Arda Büyükkaya
July 20, 2023

FIN8 Group Using Modified Sardonic Malware for Deployment of BlackCat Ransomware

Blog

tap 13 - 2023

FIN8 Group Using Modified Sardonic Malware for Deployment of BlackCat Ransomware     

According to the Symantec Threat Hunter Team, the financially motivated threat actor known as FIN8 has been observed using an updated version of a malware called Sardonic to deliver the BlackCat ransomware. The update on the Sardonic malware is an attempt on the part of the e-crime group to diversify its focus and maximize profits from infected entities. [1

The C++ based Sardonic backdoor has the ability to harvest system information and execute commands, and has a plugin system designed to load and execute additional malware payloads delivered as DLLs. Unlike the previous variant of Sardonic, which was designed in C++, the latest iteration packs in significant alterations, with most of the source code rewritten in C and modified so as to deliberately avoid similarities. 

In the latest incident analyzed by Symantec, Sardonic malware is embedded into a PowerShell script that was deployed into the targeted system after obtaining initial access. The script is designed to launch a .NET loader, which then decrypts and executes an injector module to ultimately run the implant. Successful infection leads to the deployment of BlackCat ransomware.    

Revolut Faces $20 Million Loss After Exploitation of Payment System Weakness   

Revolut, a fintech firm, has suffered a significant loss due to a flaw in its payment systems. The flaw, which was exploited by malicious actors, resulted in the theft of more than $20 million of the company's funds in early 2022. 

The issue originated from discrepancies between Revolut's U.S. and European systems. This led to funds being erroneously refunded using Revolut's own money when some transactions were declined. The problem was first detected in late 2021. However, before it could be resolved, organized cybercrime groups exploited the loophole. They encouraged individuals to attempt expensive purchases that would be declined, and the refunded amounts were then withdrawn from ATMs. 

The mass fraud scheme resulted in a net loss of about $20 million for Revolut. This disclosure comes less than a week after Interpol announced the arrest of a suspected senior member of a French-speaking hacking crew known as OPERA1ER, which has been linked to attacks aimed at financial institutions and banking services with phishing campaigns. [2]   

Charming Kitten Threat Actor use “NokNok” Malware for Targeting macOS Users     

Proofpoint security researchers observed a new campaign they attributed to the Charming Kitten APT group –  also known publicly as APT42, Mint Sandstorm, Yellow Garuda and TA453, where the threat actor used the new NokNok malware that targets macOS systems. 

In mid-May 2023, Charming Kitten Threat Actor masqueraded as experts with the Royal United Service Institute (RUSI) and sent phishing lures to the public media contact of a US-based think tank focused on foreign affairs. 

The email solicited feedback on a project called “Iran in the Global Security Context” and requested permission to send a draft for review. The initial email mentioned the participation of other nuclear experts, these are in fact additional fake personas used in further correspondence with the victim to build rapport and give a sense of legitimacy. 

According to Proofpoint, Charming Kitten continues to significantly adapt its infection chains to complicate detection efforts and conduct cyber espionage operations against its targets of interest. The use of Google Scripts, Dropbox, and CleverApps demonstrate that Charming Kitten continues to subscribe to a multi-cloud approach in its efforts to likely minimize disruptions from threat hunters.[3]  

Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack: TAXII v1 Discovery services.

Please refer to our support page for guidance on how to access the feeds.

About EclecticIQ Intelligence and Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence and Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research toward your priority area.

You might also be interested in:

Spearphishing Campaign Targets Zimbra Webmail Portals of Government Organizations

8Base Ransomware Surge; SmugX Targeting European Governments; Russian-Linked DDoS Warning

Chinese Threat Actor Used Modified Cobalt Strike Variant to Attack Taiwanese Critical Infrastructure

Appendix

[1] “FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware.” https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/Syssphinx-FIN8-backdoor (accessed Jul. 19, 2023). 

[2] “Revolut Faces $20 Million Loss as Attackers Exploit Payment System Weakness,” The Hacker News. https://thehackernews.com/2023/07/hackers-steal-20-million-by-exploiting.html (accessed Jul. 12, 2023). 

[3] “Charming Kitten hackers use new ‘NokNok’ malware for macOS,” BleepingComputer. https://www.bleepingcomputer.com/news/security/charming-kitten-hackers-use-new-noknok-malware-for-macos/ (accessed Jul. 12, 2023). 




 

Talk to one of our experts

Protect your organization with cutting-edge threat intelligence. Book your free demo today and explore how our products and services can help you meet your security needs.
Book a call
cta-footer
Book a demo