Related Families: ALPHV
Executive Summary
Fin8 was observed leveraging Sardonic backdoor to deliver ALPHV ransomware.
Key Takeaways
- Fin8 was observed leveraging Sardonic backdoor to deliver ALPHV ransomware.
- The samples analyzed by Symantec appeared to be a rewritten variant of Sardonic written in C instead of C++.
- Sardonic backdoor allows the threat actor to run up to 10 sessions leveraging cmd.exe or other interactive processes.
What is Sardonic?
Symantec recently reported on Fin8 activity leveraging Sardonic backdoor to deliver ALPHV ransomware. Sardonic is a C++ based backdoor that has been in the wild since at least 2021. Sardonic can collect information, execute commands, and deploy malicious DLL plugin modules. The samples analyzed by Symantec appeared to be a rewritten variant of Sardonic written in C instead of C++.
The backdoor was embedded indirectly into a PowerShell script that infected victim machines. The PowerShell script code deletes the script file, checks the architecture, and chooses a 32-bit or 64-bit version of an encoded .NET loader, as appropriate.
The .NET loader is decoded and loaded into the current process. The code then triggers the main functionality of the .NET loader. The .NET loader itself is an obfuscated .NET DLL containing two blobs, the injector and the backdoor. The injector is in the form of shellcode and is used to start the backdoor in a newly created WmiPrvSE.exe process. The backdoor is also shellcode.
Sardonic backdoor allows the threat actor to run up to 10 sessions leveraging cmd.exe or other interactive processes. It also uses multiple formats to extend its functionality. These include PE DLL plugins, shellcode plugins, and shellcode that passes arguments using another convention.
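The loader chain above ends with the injector starting the backdoor inside a newly created WmiPrvSE.exe process. The following detection sketch is an added example, not code from the Symantec or PolySwarm reports; it assumes Sysmon-style process-creation fields and that a legitimate WmiPrvSE.exe is started by svchost.exe from the System32\wbem (or SysWOW64\wbem) directory, so a WmiPrvSE.exe spawned by powershell.exe or running from another path is flagged.

```python
"""Flag WmiPrvSE.exe process creations that do not match the normal WMI
service-host pattern. Sample events below are constructed, not real telemetry."""
from dataclasses import dataclass
import ntpath

# Legitimate WmiPrvSE.exe is launched by the WMI service inside svchost.exe.
EXPECTED_PARENTS = {"svchost.exe"}
EXPECTED_DIRS = {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal Sysmon Event ID 1-like record (assumed field set)."""
    pid: int
    image: str
    parent_image: str
    command_line: str


def classify(ev):
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    if ntpath.basename(ev.image).lower() != "wmiprvse.exe":
        return reasons  # only WmiPrvSE.exe creations are in scope here
    if ntpath.basename(ev.parent_image).lower() not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent {ev.parent_image}")
    if ntpath.dirname(ev.image).lower() not in EXPECTED_DIRS:
        reasons.append(f"unexpected image path {ev.image}")
    return reasons


def find_suspicious(events):
    """Map pid -> reasons for every event that classify() flags."""
    flagged = {}
    for ev in events:
        reasons = classify(ev)
        if reasons:
            flagged[ev.pid] = reasons
    return flagged


# Constructed sample data: one normal WMI host, one spawned from PowerShell
# (the pattern described above), one masquerading copy, one unrelated process.
SAMPLE_EVENTS = [
    ProcessEvent(1204, r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"),
    ProcessEvent(5120, r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ProcessEvent(5133, r"C:\Users\Public\WmiPrvSE.exe",
                 r"C:\Windows\explorer.exe", r"C:\Users\Public\WmiPrvSE.exe"),
    ProcessEvent(6001, r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for pid, reasons in find_suspicious(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

In a real deployment the same logic would run against endpoint telemetry rather than the inline list; a legitimate child of WmiPrvSE.exe is never a concern here, only the parent of WmiPrvSE.exe itself.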
Who is Fin8?
Fin8, also known as Syssphinx, is a financially motivated threat actor group. The group has been active since at least 2016. Fin8 targets have included entities in the hospitality, retail, entertainment, insurance, technology, chemical, and financial verticals. Fin8 TTPs include but are not limited to ransomware, extortion, living off the land techniques, social engineering, and spearphishing.
IOCs
PolySwarm has multiple samples associated with this activity.
5b8b732d0bb708aa51ac7f8a4ff5ca5ea99a84112b8b22d13674da7a8ca18c28
72fd2f51f36ba6c842fdc801464a49dce28bd851589c7401f64bbc4f1a468b1a
6cba6d8a1a73572a1a49372c9b7adfa471a3a1302dc71c4547685bcbb1eda432
You can use the following CLI command to search for all Sardonic samples in our portal:
$ polyswarm link list -f Sardonic
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports