
A gang of financially motivated cybercriminals has been observed deploying BlackCat ransomware payloads to networks using a revamped version of the Sardonic malware.

Tracked as FIN8 (aka Syssphinx), this threat actor has been actively operating since at least January 2016, targeting industries such as retail, restaurants, hotels, healthcare, and entertainment.

Since they were first spotted and labeled as a threat group by FireEye, FIN8 has been linked to numerous large-scale campaigns characterized by their sporadic nature. Even so, their attacks have affected many organizations, leaving hundreds of victims in their wake.

The arsenal used by this threat actor is vast, encompassing a wide range of tools and tactics, including POS malware strains like BadHatch, PoSlurp/PunchTrack and PowerSniff/PunchBuggy/ShellTea, as well as the exploitation of Windows zero-day vulnerabilities and spear-phishing campaigns.

They also moved from BadHatch to a C++-based backdoor known as Sardonic, which, according to the Bitdefender security researchers who discovered it in 2021, can collect information, execute commands and deploy additional malicious modules as DLL plugins.

Symantec’s Threat Hunter team observed a revamped version of this backdoor deployed during the December 2022 attacks, a variant that shares functionality with the version discovered by Bitdefender.

“However, most of the backdoor code has been rewritten, so it gains a new look. Interestingly, the backdoor code no longer uses the C++ Standard Library and most of the object-oriented features have been replaced by a simple C implementation,” Symantec said.

“Furthermore, some of the redesigns appear unnatural, suggesting that the threat actors’ primary goal may be to avoid similarities to previously leaked details. This goal seemed limited to the backdoor itself, for known Syssphinx techniques were still in use.”

Maximizing profits with ransomware

While the end goal of their attacks revolves around stealing payment card data from point-of-sale (POS) systems, FIN8 has shifted from point-of-sale attacks to ransomware attacks to maximize profits.

For example, according to Symantec, the gang was first seen in June 2021 deploying ransomware (Ragnar Locker payloads) on the compromised systems of a financial services company in the United States.

Six months later, in January 2022, the White Rabbit ransomware was also linked to FIN8 after researchers discovered links to the gang’s infrastructure while analyzing the ransomware’s deployment stage. Additionally, the Sardonic backdoor was also used in White Rabbit ransomware attacks, linking them further to FIN8.

In a more recent development, Symantec also spotted FIN8 hackers deploying BlackCat (aka ALPHV) ransomware in the December 2022 attacks where the new Sardonic malware variant was used.

“Syssphinx continues to develop and improve its malware delivery capabilities and infrastructure, periodically refining its tools and tactics to evade detection,” Symantec said.

“The group’s decision to shift from point-of-sale attacks to deploying ransomware demonstrates the threat actors’ commitment to maximizing profits from victimized organizations.”
