Home / Threat Actors / FIN8 Threat Actor Profile

FIN8 Overview

The threat actor group, tracked as FIN8, has been active since at least 2016 and is primarily focused on financially motivated cyber operations. The group has targeted several industry sectors including insurance, retail, technology, and chemical sectors, by compromising point-of-sale (PoS) systems and stealing payment card data.

FIN8 is known for deploying malware such as PUNCHTRACK and BADHATCH to infect PoS systems. Recently, it has been linked to the White Rabbit ransomware operation, which shares a malicious URL and a version of the FIN8 backdoor called BADHATCH. The White Rabbit ransomware is a new strain that borrows features from the Egregor ransomware. It uses a double-extortion technique and is delivered via the Cobalt Strike post-exploitation framework. The exact relationship between FIN8 and White Rabbit is still unknown, but there are indications of a close connection or possible mimicry. FIN8 was recently detected to have utilised an enhanced rendition of the Sardonic backdoor to deliver the ALPHV (also known as BlackCat) ransomware variant.

FIN8 constantly develop their malware toolset as well as their tactics. Due to their recent pivoting towards theincorporation of ransomware such as ALPHV into their attack chain and the success of the associated campaign, it is likely that this trend will continue.

Targeted Sectors

FIN8 have targeted several industry sectors including insurance, retail, technology, and chemical sectors, by compromising PoS systems and stealing payment card data.

Threat Actor Motivations

The motives of FIN8 can be evaluated by observing the strategies they apply within the context of their campaigns. Due to their target set, as well as the list of intrusion methods applied by the group, it is almost certainly the case that Sangria Tempest operations are motivated purely on the basis of financial gain.

Threat Actor Activity Timeline

  • 2016: FIN8 initiated an attack campaign against PoS systems in the retail sector. The attacks were initiated via spear-phishing attempts and the exploitation of a Windows zero-day flaw to infect target networks with the ShellTea and PoSlurp malware, which were used to steal payment card details from PoS systems.
  • 2019: FIN8 initiated an attack campaign against organisations in the hospitality sector. The group utilised the same malware toolset from previous campaigns but, in this instance, re-emerged with an enhanced version of the malware variants, allowing for detection evasion and improved persistence.
  • 2021: FIN8 targeted organisations within the financial sector with an updated version of the BADHATCH backdoor malware, named Sardonic. Sardonic allowed for the deployment of additional malware payloads, preventing the group from having to re-infect target systems.
  • 2023: FIN8 emerged in an attack campaign, whereby they utilised an enhanced rendition of the Sardonic backdoor to deliver the ALPHV ransomware variant. This was a significant shift within the threat landscape as it demonstrated that the group had pivoted from their traditional PoS targeting to ransomware attacks, almost certainly in an attempt to maximise profit.

Associated Malware

  • ALPHV (BlackCat) ransomware: ALPHV (BlackCat) ransomwarewas recently detected as being deployed by FIN8 in an attack campaign. The ransomware is delivered using a revamped version of the Sardonic backdoor, which is capable of harvesting system data, executing commands, and loading additional malware payloads as dynamic-link libraries (DLLs).
  • BADHATCH: FIN8 recently resurfaced with an updated version of their BADHATCH backdoor malware. The group leverages BADHATCH to infect PoS systems and steal payment card data. The enhanced rendition includes enhanced capabilities such as screen capturing, proxy tunnelling, credential theft, and fileless execution. The group has also been observed deploying the BADHATCH loader utilising PowerShell scripts downloaded from specific IP addresses. Additionally, a connection has been made between the White Rabbit ransomware operations involving FIN8, as both use the same malicious URL and a version of BADHATCH to infect PoS systems and steal payment card data.
  • Sardonic backdoor: The Sardonic malware is a powerful and actively developed backdoor that has been notoriously used by FIN8. Sardonic has the ability to harvest system data, execute commands, and load and execute additional malware payloads delivered as DLLs. It supports up to 10 interactive sessions for the group to execute malicious commands and contains a plugin system for executing additional DLL and shellcode. The malware has also been detected as being deployed via PowerShell scripts downloaded from specific IP addresses. FIN8 has recently been using Sardonic to deliver the ALPHV ransomware.
  • White Rabbit ransomware: The White Rabbit ransomware is a relatively new malware family that has been observed in attacks since at least July 2021 and has been heavily linked to FIN8, based on shared infrastructure and the use of the BADHATCH backdoor. The ransomware uses a double-extortion technique, threatening victims to release their stolen data if they do not pay the ransom. It is also notable for requiring a specific command-line password to decrypt its internal configuration and execute its ransomware routine. It is likely that White Rabbit is deployed via the Cobalt Strike command-and control (C2) framework.

