Tuesday, October 8, 2024
Homecyber securityEx-Conti and FIN7 Hackers Team Up To Develop Domino Backdoor Malware

Ex-Conti and FIN7 Hackers Team Up To Develop Domino Backdoor Malware

Published on

The X-Force team at IBM has recently found a new malware family known as “Domino,” made by ITG14, aka FIN7, a notorious group of cyber criminals.

ITG23, a Trickbot/Conti gang monitored by X-Force, has been deploying the newly discovered malware, “Domino,” since February 2023.

The former members of this group have been using it to distribute information-stealing software:-

- Advertisement - EHA
  • Project Nemesis
  • Cobalt Strike

The recent cyberattacks utilizing the Dave Loader to inject the Domino Backdoor are possibly linked to former members of ITG23.

The new malware family was likely obtained and used by these individuals in collaboration with current or former ITG14 developers.

Here Dave is a loader developed by the Trickbot/Conti members. While it’s believed to be composed of ex-members of the Trickbot/Conti syndicate, namely:- 

  • Quantum
  • Royal

Cybersecurity experts also discovered that Dave samples are being used to load the new malware called “Domino Backdoor.”

Domino Backdoor

With this new backdoor, gathering information about the system at the primary level is possible.

It then transmits the data gathered to the C2 and receives a payload encrypted with AES.  

This backdoor is completely capable of gathering information about the system.

It then transmits the data gathered to the C2 and receives a payload encrypted with AES.

Cybersecurity researchers recently detected Cobalt Strike beacons deployed by this loader with the ‘206546002’ watermark.

This watermark was previously observed in ransomware attacks by ex-Conti members during the Royal and Play operations.

Domino Backdoor is mainly a 64-bit DLL, and the system data that it gathers are like:-

  • Running processes
  • Usernames
  • Computer names

Upon installation of the backdoor, Domino Loader downloads an embedded info-stealer built on .NET, ‘Nemesis Project,’ which is then executed.

Project Nemesis can easily gather credentials from the following sources where they are stored in:

  • Browsers 
  • Applications
  • Cryptocurrency wallets
  • Browser history

Collab of ex-Conti members and FIN7

Cybercriminals are always looking for new opportunities, and it’s no surprise that ransomware threat actors often collaborate with other groups to disseminate the malware.

Things are getting shady in the world of cybersecurity! As time goes on, it’s becoming harder to distinguish between malware developers and ransomware gangs.

IBM’s latest findings have shed light on an exciting discovery. Apparently, the ‘NewWorldOrder’ loader, usually associated with FIN7’s Carbanak attacks, has been used to spread the Domino malware.

Dave Loader was discovered to be spreading the Domino malware, which then installs either Project Nemesis or Cobalt Strike beacons that are believed to be linked to the ransomware actions of a former member of the Conti group.

It’s challenging to track threat actors when they use malware linked to multiple groups in one campaign. As it clearly shows how complicated it could be.

Building Your Malware Defense Strategy – DownloFree E-Book

Also Read

Chinese APT Hackers Using Custom Versions of Cobalt Strike to Deploy Backdoor Malware

Hackers Abusing Open RDP ports For Remote Access using Windows Backdoor Malware

Chinese APT Hacker Group Using Old Windows Logo to Hide a Backdoor Malware

TA505 APT Hackers Launching ServHelper Backdoor Malware via Weaponized Excel Documents

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Hackers Gained Unauthorized Network Access to Casio Networks

Casio Computer Co., Ltd. has confirmed that a third party illegally accessed its network...

Open-Source Scanner Released to Detect CUPS Vulnerability

A new open-source scanner has been released to detect a critical vulnerability in the...

Comcast Cyber Attack Impacts 237,000+ Users Personal Data

Comcast Cable Communications LLC has reported that over 237,000 users' data has been compromised....

American Water Works Cyber Attack Impacts IT Systems

American Water Works Company, Inc., a leading provider of water and wastewater services, announced...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Hackers Gained Unauthorized Network Access to Casio Networks

Casio Computer Co., Ltd. has confirmed that a third party illegally accessed its network...

Open-Source Scanner Released to Detect CUPS Vulnerability

A new open-source scanner has been released to detect a critical vulnerability in the...

Comcast Cyber Attack Impacts 237,000+ Users Personal Data

Comcast Cable Communications LLC has reported that over 237,000 users' data has been compromised....