The FIN8 cybercrime group is adapting its tactics, using an updated backdoor in its attacks and increasingly focusing on ransomware operations. Symantec’s Threat Hunter Team observed the group deploying a variant of its Sardonic backdoor, now used to deliver the ransomware known as Black Cat or AlphV. The latest version of the backdoor has been altered to reduce its resemblance to previously disclosed samples, indicating that the threat actors are working to evade detection while retaining their established techniques.
FIN8 is recognized for its adaptive approach, taking extended breaks between attack campaigns to refine its tactics and techniques.
Originating around January 2016, the group initially targeted point-of-sale terminals in various sectors such as hospitality, retail, entertainment, insurance, technology, chemicals, and finance. Employing social engineering and spear-phishing, FIN8 manipulates legitimate services to conceal its activities during the initial compromise.
Over time, the group has updated its backdoor malware, the latest version being the Sardonic backdoor first deployed in 2021. Since then, FIN8 has shifted towards ransomware, using the Ragnar Locker ransomware in attacks against financial services companies in the U.S. Researchers subsequently established connections between FIN8 and the White Rabbit ransomware, and observed the group deploying AlphV in December.
This transition to ransomware suggests that the threat actors are diversifying their operations to maximize profits from compromised organizations, and highlights their continued investment in refining their capabilities and evading detection.