
FIN8 Cyber Group Enhances Privilege Escalation Tactics

The cybercriminal group FIN8 has advanced its campaigns with sophisticated privilege escalation techniques, utilizing modular malware and fileless attack methods, according to research by Picus Security.

16 June 2026

Picus Security reports that the financially motivated FIN8 cybercriminal group has intensified its campaigns, focusing on advanced privilege escalation. Active since at least 2016, FIN8 is known for its stealth and adaptability, employing an evolving arsenal of malware.

Recent campaigns observed by Picus Security show FIN8 integrating tools like Sardonic (also known as Ragnar Loader) and Exocet. These tools are used to elevate privileges, bypass defenses, and maintain prolonged access to target systems, often in preparation for deploying ransomware such as BlackCat/ALPHV and White Rabbit.

The group's tactics emphasize subtlety. FIN8 commonly uses PowerShell, WMI, and native Windows tools for reconnaissance and establishing persistence. Rather than dropping detectable files, they execute code directly in memory and employ WMI event subscriptions for stealthy operations. These fileless and evasive methods make them difficult for traditional signature-based security solutions to detect.
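As an added example that is not part of the Picus report or this article, the following PowerShell audits the permanent WMI event subscriptions described above: it resolves each filter-to-consumer binding and flags consumers whose action invokes a script engine or encoded command. The keyword pattern is a constructed heuristic, and the script assumes an elevated session on the host being checked.

```powershell
# Added example (not from the Picus report): enumerate permanent WMI event
# subscriptions and flag consumers that launch script engines. Run elevated.
$ns = 'root\subscription'
# Constructed heuristic for suspicious consumer actions; tune per environment.
$suspicious = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|-enc|FromBase64String|Invoke-Expression'

# A binding ties a trigger (__EventFilter) to an action (an __EventConsumer
# subclass). Index both by relative path so bindings can be resolved.
$filters   = @{}
$consumers = @{}
Get-WmiObject -Namespace $ns -Class __EventFilter   | ForEach-Object { $filters[$_.__RELPATH]   = $_ }
Get-WmiObject -Namespace $ns -Class __EventConsumer | ForEach-Object { $consumers[$_.__RELPATH] = $_ }

Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding | ForEach-Object {
    $f = $filters[$_.Filter]      # reference string, e.g. __EventFilter.Name="..."
    $c = $consumers[$_.Consumer]  # e.g. CommandLineEventConsumer.Name="..."

    # CommandLineEventConsumer runs a program; ActiveScriptEventConsumer runs
    # VBScript/JScript. Other consumer types (log, SMTP) execute nothing.
    $action = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
              elseif ($c.ScriptText)      { $c.ScriptText }
              else                        { '<non-executing consumer>' }

    $verdict = if ($action -match $suspicious) { 'SUSPICIOUS' } else { 'review' }

    [pscustomobject]@{
        Verdict      = $verdict
        Consumer     = "$($c.__CLASS):$($c.Name)"
        FilterName   = $f.Name
        TriggerQuery = $f.Query     # WQL that fires the consumer, e.g. a timer or process start
        Action       = $action
    }
} | Sort-Object Verdict | Format-Table -AutoSize -Wrap
```

On a default Windows install the built-in SCM Event Log Filter binding appears as a non-executing consumer; any CommandLineEventConsumer or ActiveScriptEventConsumer you did not create deserves investigation regardless of verdict.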

Picus Security's analysis indicates that FIN8's attack chain typically begins with reconnaissance and credential harvesting and culminates in ransomware deployment. A key factor in the group's success is its ability to adapt; for instance, the Sardonic malware has been rewritten to improve evasion. This continuous refinement makes FIN8 a significant threat to organizations globally. Picus Security advises organizations to monitor FIN8's activities and continuously test their defenses to stay ahead of the group's evolving tactics and techniques.

Original source: picussecurity.com