FIN8 Hackers Spotted Using New 'White Rabbit' Ransomware in Recent Attacks

The financially motivated FIN8 actor, in all likelihood, has resurfaced with a never-before-seen ransomware strain called "White Rabbit" that was recently deployed against a local bank in the U.S. in December 2021.
"One of the most notable aspects of White Rabbit's attack is how its payload binary requires a specific command-line password to decrypt its internal configuration and proceed with its ransomware routine," the researchers noted.
Besides taking a leaf out of Egregor's playbook, White Rabbit adheres to the double extortion scheme and is believed to have been delivered via Cobalt Strike, a post-exploitation framework that's put to use by threat actors to reconnoiter, infiltrate, and drop malicious payloads into the affected system.
Although real-world attacks involving White Rabbit have gained attention only recently, digital forensic clues piecing together its trail point to a string of malicious activities commencing as early as July 2021.
What's more, analysis of the ransomware samples dating back to August 2021 shows that the malware is an updated version of the Sardonic backdoor, which Bitdefender described last year as an actively developed malware encountered in the aftermath of an unsuccessful attack targeting a financial institution in the U.S.

"The exact relationship between the White Rabbit group and FIN8 is currently unknown," cybersecurity company Lodestone said, adding it found a "number of TTPs suggesting that White Rabbit, if operating independently of FIN8, has a close relationship with the more established threat group or is mimicking them."
"So far, White Rabbit's targets have been few, which could mean that they are still testing the waters or warming up for a large-scale attack."
News URL: https://thehackernews.com/2022/01/fin8-hackers-spotted-using-new-white.html