Domino Backdoor Malware Created by FIN7 and Ex-Conti

A distribution campaign for a recent backdoor shows a collaboration between Conti ransomware developers and FIN7 APT developers.

Members of the now-defunct Conti ransomware gang have been using a new strain of malware developed by threat actors likely affiliated with the FIN7 hacking group, which suggests the two teams collaborated on the malware's development.

In the past month, IBM discovered a new malware family known as "Domino," developed by ITG14, aka FIN7, one of the most notorious cybercrime groups in the world. The Domino toolkit also includes a lesser-known information stealer that has been advertised for sale on the dark web since December 2021, which facilitates further exploitation of compromised systems.

Research by IBM's X-Force team revealed that Conti threat actors began using Domino in May, when the Conti gang was disbanded. This was about four months after FIN7 started using Domino in October last year.

According to X-Force, the newly discovered "Domino" Trojan has been used by the TrickBot/Conti gang, ITG23, since February 2023.

According to IBM's research report, Domino's code overlaps with the Lizar malware previously linked to the FIN7 group. The two malware families also share functionality, configuration structure, and the formats used for handling bots.

IBM's security researchers reported that in some recent campaigns Domino may have been used in place of Lizar, also known as Tirion and Dice Loader, which was used in attacks between March 2020 and late 2022.

IBM researchers also observed attacks using a malware loader known as Dave Loader, which had previously been used by Conti ransomware and TrickBot members in the fall of 2022.

In Royal and Play ransomware attacks carried out by ex-Conti members, this loader was observed deploying Cobalt Strike beacons bearing the '206546002' watermark.

Former members of ITG23 are therefore believed to be behind the recent attacks that used Dave Loader to inject the Domino Backdoor.

ITG14, also known as FIN7, is a prolific Russian-speaking cybercriminal syndicate known for using a variety of custom malware to deploy additional payloads, broadening both its monetization methods and its distribution channels.

Domino Backdoor is a 64-bit DLL that enumerates system information, such as the names and statuses of running processes, usernames, and computer names, and sends it back to the attacker's command-and-control (C2) server for analysis. In return, the backdoor receives commands to execute and can be sent additional payloads later.

The backdoor was observed downloading an additional loader, Domino Loader, which installed an embedded information stealer calling itself 'Nemesis Project.' Alternatively, it could plant a Cobalt Strike beacon so that the backdoor itself would not be identified.

During the campaign, the threat actors used the Conti loader "Dave" to drop FIN7's Domino backdoor on endpoints. The backdoor gathered basic information about the compromised system and sent it to a command and control server (C2).

Once a system was compromised, the C2 returned an AES-encrypted payload to it. In many cases the encrypted payload was another loader with several code similarities to the initial Domino backdoor. To complete the attack chain, the Domino loader installed either a Cobalt Strike beacon or the Project Nemesis info stealer on the compromised system.

Most threat actors, especially those who use ransomware and need access to corporate networks, partner with other threat groups to distribute malware. Over the years the lines between malware developers and ransomware gangs have blurred, so there is now little distinction between them.

The lines between TrickBot and BazarBackdoor blurred in the same way once the Conti cybercrime syndicate, based in Rome, took control of both projects' development for its own operations.

According to Microsoft, a threat actor tracked as DEV-0569 carried out intrusions in November 2022 that used BATLOADER malware to deliver Vidar and Cobalt Strike; the latter eventually enabled the human-operated ransomware attacks that distributed Royal in December 2022.

As the cybercrime ecosystem grows more entangled, the picture is getting murkier, and distinguishing malware developers from ransomware gangs is becoming increasingly difficult as time goes by.