A new strain of malware developed by threat actors likely affiliated with the FIN7 cybercrime group has been put to nefarious use by the now-defunct Conti ransomware gang members, indicating collaboration between the two crews. The malware, named Domino, is primarily designed to facilitate follow-on exploitation of compromised systems, including delivering a lesser-known information stealer that has been advertised for sale on the dark web since December 2021.
Former TrickBot/Conti syndicate members have been using Domino since at least late February 2023 to deliver either the Project Nemesis information stealer or more capable backdoors such as Cobalt Strike. FIN7, also called Carbanak and ITG14, is a prolific Russian-speaking cybercriminal syndicate that employs an array of custom malware to deploy additional payloads and broaden its monetization methods.
Recent analyses by cyber threat investigators have revealed the group's role as a precursor for Maze and Ryuk ransomware attacks, not to mention exposing its connections to Black Basta, DarkSide, REvil, and LockBit families.
The latest intrusion wave spotted two months ago involves using Dave Loader, a crypto previously attributed to the Conti group (Gold Blackburn, ITG23, or Wizard Spider), to deploy the Domino backdoor. Domino's potential connections to FIN7 come from source code overlaps with DICELOADER (Lizar or Tirion), a time-tested malware family attributed to the group. The malware, for its part, is designed to gather basic sensitive information and retrieve encrypted payloads from a remote server.
This next-stage artifact is a second loader codenamed Domino Loader, which harbors an encrypted .NET information stealer referred to as Project Nemesis that is capable of amassing sensitive data from the clipboard, Discord, web browsers, crypto wallets, VPN services, and other apps. Domino has been active in the wild since at least October 2022, notably when Lizar's observations began to decrease, indicating that the threat actors may be phasing out the latter in favor of the new malware.
Another crucial link bridging Domino to FIN7 comes from a December 2022 campaign that leveraged another loader called NewWorldOrder Loader to deliver both the Domino and Carbanak backdoors. The Domino backdoor and loader, both 64-bit DLLs written in Visual C++, are said to have been used to install Project Nemesis since at least October 2022, before its use by ex-Conti members earlier this year.
This leads researchers to assess that the ITG14 members responsible for developing Domino probably had a relationship with Project Nemesis and offered Domino and the Infostealer to the ex-Conti threat actors as a package. The use of stealer malware by ransomware distributors is not without precedent. In November 2022, Microsoft cyber threat investigators revealed intrusions mounted by a threat actor known as DEV-0569 that leveraged BATLOADER malware to deliver Vidar and Cobalt Strike, the latter of which eventually facilitated human-operated ransomware attacks distributing Royal ransomware.
This has raised the possibility that information stealers are deployed during lower priority infections (e.g., personal computers), while those belonging to an Active Directory domain are served with Cobalt Strike.
Using malware with ties to multiple groups in a single campaign, such as Dave Loader, Domino Backdoor, and Project Nemesis Infostealer, highlights the complexity of tracking threat actors and provides insight into how and with whom they operate.
Note: Please visit https://redskyalliance.org for reports on the following groups:
- Conti/Trickbot
- Carbanak
- Black Basta
- DiceLoader
- Maze and Ryuk ransomware
The reports are indexed by group/malware names and can be easily searched online. All reports are available at no charge.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
Comments