
FIN8 Overview

The threat actor group tracked as FIN8 has been active since at least 2016 and is primarily focused on financially motivated cyber operations. The group has targeted several industry sectors, including insurance, retail, technology, and chemical, by compromising point-of-sale (PoS) systems and stealing payment card data.

FIN8 is known for deploying malware such as PUNCHTRACK and BADHATCH to infect PoS systems. Recently, it has been linked to the White Rabbit ransomware operation, which shares with the group a malicious URL and a version of the FIN8 backdoor called BADHATCH. White Rabbit is a new ransomware strain that borrows features from the Egregor ransomware. It uses a double-extortion technique and is delivered via the Cobalt Strike post-exploitation framework. The exact relationship between FIN8 and White Rabbit is still unknown, but there are indications of a close connection or possible mimicry. FIN8 was also recently observed using an enhanced version of the Sardonic backdoor to deliver the ALPHV (also known as BlackCat) ransomware.

FIN8 constantly develops its malware toolset as well as its tactics. Given the group's recent pivot towards incorporating ransomware such as ALPHV into its attack chain, and the success of the associated campaign, it is likely that this trend will continue.


The Quorum Cyber Threat Intelligence team provides threat actor profiles so that you can better understand cybercriminals’ tactics, techniques, and procedures (TTPs).
