Syssphinx

Threat Actor Profile Updated 2 months ago
Syssphinx, also known as FIN8, is a threat actor that has been active since 2016. The group is known for taking extended breaks between attack campaigns to refine its tactics, techniques, and procedures (TTPs). For instance, Syssphinx had used a backdoor called Badhatch in attacks since 2019, updating it in December 2020 and again in January 2021. In June 2021, Syssphinx was seen deploying the Ragnar Locker ransomware onto machines it had compromised at a financial services company in the U.S. The following year, in January 2022, a ransomware family known as White Rabbit was linked to Syssphinx through a malicious URL connected to both White Rabbit attacks and Syssphinx. The financially motivated group has more recently been observed using a revamped version of a backdoor tracked as Sardonic to deliver the BlackCat ransomware, also known as Noberus. Symantec observed an attack by Syssphinx in December 2022 in which the attackers attempted to deploy Noberus. This attack used techniques similar to a Syssphinx attack described by Bitdefender researchers in 2021, with some key differences: the final payload was Noberus, and the backdoor had been reworked. Attacks involving White Rabbit also used a variant of the Sardonic backdoor, a known Syssphinx tool. Syssphinx continues to evolve, developing and improving its capabilities and malware delivery infrastructure to avoid detection; notably, it has added a reworked backdoor to its arsenal for delivering ransomware. The group's move to ransomware suggests a strategic shift to diversify its operations in an effort to maximize profits from compromised organizations. Despite alterations made to obscure the origins of its tools, known Syssphinx techniques are still in use, indicating a persistent and evolving threat.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
FIN8 | 5 | FIN8, also known as Syssphinx, is a financially motivated cybercrime group that has been active since at least January 2016. This threat actor is notorious for targeting organizations across various sectors including hospitality, retail, entertainment, insurance, technology, chemicals, and finance.
Noberus | 3 | Noberus, also known as ALPHV or BlackCat, is a significant threat actor in the cybersecurity landscape. The group, which primarily operates a ransomware-as-a-service (RaaS) model, was the second most active ransomware group in April 2023, responsible for 14% of total observed victims. Originating fr
White Rabbit | 2 | White Rabbit is a notable threat actor in the cybersecurity landscape, known for its malicious activities and association with other prominent hacking groups. The group's name, derived from the character in Alice's Adventures in Quantum Wonderland, signifies its unique approach to cyber attacks. In
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Backdoor
Malware
Cybercrime
Payload
Symantec
Associated Malware
ID | Type | Votes | Profile Description
Sardonic | Unspecified | 3 | Sardonic is a sophisticated piece of malware, or malicious software, first identified in 2021. It was designed to exploit and damage computer systems, often infiltrating without the user's knowledge through suspicious downloads, emails, or websites. The malware could disrupt operations, steal person
Ragnar Locker | Unspecified | 2 | Ragnar Locker is a type of malware, specifically ransomware, which has been used in numerous cyber attacks globally. This malicious software infiltrates systems through suspicious downloads, emails, or websites and once inside, it can steal personal information, disrupt operations, or hold data host
BADHATCH | Unspecified | 1 | Badhatch is a backdoor malware that has been in use since 2019, primarily by the cybercriminal group known as Syssphinx. The malware is designed to exploit and damage computer systems, often infiltrating them through suspicious downloads, emails, or websites without the user's knowledge. Once inside
Associated Threat Actors
ID | Type | Votes | Profile Description
Alphv | Unspecified | 1 | AlphV, a notorious threat actor in the cybersecurity industry, has been responsible for numerous high-profile ransomware attacks. The group's activities include the theft of 5TB of data from Morrison Community Hospital and hacking Clarion, a global manufacturer of audio and video equipment for cars.
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Syssphinx threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | 7 months ago | FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware
CERT-EU | a year ago | FIN8 Group Using Modified Sardonic Backdoor for BlackCat Ransomware Attacks
BankInfoSecurity | 10 months ago | Ransomware Attack Specialist Tied to Citrix NetScaler Hacks
Securityaffairs | a year ago | FIN8 Group spotted delivering the BlackCat Ransomware
CERT-EU | a year ago | Cyber Security Today, July 19, 2023 – The Sturmous ransomware group is back, a ransomware gang adds a new backdoor, and more | IT World Canada News
CERT-EU | a year ago | FIN8 Revamped Hacking Toolkit with New Stealthy Attack Features
DARKReading | a year ago | FIN8 Modifies 'Sardonic' Backdoor to Deliver BlackCat Ransomware
CERT-EU | a year ago | Financial cybercrime syndicate deploys reworked backdoor malware
CERT-EU | a year ago | FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware – Cyber Security Review