Financial cybercrime syndicate deploys reworked backdoor malware

A financially motivated cybercrime group has updated its bespoke backdoor malware in a continued attempt to deploy ransomware against targets around the world, researchers said Tuesday.

Security researchers recently observed Syssphinx, which is also tracked widely as FIN8 since its emergence in 2016, deploying a variant of its Sardonic backdoor to deliver Noberus ransomware but altered in a way to obfuscate its origins.

“Most of the backdoor’s code has been rewritten, such that it gains a new appearance,” researchers with the Symantec Threat Hunter Team, part of Broadcom, said in a report published Tuesday. “Some of the reworking looks unnatural, suggesting that the primary goal of the threat actors could be to avoid similarities with previously disclosed details.”

Syssphinx is known for attacking hospitality, retail, entertainment, insurance, technology, chemicals and finance organizations. The group started out with malware specialized for point-of-sale attacks to steal credit card details, but in the past few years it has evolved to deploy other groups’ ransomware variants in its attempts to swindle victims, researchers said.

In June 2021, for instance, researchers detected the group deploying Ragnar Locker ransomware onto compromised machines in a U.S. financial services company. Six months later the group deployed its own ransomware variant, dubbed “White Rabbit” based on the ransom note delivered, in an attack on a U.S. bank. And more recently, in December 2022, the group deployed Noberus, which emanates from the well-known BlackCat/AlphaV group.

“The Syssphinx group’s move to ransomware suggests the threat actors may be diversifying their focus in an effort to maximize profits from compromised organizations,” the Symantec researchers wrote.

The group is also known for taking extended breaks from public activity to refine its tactics, techniques and procedures, the researchers said. Nevertheless, given its consistent run from at least 2016 (maybe earlier), the group remains a potent threat.

“Syssphinx continues to develop and improve its capabilities and malware delivery infrastructure, periodically refining its tools and tactics to avoid detection,” the researchers said. “The group’s decision to expand from point-of-sale attacks to the deployment of ransomware demonstrates the threat actors’ dedication to maximizing profits from victim organizations. The tools and tactics detailed in this report serve to underscore how this highly skilled financial threat actor remains a serious threat to organizations.”