Sunday, July 21, 2024

FIN8 Revamped Hacking Toolkit with New Stealthy Attack Features

Syssphinx (aka FIN8) is a financially motivated cyber-crime group that has deployed a revamped version of its Sardonic backdoor to deliver Noberus ransomware.

The group has been active since January 2016, targeting organizations in sectors such as hospitality, retail, entertainment, insurance, technology, chemicals, and finance.

It is also known for deploying several ransomware families on compromised hosts, among them Ragnar Locker, White Rabbit, and Noberus (Symantec's name for ALPHV/BlackCat).

Symantec researchers who analysed a recent Syssphinx intrusion found that the group had used a new variant of its Sardonic backdoor.

Syssphinx is notable for how often it retools between campaigns, changing tools and techniques so that detections built from earlier intrusions no longer apply.

It gains initial access through spear phishing and social engineering, then deploys backdoors from which it delivers whichever ransomware it has chosen for that intrusion.

To limit overlap with earlier Sardonic samples, and with the detections written for them, the group altered several of the backdoor's features.

Revamped Backdoor Features:

Much of the backdoor's earlier C++ code has been rewritten in plain C, replacing most of its object-oriented constructs.

The backdoor is delivered by a PowerShell script executed on the target machine.

Once running, the backdoor first enumerates the active user sessions on the host, then connects to its command-and-control (C2) server and keeps that channel open for tasking.

It encrypts its data with RC4 under a key the malware stores as rc4_key. Notably, the cipher is re-initialised with the same key for every field, so every individually encrypted field is XORed with the same keystream prefix. This is a classic stream-cipher misuse: the XOR of two encrypted fields equals the XOR of their plaintexts, and one field whose plaintext is known (or guessable) yields the keystream and with it every other field up to that length.
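The keystream-reuse point deserves a closer look, because it is what makes captured traffic from such a backdoor tractable for an analyst. The Python below is an added example written for this page, not code from Symantec, from the article, or from the malware itself. It models a protocol that restarts RC4 with the same key for each field (rc4_key is the page's name for that key; the key bytes, field names and field values here are constructed sample data, not values from real samples) and shows that one field with known plaintext recovers the shared keystream prefix and decrypts every other field up to that length. A correctly chained variant is included only to isolate the reuse flaw; RC4 itself remains unfit for new designs.

```python
"""
Added example for this page: RC4 keystream reuse across separately encrypted
fields, modelled after the weakness described in the text.

Assumptions (ours, for illustration): each protocol field is encrypted with a
fresh RC4 instance under the same key (the page calls it rc4_key), so every
field is XORed with the same keystream prefix.  SAMPLE_KEY and SAMPLE_FIELDS
are constructed sample data, not values taken from any real sample.
"""
from __future__ import annotations

# Constructed sample data (not real indicators or keys).
SAMPLE_KEY = b"constructed-rc4_key-sample"
SAMPLE_FIELDS = {
    "session_id": b"0007" + b"\x00" * 12,          # 16 bytes, constructed
    "hostname":   b"WORKSTATION-42\x00\x00",        # 16 bytes, constructed
    "command":    b"cmd.exe /c whoami",             # 17 bytes, constructed
}


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (standard KSA + PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_fields_flawed(key: bytes, fields: dict[str, bytes]) -> dict[str, bytes]:
    """Model of the flaw: a fresh RC4 instance per field, so all fields share keystream."""
    return {name: xor_bytes(val, rc4_keystream(key, len(val)))
            for name, val in fields.items()}


def encrypt_fields_correct(key: bytes, fields: dict[str, bytes]) -> dict[str, bytes]:
    """Contrast: one RC4 instance over the whole message, so no keystream byte repeats.
    (Still RC4, still not fit for new designs; shown only to isolate the reuse flaw.)"""
    total = sum(len(v) for v in fields.values())
    ks = rc4_keystream(key, total)
    out, pos = {}, 0
    for name, val in fields.items():
        out[name] = xor_bytes(val, ks[pos:pos + len(val)])
        pos += len(val)
    return out


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext for ONE field gives the keystream prefix shared by all fields."""
    return xor_bytes(ciphertext, known_plaintext)


def decrypt_with_keystream(ciphertext: bytes, keystream: bytes) -> bytes:
    """Decrypt any other field, without the key, up to the recovered keystream length."""
    return xor_bytes(ciphertext[:len(keystream)], keystream)


def xor_of_plaintexts(c1: bytes, c2: bytes) -> bytes:
    """Even with no known plaintext, c1 XOR c2 == p1 XOR p2 under a shared keystream."""
    return xor_bytes(c1, c2)


def demo() -> dict[str, bytes]:
    """Analyst's workflow: one predictable field (here, a hostname known from the
    victim's asset inventory) recovers the keystream and decrypts the other fields.
    Fields longer than the known one are recovered only up to its length."""
    ct = encrypt_fields_flawed(SAMPLE_KEY, SAMPLE_FIELDS)
    ks = recover_keystream(ct["hostname"], SAMPLE_FIELDS["hostname"])
    return {name: decrypt_with_keystream(c, ks) for name, c in ct.items()}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:<11} {value!r}")
```

Running the script shows session_id recovered in full and command recovered only to the 16 bytes the known hostname covers, which is the caveat an analyst should expect: the longest predictable field bounds how much of the other fields can be read. Which fields are predictable in real traffic is a question for analysis of actual samples; the point is that any one of them is enough.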

The backdoor also supports three plugin formats for extending its functionality: PE DLL plugins, shellcode plugins, and shellcode that accepts arguments.

It can also run up to 10 interactive sessions concurrently.

Each session launches its processes under a token stolen from an existing process, so the spawned process runs in that process owner's security context rather than the backdoor's own.

Indicators of Compromise

SHA256 file hashes:

307c3e23a4ba65749e49932c03d5d3eb58d133bc6623c436756e48de68b9cc45 – Hacktool.Mimikatz
48e3add1881d60e0f6a036cfdb24426266f23f624a4cd57b8ea945e9ca98e6fd – DLL file
4db89c39db14f4d9f76d06c50fef2d9282e83c03e8c948a863b58dedc43edd31 – 32-bit shellcode
356adc348e9a28fc760e75029839da5d374d11db5e41a74147a263290ae77501 – 32-bit shellcode
e7175ae2e0f0279fe3c4d5fc33e77b2bea51e0a7ad29f458b609afca0ab62b0b – 32-bit shellcode
e4e3a4f1c87ff79f99f42b5bbe9727481d43d68582799309785c95d1d0de789a – 64-bit shellcode
2cd2e79e18849b882ba40a1f3f432a24e3c146bb52137c7543806f22c617d62c – 64-bit shellcode
78109d8e0fbe32ae7ec7c8d1c16e21bec0a0da3d58d98b6b266fbc53bb5bc00e – 64-bit shellcode
