Saturday, January 18, 2025
Homecyber securityEx-Conti and FIN7 Hackers Team Up To Develop Domino Backdoor Malware

Ex-Conti and FIN7 Hackers Team Up To Develop Domino Backdoor Malware

Published on

SIEM as a Service

Follow Us on Google News

The X-Force team at IBM has recently found a new malware family known as “Domino,” made by ITG14, aka FIN7, a notorious group of cyber criminals.

ITG23, a Trickbot/Conti gang monitored by X-Force, has been deploying the newly discovered malware, “Domino,” since February 2023.

The former members of this group have been using it to distribute information-stealing software:-

  • Project Nemesis
  • Cobalt Strike

The recent cyberattacks utilizing the Dave Loader to inject the Domino Backdoor are possibly linked to former members of ITG23.

The new malware family was likely obtained and used by these individuals in collaboration with current or former ITG14 developers.

Here Dave is a loader developed by the Trickbot/Conti members. While it’s believed to be composed of ex-members of the Trickbot/Conti syndicate, namely:- 

  • Quantum
  • Royal

Cybersecurity experts also discovered that Dave samples are being used to load the new malware called “Domino Backdoor.”

Domino Backdoor

With this new backdoor, gathering information about the system at the primary level is possible.

It then transmits the data gathered to the C2 and receives a payload encrypted with AES.  

This backdoor is completely capable of gathering information about the system.

It then transmits the data gathered to the C2 and receives a payload encrypted with AES.

Cybersecurity researchers recently detected Cobalt Strike beacons deployed by this loader with the ‘206546002’ watermark.

This watermark was previously observed in ransomware attacks by ex-Conti members during the Royal and Play operations.

Domino Backdoor is mainly a 64-bit DLL, and the system data that it gathers are like:-

  • Running processes
  • Usernames
  • Computer names

Upon installation of the backdoor, Domino Loader downloads an embedded info-stealer built on .NET, ‘Nemesis Project,’ which is then executed.

Project Nemesis can easily gather credentials from the following sources where they are stored in:

  • Browsers 
  • Applications
  • Cryptocurrency wallets
  • Browser history

Collab of ex-Conti members and FIN7

Cybercriminals are always looking for new opportunities, and it’s no surprise that ransomware threat actors often collaborate with other groups to disseminate the malware.

Things are getting shady in the world of cybersecurity! As time goes on, it’s becoming harder to distinguish between malware developers and ransomware gangs.

IBM’s latest findings have shed light on an exciting discovery. Apparently, the ‘NewWorldOrder’ loader, usually associated with FIN7’s Carbanak attacks, has been used to spread the Domino malware.

Dave Loader was discovered to be spreading the Domino malware, which then installs either Project Nemesis or Cobalt Strike beacons that are believed to be linked to the ransomware actions of a former member of the Conti group.

It’s challenging to track threat actors when they use malware linked to multiple groups in one campaign. As it clearly shows how complicated it could be.

Building Your Malware Defense Strategy – DownloFree E-Book

Also Read

Chinese APT Hackers Using Custom Versions of Cobalt Strike to Deploy Backdoor Malware

Hackers Abusing Open RDP ports For Remote Access using Windows Backdoor Malware

Chinese APT Hacker Group Using Old Windows Logo to Hide a Backdoor Malware

TA505 APT Hackers Launching ServHelper Backdoor Malware via Weaponized Excel Documents

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Hackers Easily Bypass Active Directory Group Policy to Allow Vulnerable NTLMv1 Auth Protocol

Researchers have discovered a critical flaw in Active Directory’s NTLMv1 mitigation strategy, where misconfigured...

AWS Warns of Multiple Vulnerabilities in Amazon WorkSpaces, Amazon AppStream 2.0, & Amazon DCV

Amazon Web Services (AWS) has issued a critical security advisory highlighting vulnerabilities in specific...

FlowerStorm PaaS Platform Attacking Microsoft Users With Fake Login Pages

Rockstar2FA is a PaaS kit that mimics the legitimate credential-request behavior of cloud/SaaS platforms....

New Tool Unveiled to Scan Hacking Content on Telegram

A Russian software developer, aided by the National Technology Initiative, has introduced a groundbreaking...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Hackers Easily Bypass Active Directory Group Policy to Allow Vulnerable NTLMv1 Auth Protocol

Researchers have discovered a critical flaw in Active Directory’s NTLMv1 mitigation strategy, where misconfigured...

AWS Warns of Multiple Vulnerabilities in Amazon WorkSpaces, Amazon AppStream 2.0, & Amazon DCV

Amazon Web Services (AWS) has issued a critical security advisory highlighting vulnerabilities in specific...

FlowerStorm PaaS Platform Attacking Microsoft Users With Fake Login Pages

Rockstar2FA is a PaaS kit that mimics the legitimate credential-request behavior of cloud/SaaS platforms....