Syssphinx (aka FIN8), a financially motivated cybercrime group, is actively deploying a variant of the Sardonic backdoor to deliver the Noberus (BlackCat) ransomware.
In a recent investigation, Symantec’s Threat Hunter Team observed the group deploying this backdoor. Upon analysing it, researchers found that it belonged to the Sardonic framework, which had previously been associated with Syssphinx and examined in a 2021 report by Bitdefender. However, it became evident that the group had meticulously modified most of the backdoor’s features, giving it a new appearance.
The group has been active since at least January 2016, focusing primarily on financially motivated cybercrime and targeting organisations across many sectors, including hospitality, retail, entertainment, insurance, technology, chemicals, and finance.
According to Symantec, the group is notorious for employing “living-off-the-land” tactics, making use of built-in tools such as PowerShell and WMI as well as legitimate services. Among its preferred methods for initiating attacks are social engineering and spear-phishing techniques.
Though the group initially focused on point-of-sale (POS) attacks, researchers have found that it has expanded its repertoire to include ransomware, including the Ragnar Locker and White Rabbit families.
The group’s most recent arsenal includes the Noberus (also known as ALPHV or BlackCat) ransomware. Noberus is operated by another cybercrime group, Coreid (Blackmatter, Carbon Spider, FIN7).
Use of backdoors
Backdoors have been a crucial aspect of Syssphinx’s attack campaigns. The group takes extended breaks between attacks to refine its tactics, techniques, and procedures (TTPs).
Previously, Syssphinx utilised a backdoor malware called Badhatch, which underwent updates in December 2020 and January 2021. Later, in August 2021, Bitdefender researchers revealed details of a new backdoor called Sardonic, linked to the same group. This C++-based Sardonic backdoor can harvest system information, execute commands, and utilise a plugin system to load and execute additional malware payloads delivered as DLLs.
The revamped Sardonic backdoor analysed by researchers shared several features with the C++-based version analysed by Bitdefender. However, the majority of its code underwent rewriting, resulting in a new appearance. Interestingly, the reworked backdoor abandoned the use of the C++ standard library, replacing most of its object-oriented features with a plain C implementation.
“Syssphinx continues to develop and improve its capabilities and malware delivery infrastructure, periodically refining its tools and tactics to avoid detection,” Symantec explained.
BlackCat ransomware was used by cybercriminals to target Solar Industries India back in January 2023. In April 2022, the FBI reported that more than 60 organisations were affected by the BlackCat ransomware.