The PolySwarm Blog


Fin8 Using Sardonic Backdoor

Jul 24, 2023 2:44:05 PM / by The Hivemind

Related Families: ALPHV

Executive Summary

Fin8 was observed leveraging Sardonic backdoor to deliver ALPHV ransomware. 

Key Takeaways

  • Fin8 was observed leveraging Sardonic backdoor to deliver ALPHV ransomware.
  • The samples analyzed by Symantec appeared to be a rewritten variant of Sardonic written in C instead of C++.
  • Sardonic backdoor allows the threat actor to run up to 10 sessions leveraging cmd.exe or other interactive processes.

What is Sardonic?

Symantec recently reported on Fin8 activity leveraging Sardonic backdoor to deliver ALPHV ransomware. Sardonic is a C++ based backdoor that has been in the wild since at least 2021. Sardonic can collect information, execute commands, and deploy malicious DLL plugin modules. The samples analyzed by Symantec appeared to be a rewritten variant of Sardonic written in C instead of C++.

The backdoor was embedded indirectly into a PowerShell script that infected victim machines. The PowerShell script code deletes the script file, checks the architecture, and chooses a 32-bit or 64-bit version of an encoded .NET loader, as appropriate.

The .NET loader is decoded and loaded into the current process. The code then triggers the main functionality of the .NET loader. The .NET loader itself is an obfuscated .NET DLL containing two blobs, the injector and the backdoor. The injector is in the form of shellcode and is used to start the backdoor in a newly created WmiPrvSE.exe process. The backdoor is also shellcode.

Sardonic backdoor allows the threat actor to run up to 10 sessions leveraging cmd.exe or other interactive processes. It also uses multiple formats to extend its functionality. These include PE DLL plugins, shellcode plugins, and shellcode that passes arguments using another convention.
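The chain above ends with the injector starting the backdoor in a newly created WmiPrvSE.exe process. A benign WmiPrvSE.exe is normally launched by the WMI service host (svchost.exe), so the parent process of a new WmiPrvSE.exe is a useful thing to watch. The following is an added detection example, not code from PolySwarm or Symantec; it assumes a constructed `key=value|key=value` process-creation record format and treats svchost.exe as the only expected parent.

```python
# Added example (not PolySwarm's or Symantec's code): flag process-creation events in
# which WmiPrvSE.exe is created by something other than the WMI service host.
# Assumption: benign WmiPrvSE.exe is launched by svchost.exe (the WMI service host).
from dataclasses import dataclass

EXPECTED_PARENTS = {"svchost.exe"}  # assumed benign launcher of WmiPrvSE.exe


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspicious_wmiprvse(ev: ProcEvent) -> bool:
    """True when WmiPrvSE.exe is started by an unexpected parent process."""
    return (basename(ev.image) == "wmiprvse.exe"
            and basename(ev.parent_image) not in EXPECTED_PARENTS)


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'Key=Value|Key=Value' process-creation record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcEvent(fields["Image"], fields["ParentImage"], fields.get("CommandLine", ""))


def find_suspicious(lines):
    """Return the events in which WmiPrvSE.exe has an unexpected parent."""
    return [ev for ev in map(parse_event, lines) if is_suspicious_wmiprvse(ev)]


# Constructed sample records (not real telemetry): one normal WmiPrvSE.exe launch,
# one launched from powershell.exe (the process that loaded the .NET loader), one unrelated.
SAMPLE_LOG = [
    "Image=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|ParentImage=C:\\Windows\\System32\\svchost.exe|CommandLine=WmiPrvSE.exe -secured -Embedding",
    "Image=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=WmiPrvSE.exe",
    "Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_LOG):
        print(f"ALERT: WmiPrvSE.exe created by {ev.parent_image}")
```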

Who is Fin8?

Fin8, also known as Syssphinx, is a financially motivated threat actor group. The group has been active since at least 2016. Fin8 targets have included entities in the hospitality, retail, entertainment, insurance, technology, chemical, and financial verticals. Fin8 TTPs include but are not limited to ransomware, extortion, living off the land techniques, social engineering, and spearphishing.

IOCs

PolySwarm has multiple samples associated with this activity.


5b8b732d0bb708aa51ac7f8a4ff5ca5ea99a84112b8b22d13674da7a8ca18c28

72fd2f51f36ba6c842fdc801464a49dce28bd851589c7401f64bbc4f1a468b1a

6cba6d8a1a73572a1a49372c9b7adfa471a3a1302dc71c4547685bcbb1eda432


You can use the following CLI command to search for all Sardonic samples in our portal:

$ polyswarm link list -f Sardonic




Topics: Threat Bulletin, ALPHV, Backdoor, Fin8, Sardonic
