FIN8 uses a Sardonic backdoor variant to spread ransomware

August 23, 2023

FIN8, a financially motivated threat group, has reworked its malware to deliver the notorious BlackCat ransomware to its victims’ systems. According to reports, the group used a new version of its Sardonic backdoor last December to deploy the ransomware.

Researchers noted that the group has continued to upgrade and develop both its attack capabilities and its malware delivery system.


The new FIN8 backdoor variant can leverage a script that its previous versions did not include.


According to investigations, the new variant of the Sardonic backdoor can be launched through a PowerShell script to compromise a system. Researchers noted that the previous versions relied solely on intermediate downloader shellcode to run the backdoor.

The new backdoor code also no longer uses the C++ standard library; most of its features are now implemented in plain C. In addition, the new backdoor includes several capabilities for evading security software.

Threat analysts also observed that the new variant supports three formats for extending its functionality, including PE DLL plugins and shellcode, but uses a different convention for passing arguments to them.

Once running, the backdoor accepts several commands, including exfiltrating file contents, downloading DLL plugins, executing shellcode, and dropping arbitrary new files.

Experts expect the threat actors to try to maximise their profits from targeted organisations now that they have an updated backdoor that can leverage PowerShell code, bypass security controls, and deploy ransomware.

Although the group specialises in point-of-sale (POS) campaigns, it has launched numerous ransomware attacks in the past few years. Last year, it used a malicious link to launch the White Rabbit ransomware.

A few years earlier, the group deployed the Ragnar Locker ransomware against a financial services firm in the United States.

Cybersecurity experts recommend that organisations employ multiple detection, protection, and hardening technologies to prevent or reduce such threats. Furthermore, administrators should monitor their networks, keep PowerShell on their systems up to date, and enable PowerShell logging to help detect and avoid infection.
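Since the new Sardonic variant is launched through a PowerShell script, the logging recommendation above is worth making concrete. The following is an added example, not code from the article or from any vendor report: it audits and, if asked, enables PowerShell script block, module and transcription logging through the documented Group Policy registry locations, and reports the installed PowerShell version. The transcript directory is an assumed placeholder.

```powershell
# Added example: audit and enable PowerShell logging so script-based delivery
# leaves a record in Microsoft-Windows-PowerShell/Operational (Event ID 4104
# carries logged script blocks). Run from an elevated PowerShell session.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

$settings = @(
    @{ Key = "$base\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Value = 1 },
    @{ Key = "$base\ModuleLogging";      Name = 'EnableModuleLogging';      Value = 1 },
    @{ Key = "$base\Transcription";      Name = 'EnableTranscripting';      Value = 1 }
)

function Test-PowerShellLogging {
    # Returns one object per setting with its current state; changes nothing.
    foreach ($s in $settings) {
        $current = (Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Setting = $s.Name
            Enabled = ($current -eq $s.Value)
        }
    }
}

function Enable-PowerShellLogging {
    param(
        # Assumed transcript location; point it at a directory your log collector ingests.
        [string]$TranscriptDir = 'C:\PSTranscripts'
    )
    foreach ($s in $settings) {
        if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
        Set-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Value -Type DWord
    }
    # Module logging needs a ModuleNames subkey; '*' logs pipeline events for all modules.
    $names = "$base\ModuleLogging\ModuleNames"
    if (-not (Test-Path $names)) { New-Item -Path $names -Force | Out-Null }
    Set-ItemProperty -Path $names -Name '*' -Value '*'
    Set-ItemProperty -Path "$base\Transcription" -Name 'OutputDirectory' -Value $TranscriptDir
}

# Script block logging was introduced in Windows PowerShell 5.0, so the version matters.
"PowerShell version: $($PSVersionTable.PSVersion)"
Test-PowerShellLogging | Format-Table -AutoSize
```

Run `Enable-PowerShellLogging` after reviewing the audit output; the settings take effect for new PowerShell sessions.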
