FIN8 Group Using Modified Sardonic Malware for Deployment of BlackCat Ransomware

FIN8 Group Using Modified Sardonic Malware for Deployment of BlackCat Ransomware     

According to the Symantec Threat Hunter Team, the financially motivated threat actor known as FIN8 has been observed using an updated version of a malware called Sardonic to deliver the BlackCat ransomware. The update on the Sardonic malware is an attempt on the part of the e-crime group to diversify its focus and maximize profits from infected entities. [1] 

The C++ based Sardonic backdoor has the ability to harvest system information and execute commands, and has a plugin system designed to load and execute additional malware payloads delivered as DLLs. Unlike the previous variant of Sardonic, which was designed in C++, the latest iteration packs in significant alterations, with most of the source code rewritten in C and modified so as to deliberately avoid similarities. 

In the latest incident analyzed by Symantec, Sardonic malware is embedded into a PowerShell script that was deployed into the targeted system after obtaining initial access. The script is designed to launch a .NET loader, which then decrypts and executes an injector module to ultimately run the implant. Successful infection leads to the deployment of BlackCat ransomware.    

*** This is a Security Bloggers Network syndicated blog from EclecticIQ Blog authored by Arda Büyükkaya. Read the original post at: https://blog.eclecticiq.com/fin8-group-using-modified-sardonic-malware-for-deployment-of-blackcat-ransomware