18 July 2023

FIN8 uses updated backdoor to deploy BlackCat ransomware

A financially motivated cybercrime group known as FIN8 has been observed using an updated version of the Sardonic backdoor to deploy the BlackCat (ALPHV, Noberus) ransomware.

The group, tracked by Symantec researchers as Syssphinx, has been active since at least 2016 and is known for its attacks on organizations in the hospitality, retail, entertainment, insurance, technology, chemicals, and finance sectors. The threat actor leverages living-off-the-land tactics, making use of built-in tools and interfaces such as PowerShell and WMI, and abusing legitimate services to disguise its activity. Initial access to the targeted networks is usually achieved via spear-phishing and social engineering attacks.

Over the years, FIN8 was observed utilizing several ransomware families such as Ragnar Locker, White Rabbit, and, most recently, BlackCat.

Besides the use of the BlackCat ransomware, the recent FIN8 attacks differ in some key ways from the group's previous campaigns. Most notably, the threat actor used a reworked version of the Sardonic backdoor.

While the new version shares some similarities with the C++-based Sardonic backdoor analyzed by cybersecurity firm Bitdefender, most of its code has been rewritten.

“In addition, some of the reworkings look unnatural, suggesting that the primary goal of the threat actors could be to avoid similarities with previously disclosed details,” Symantec notes in its technical report.

“[FIN8] continues to develop and improve its capabilities and malware delivery infrastructure, periodically refining its tools and tactics to avoid detection. The group’s decision to expand from point-of-sale attacks to the deployment of ransomware demonstrates the threat actors’ dedication to maximizing profits from victim organizations,” the researchers concluded.
