In the ever-evolving landscape of cyber threats, the financially motivated cybercrime group known as FIN8 continues to make waves. Known for their sporadic yet impactful attacks, FIN8 has been active since at least 2016, targeting a wide range of industries including retail, restaurants, hospitality, healthcare, and entertainment. This article delves into the group’s recent activities, their shift from point-of-sale attacks to ransomware deployments, and the introduction of a new backdoor in their arsenal – the Sardonic malware. We also explore the group’s tactics, techniques, and procedures (TTPs) as per the MITRE ATT&CK framework, providing a comprehensive profile of this persistent threat actor.
The financially motivated cybercrime group known as FIN8, also known as Syssphinx, has been observed deploying BlackCat (also known as ALPHV) ransomware payloads on networks that have been backdoored using a new version of the Sardonic malware.
FIN8 has been active since at least January 2016 and targets industries such as retail, restaurants, hospitality, healthcare, and entertainment. The group’s attacks are characterized by their sporadic nature, but they have impacted numerous organizations, leaving hundreds of victims in their wake.
The group uses a wide range of tools and tactics, including POS malware strains like BadHatch, PoSlurp/PunchTrack, and PowerSniff/PunchBuggy/ShellTea, as well as the exploitation of Windows zero-day vulnerabilities and spear-phishing campaigns. They’ve also switched from BadHatch to a C++-based backdoor known as Sardonic, which can collect information, execute commands, and deploy additional malicious modules as DLL plugins.
A revamped version of the Sardonic backdoor was observed in December 2022 attacks. This variant shares functionality with the version discovered by Bitdefender, but most of the backdoor’s code has been rewritten, suggesting that the primary goal of the threat actors could be to avoid similarities with previously disclosed details.
While the end goal of their attacks revolves around stealing payment card data from Point-of-Sale (POS) systems, FIN8 has expanded from point-of-sale to ransomware attacks to maximize profits. For instance, the gang was seen in June 2021 deploying ransomware (Ragnar Locker payloads) on the compromised systems of a financial services company in the United States. In January 2022, White Rabbit ransomware was also linked to FIN8. In a more recent development, hackers deploying BlackCat (aka ALPHV) ransomware in the December 2022 attacks where the new Sardonic malware variant was used.
The IOCs provided in an FBI Flash report include:
- PowerShell Scripts: amd – Copy.ps1, ipscan.ps1, Run1.ps1, and others.
- Batch Scripts: CheckVuln.bat, Create-share-RunAsAdmin.bat, LPE-Exploit-RunAsUser.bat, RCE-Exploit-RunAsUser.bat, est.bat, runav.bat.
- Executables and DLLs: http_x64.exe, spider.dll, spider_32.dll, powershell.dll, rpcdump.exe, mimikatz.exe, run.exe, zakrep_plink.exe, beacon.exe, win1999.exe, and others.
- BlackCat Ransomware SHA256 Hashes: 731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161, f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb, 731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161, 80dd44226f60ba5403745ba9d18490eb8ca12dbc9be0a317dd2b692ec041da28.
- 89.44.9[.]243
- 142.234.157[.]246
- 45.134.20[.]66
- 185.220.102[.]253
- 37.120.238[.]58
- 152.89.247[.]207
- 198.144.121[.]93
- 89.163.252[.]230
- 45.153.160[.]140
- 23.106.223[.]97
- 139.60.161[.]161
- 146.0.77[.]15
- 94.232.41[.]155
In terms of MITRE ATT&CK TTPs, FIN8’s tactics include:
- Initial Access: Spearphishing (T1566)
- Execution: Command and Scripting Interpreter (T1059)
- Persistence: Create or Modify System Process (T1543)
- Privilege Escalation: Exploitation of Remote Services (T1210)
- Defense Evasion: Deobfuscate/Decode Files or Information (T1140)
- Credential Access: Input Capture (T1056)
- Discovery: System Network Configuration Discovery (T1016)
- Lateral Movement: Remote Services (T1021)
- Collection: Data from Local System (T1005)
- Command and Control: Commonly Used Port (T1043)
- Exfiltration: Data Compressed (T1002)
- Impact: Data Encrypted for Impact (T1486)
Further Reading:
- CISA Alert: FBI Releases IOCs Associated with BlackCat/ALPHV Ransomware
- FBI Flash Report: Indicators of Compromise Associated with BlackCat/ALPHV Ransomware
- MITRE ATT&CK: FIN8
- Symantec: New Sardonic Backdoor Used by FIN8 in Recent Attacks
- Bitdefender: FIN8 Is Back in Business, Targeting the Hospitality Industry