The financially motivated cybercrime group FIN8 (Syssphinx) is actively deploying a revamped version of the Sardonic backdoor.
Symantec's Threat Hunter Team found that the new backdoor belongs to the Sardonic framework, which researchers at Bitdefender examined two years ago. The group's most recent arsenal includes the Noberus ransomware (also known as ALPHV or BlackCat). The threat actor has been actively operating since at least January 2016.
The group had rewritten most of the backdoor code to gain a new appearance. The primary goal of the threat actors could be to avoid similarities with previously disclosed details.
The group initially focused on point-of-sale (POS) attacks to steal credit card details, but in the past few years it has evolved to deploy other groups' ransomware, including Ragnar Locker and White Rabbit. FIN8's deployment of ransomware suggests the threat actors are focused on maximizing profits from compromised organizations, researchers said.
Syssphinx targets hospitality, institutions, retail, entertainment, insurance, technology, chemicals and finance organizations.
Previously, Syssphinx utilized a backdoor malware called Badhatch, which underwent updates in December 2020 and January 2021. Later, in August 2021, Bitdefender researchers revealed details of a new backdoor called Sardonic, linked to the same group. The group takes lengthy breaks between attacks to refine its tactics, techniques, and procedures.
The C++-based Sardonic backdoor can harvest system information and execute commands, and it has a plugin system to load and execute additional malware payloads delivered as DLLs. The revamped Sardonic backdoor shares several features with the C++-based version analyzed by Bitdefender. However, the reworked backdoor has been written in C and deliberately modified to avoid similarities with the earlier version.
"Syssphinx continues to develop and improve its capabilities and malware delivery infrastructure, periodically refining its tools and tactics to avoid detection," Symantec said. Some of the other features of the backdoor include the ability to drop arbitrary files and exfiltrate file contents from the compromised machine to an actor-controlled infrastructure.