FIN8

Threat Actor updated 5 months ago (2024-05-04T17:18:46.902Z)
FIN8, also known as Syssphinx, is a financially motivated cybercrime group that has been active since at least January 2016. It targets organizations across many sectors, including hospitality, retail, entertainment, insurance, technology, chemicals, and finance.

FIN8 is known for evasion techniques such as obfuscation and the use of Windows Management Instrumentation (WMI) to remotely launch its PUNCHTRACK POS-scraping malware. Its 2017 activity showed these techniques applied at an early stage of compromise: in one instance the group crafted a macro that used WMI to spawn cmd.exe, so the shell's recorded parent was the WMI provider host rather than the Office application, evading many detections that rely on parent-child process relationships.

More recently, threat researchers at Symantec, part of Broadcom, observed FIN8 deploying a revamped variant of the Sardonic backdoor to deliver the Noberus ransomware. This marks a notable shift in the group's modus operandi and shows its continued evolution and willingness to develop new tools and tactics for its campaigns.

The resurgence of FIN8 with the updated Sardonic backdoor poses a significant threat to financial institutions and the other industries it targets. The group's focus on ransomware, particularly delivery of the Noberus and BlackCat variants, underscores its intent to cause substantial harm and disruption. Organizations should track the evolving strategies of threat actors like FIN8 and maintain robust security controls to defend against them.
Description last updated: 2024-05-04T16:34:39.361Z
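The profile above notes that launching cmd.exe through WMI breaks the parent-child chain that many Office-macro detections depend on. The following Python sketch is an added example (not code from Cybergeist or any vendor cited on this page) showing why a parent/child rule misses that case and what a defender can look for instead: a shell whose parent is the WMI provider host (WmiPrvSE.exe), optionally correlated with an Office process that started on the same host shortly before. The event shape, field names (simplified from Sysmon Event ID 1), hosts, PIDs and timestamps are all constructed for illustration.

```python
"""Detection sketch for shells launched through WMI (parent WmiPrvSE.exe).
Added example, not page or vendor code; the event shape, field names and
sample values below are constructed for illustration."""
import json
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WMI_PROVIDER_HOST = "wmiprvse.exe"   # process that services WMI process-creation requests

# Constructed process-creation events, one JSON object per line (Sysmon-like, simplified).
# WS01: a macro spawns cmd.exe directly, so the classic parent/child chain is visible.
# WS02: a macro asks WMI to launch cmd.exe; the parent is WmiPrvSE.exe, not WINWORD.EXE.
# WS03: benign cmd.exe launched by a service host, a baseline that must not fire.
SAMPLE_EVENTS = r"""
{"time": "2024-05-04T10:00:01", "host": "WS01", "pid": 4120, "ppid": 3100, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "parent_image": "C:\\Windows\\explorer.exe"}
{"time": "2024-05-04T10:00:05", "host": "WS01", "pid": 4188, "ppid": 4120, "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"time": "2024-05-04T10:02:10", "host": "WS02", "pid": 5202, "ppid": 3310, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "parent_image": "C:\\Windows\\explorer.exe"}
{"time": "2024-05-04T10:02:14", "host": "WS02", "pid": 5230, "ppid": 820, "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"}
{"time": "2024-05-04T11:30:00", "host": "WS03", "pid": 6001, "ppid": 900, "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Windows\\System32\\svchost.exe"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events and attach a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return events


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def office_child_rule(events):
    """Classic rule: a shell whose direct parent is an Office application."""
    return [ev for ev in events
            if basename(ev["image"]) in SHELLS
            and basename(ev["parent_image"]) in OFFICE_APPS]


def wmi_spawn_rule(events):
    """A shell whose parent is the WMI provider host. The link to the real
    initiator is gone, so the classic rule above never sees this event."""
    return [ev for ev in events
            if basename(ev["image"]) in SHELLS
            and basename(ev["parent_image"]) == WMI_PROVIDER_HOST]


def correlate_with_office(events, window=timedelta(seconds=60)):
    """Raise confidence on WMI-spawned shells: if an Office process started on
    the same host within `window` before the shell, a macro is the likely
    initiator. Matching is per host because PIDs are only unique per machine."""
    office_starts = [ev for ev in events if basename(ev["image"]) in OFFICE_APPS]
    findings = []
    for shell in wmi_spawn_rule(events):
        prior = [o for o in office_starts
                 if o["host"] == shell["host"]
                 and timedelta(0) <= shell["ts"] - o["ts"] <= window]
        findings.append({
            "host": shell["host"],
            "shell_pid": shell["pid"],
            "office_pid": prior[-1]["pid"] if prior else None,
            "severity": "high" if prior else "medium",
        })
    return findings


def run_detections(text=SAMPLE_EVENTS):
    """Run all three checks and return (host, pid) hits plus correlated findings."""
    events = parse_events(text)
    return {
        "office_child": [(e["host"], e["pid"]) for e in office_child_rule(events)],
        "wmi_spawn": [(e["host"], e["pid"]) for e in wmi_spawn_rule(events)],
        "correlated": correlate_with_office(events),
    }


if __name__ == "__main__":
    print(json.dumps(run_detections(), indent=2))
```

On the constructed sample, the classic rule fires only on WS01, the WMI rule fires only on WS02, and the correlation step ties the WS02 shell back to the WINWORD.EXE instance that started four seconds earlier. A WmiPrvSE.exe-parented shell is not malicious by itself (management tooling also creates processes through WMI), which is why the correlation with a preceding Office start is what lifts the finding to high severity; in production the same logic would also want the initiating user, the WMI-Activity operational log and the shell's command line.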
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles worth reviewing alongside this one.
Alias (votes): Description

Syssphinx (5 votes): Syssphinx is a possible alias for FIN8. Syssphinx, also known as FIN8, is a threat actor that has been active since 2016. This group is known for taking extended breaks between attack campaigns to refine its tactics, techniques, and procedures (TTPs). For instance, Syssphinx had used backdoor malware called Badhatch in attacks since 2019,

Alphv (4 votes): Alphv is a possible alias for FIN8. AlphV, also known as BlackCat, is a notorious threat actor that has been active since November 2021. This group pioneered the public leaks business model and has been associated with various ransomware families, including Akira, LockBit, Play, and Basta. AlphV gained significant attention for its la

Noberus (3 votes): Noberus is a possible alias for FIN8. Noberus, also known as ALPHV or BlackCat, is a significant threat actor in the cybersecurity landscape. The group, which primarily operates a ransomware-as-a-service (RaaS) model, was the second most active ransomware group in April 2023, responsible for 14% of total observed victims. Originating fr

White Rabbit (2 votes): White Rabbit is a possible alias for FIN8. White Rabbit is a notable threat actor in the cybersecurity landscape, known for its malicious activities and association with other prominent hacking groups. The group's name, derived from the character in Alice's Adventures in Quantum Wonderland, signifies its unique approach to cyber attacks. In
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ransomware
netscaler
Backdoor
Vulnerability
citrix
Cybercrime
Exploit
Exploits
Sophos
RCE (Remote ...
Associated Malware
Malware (association type; votes): Description

Sardonic (Unspecified; 5 votes): The Sardonic Malware is associated with FIN8. Sardonic is a sophisticated piece of malware, or malicious software, first identified in 2021. It was designed to exploit and damage computer systems, often infiltrating without the user's knowledge through suspicious downloads, emails, or websites. The malware could disrupt operations, steal person

Ragnar Locker (Unspecified; 2 votes): The Ragnar Locker Malware is associated with FIN8. Ragnar Locker is a type of malware, specifically ransomware, known for its destructive impact on computer systems. It infiltrates systems primarily through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or hold data hostage for rans

PUNCHTRACK (Unspecified; 2 votes): The PUNCHTRACK Malware is associated with FIN8. Punchtrack is a malicious software (malware) utilized by the cybercrime group FIN8 to exploit and damage computer systems, particularly Point-of-Sale (PoS) systems. This malware infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user, with the intent to stea

BADHATCH (Unspecified; 2 votes): The BADHATCH Malware is associated with FIN8. Badhatch is a backdoor malware that has been in use since 2019, primarily by the cybercriminal group known as Syssphinx. The malware is designed to exploit and damage computer systems, often infiltrating them through suspicious downloads, emails, or websites without the user's knowledge. Once inside
Associated Vulnerabilities
Vulnerability (association type; votes): Description

CVE-2023-3519 (Unspecified; 4 votes): The CVE-2023-3519 Vulnerability is associated with FIN8. CVE-2023-3519 is a critical remote code execution vulnerability that has affected Citrix's NetScaler ADC and NetScaler Gateway products. The vulnerability, which was given a severity rating of 9.8 out of 10 on the CVSS vulnerability scale, allows an attacker to exploit a flaw in software design or i
Source Document References
Information about the FIN8 Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source (created):

MITRE (10 months ago)
CERT-EU (7 months ago)
CERT-EU (8 months ago)
Recorded Future (8 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
MITRE (10 months ago)
MITRE (10 months ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
SecurityIntelligence.com (a year ago)
CERT-EU (a year ago)
Checkpoint (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
DARKReading (a year ago)