development, and includes several components, some of which were compiled just before the attack.
Since 2016, the FIN8 group has been active and utilizes well-known malware like PUNCHTRACK and BADHATCH to infect Point of Sale (PoS) systems and steal payment card data. Researchers Team discovered that most of the backdoor’s features have been modified by the group.
In the past, FIN8 has been observed employing different ransomware threats, including Ragnar Locker ransomware in June 2021 and White Rabbit ransomware in January 2022. In December 2022, researchers observed the group attempting to deploy the ALPHV/BlackCat ransomware.
The recent Syssphinx attack observed by Symantec in December 2022 showed similarities to a previous Syssphinx attack reported by Bitdefender researchers in 2021. However, there were key differences, such as the final payload being the Noberus ransomware and the use of the updated Sardonic backdoor. This revamped version of Sardonic shares some features with the C++-based Sardonic backdoor analyzed by Bitdefender, but most of its code has been rewritten, giving it a new appearance.
Unlike the previous variant, the new version of the Sardonic backdoor is written in C instead of C++. In the attack analyzed by Symantec, the backdoor was indirectly embedded into a PowerShell script used to infect target machines. The PowerShell script decodes a .NET Loader binary and loads it into the current process. The loader then decrypts and executes the injector and the backdoor.
The injector’s purpose is to launch the backdoor in a newly created WmiPrvSE.exe process, with an attempt to start it in session-0 using a token stolen from the lsass.exe process. The backdoor supports interactive sessions, allowing the attacker to run cmd.exe or other interactive processes on the infected system, with up to 10 such sessions running simultaneously.
The backdoor is designed to extend its functionality through PE DLL plugins, shellcode, and shellcode with a different convention to pass arguments. It supports multiple commands, including dropping arbitrary attacker’s files, exfiltrating content of arbitrary files to the remote attacker, loading a DLL plugin supplied by the attacker, and executing shellcode provided by the attacker.
Syssphinx continually improves its capabilities and malware delivery infrastructure, regularly refining its tools and tactics to evade detection. The group’s transition from point-of-sale attacks to deploying ransomware demonstrates their commitment to maximizing profits from victim organizations. The tools and tactics used by Syssphinx underscore the group’s high level of skill, making them a serious threat to organizations.
“Syssphinx continues to develop and improve its capabilities and malware delivery infrastructure, periodically refining its tools and tactics to avoid detection. The group’s decision to expand from point-of-sale attacks to the deployment of ransomware demonstrates the threat actors’ dedication to maximizing profits from victim organizations.”, the researchers conclude
These types of threats emphasizes the importance of vigilance and robust cybersecurity measures to protect against evolving cyber threats posed by sophisticated threat actors like FIN8. Organizations must remain proactive and adopt a multi-layered approach to safeguard their digital assets and data.
37.10.71.215