Indicators of Compromise

FIN8 Associated File Hashes (SHA-256):

  • 32863daa615afbb3e90e3dad35ad47199050333a2aaed57e5065131344206fe1
  • 5b8b732d0bb708aa51ac7f8a4ff5ca5ea99a84112b8b22d13674da7a8ca18c28
  • e058280f4b15c1be6488049e0bdba555f1baf42e139b7251d6b2c230e28e0aef
  • 6cba6d8a1a73572a1a49372c9b7adfa471a3a1302dc71c4547685bcbb1eda432
  • 72fd2f51f36ba6c842fdc801464a49dce28bd851589c7401f64bbc4f1a468b1a
  • edfd3ae4def3ddffb37bad3424eb73c17e156ba5f63fd1d651df2f5b8e34a6c7
  • 0980aa80e52cc18e7b3909a0173a9efb60f9d406993d26fe3af35870ef1604d0
  • 6f0f702fc0f0a5420a1dbaf1aa88b13b557bebc2631a4157b8e026d80f7651b2
  • 05236172591d843b15987de2243ff1bfb41c7b959d7c917949a7533ed60aafd9
  • 1d3e573d432ef094fba33f615aa0564feffa99853af77e10367f54dc6df95509
  • 2cd2e79e18849b882ba40a1f3f432a24e3c146bb52137c7543806f22c617d62c
  • 307c3e23a4ba65749e49932c03d5d3eb58d133bc6623c436756e48de68b9cc45
  • 356adc348e9a28fc760e75029839da5d374d11db5e41a74147a263290ae77501
  • 4db89c39db14f4d9f76d06c50fef2d9282e83c03e8c948a863b58dedc43edd31
  • 5634140992891d2382fa103031b96023b75470ecd1bf0cf88006a45e63ef41bc
  • 64f8ac7b3b28d763f0a8f6cdb4ce1e5e3892b0338c9240f27057dd9e087e3111
  • 78109d8e0fbe32ae7ec7c8d1c16e21bec0a0da3d58d98b6b266fbc53bb5bc00e
  • 8637b972d5db5c4cb152b0a42f4866c9b574e68023b7620911af8e3d472d4701
  • 8cfb05cde6af3cf4e0cb025faa597c2641a4ab372268823a29baef37c6c45946
  • a9dcdf037d39e88bc71ae844971e63aa78379d50ce47e8aaad0e4b1baf6c7040

FIN8 Associated IP Addresses:

  • 37[.]10[.]71[.]215
  • 89[.]45[.]4[.]192

FIN8 Associated Domains:

  • api-cdn[.]net
  • api-cdnw5[.]net
  • git-api[.]com
  • 104-168-237-21[.]sslip[.]io

Mitre Methodologies

T1590.004 – Gather Victim Network Information: Network Topology

Initial Access
T1566.001 – Phishing: Spearphishing Attachment

T1047 – Windows Management Instrumentation
T1059.001 – Command and Scripting Interpreter: PowerShell

T1574.002 – Hijack Execution Flow: DLL Side-Loading

Privilege Escalation
T1574.002 – Hijack Execution Flow: DLL Side-Loading

Defense Evasion
T1562.001 – Impair Defenses: Disable or Modify Tools
T1574.002 – Hijack Execution Flow: DLL Side-Loading

T1005 – Data from Local System
T1119 – Automated Collection

Command and Control
T1104 – Multi-Stage Channels

T1486 – Data Encrypted for Impact
T1565 – Data Manipulation

Containment, Mitigations and Remediations

To mitigate against the threat of financial malware, it is strongly recommended that the following defence strategies are adhered to:

  • Separate the PoS network from the networks utilised by employees or guests
  • Train employees on how to detect the markers of phishing e-mails
  • Apply an e-mail security solution to automatically discard malicious or suspicious attachments.

Further, a primary method of reducing the threat of the ransomware variants deployed by FIN8, such as ALPHV, is to detect it in the early stages through the use of an effective and monitored endpoint detection and response (EDR) solution. An effective EDR tool, such as the Microsoft Defender suite, will block ransomware attempts once detected. Organisations can also perform routine back-ups of sensitive data that is required for business operations and to keep a copy offline in case back-ups are impacted by the attack. Therefore, if a breach occurs and the business can no longer function, a back-up is ready to use, and the business can continue to operate with minimal disruption.

Additional information

BankInfoSecurity FIN8 Report
Bitdefender FIN8 Whitepaper