White Rabbit

The financially motivated FIN8 actor, in all likelihood, has resurfaced with a never-before-seen ransomware strain called "White Rabbit" that was recently deployed against a local bank in the U.S. in December 2021.

That's according to new findings published by Trend Micro, calling out the malware's overlaps with Egregor, which was taken down by Ukrainian law enforcement authorities in February 2021.

"One of the most notable aspects of White Rabbit's attack is how its payload binary requires a specific command-line password to decrypt its internal configuration and proceed with its ransomware routine," the researchers noted. "This method of hiding malicious activity is a trick that the ransomware family Egregor uses to hide malware techniques from analysis."


Egregor, which commenced operations in September 2020 until its operations took a huge hit, is widely believed to be a reincarnation of Maze, which shut down its criminal enterprise later that year.

Besides taking a leaf out of Egregor's playbook, White Rabbit adheres to the double extortion scheme and is believed to have been delivered via Cobalt Strike, a post-exploitation framework that's put to use by threat actors to reconnoiter, infiltrate, and drop malicious payloads into the affected system.

White Rabbit

Double extortion, also known as pay-now-or-get-breached, refers to an increasingly popular ransomware strategy in which valuable data from the targets is exfiltrated prior to launching the encryption routine, followed by pressurizing the victims into paying up to prevent the stolen information from being published online.

Indeed, the ransom note displayed after the completion of the encryption process warns the victim that their data will be published or sold once the four-day deadline to meet their demands elapses. "We will also send the data to all interested supervisory organizations and the media," the note adds.


Although real-world attacks involving White Rabbit have gained attention only recently, digital forensic clues piecing together its trail point to a string of malicious activities commencing as early as July 2021.

What's more, analysis of the ransomware samples dating back to August 2021 shows that the malware is an updated version of the Sardonic backdoor, which Bitdefender described last year as an actively developed malware encountered in the aftermath of an unsuccessful attack targeting a financial institution in the U.S.

"The exact relationship between the White Rabbit group and FIN8 is currently unknown," cybersecurity company Lodestone said, adding it found a "number of TTPs suggesting that White Rabbit, if operating independently of FIN8, has a close relationship with the more established threat group or is mimicking them."

"Given that FIN8 is known mostly for its infiltration and reconnaissance tools, the connection could be an indication of how the group is expanding its arsenal to include ransomware," Trend Micro said. "So far, White Rabbit's targets have been few, which could mean that they are still testing the waters or warming up for a large-scale attack."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.