Ex-Conti and FIN7 Hackers Team Up To Develop Domino Backdoor Malware

The X-Force team at IBM has recently found a new malware family known as “Domino,” made by ITG14, aka FIN7, a notorious group of cyber criminals.

ITG23, a Trickbot/Conti gang monitored by X-Force, has been deploying the newly discovered malware, “Domino,” since February 2023.

The former members of this group have been using it to distribute information-stealing software:-

• Project Nemesis
• Cobalt Strike

The recent cyberattacks utilizing the Dave Loader to inject the Domino Backdoor are possibly linked to former members of ITG23.

The new malware family was likely obtained and used by these individuals in collaboration with current or former ITG14 developers.

Here Dave is a loader developed by the Trickbot/Conti members. While it’s believed to be composed of ex-members of the Trickbot/Conti syndicate, namely:- 

• Quantum
• Royal

Cybersecurity experts also discovered that Dave samples are being used to load the new malware called “Domino Backdoor.”

Domino Backdoor

With this new backdoor, gathering information about the system at the primary level is possible.

It then transmits the data gathered to the C2 and receives a payload encrypted with AES.  

This backdoor is completely capable of gathering information about the system.

It then transmits the data gathered to the C2 and receives a payload encrypted with AES.

Cybersecurity researchers recently detected Cobalt Strike beacons deployed by this loader with the ‘206546002’ watermark.

This watermark was previously observed in ransomware attacks by ex-Conti members during the Royal and Play operations.

Domino Backdoor is mainly a 64-bit DLL, and the system data that it gathers are like:-

• Running processes
• Usernames
• Computer names

Upon installation of the backdoor, Domino Loader downloads an embedded info-stealer built on .NET, ‘Nemesis Project,’ which is then executed.

Project Nemesis can easily gather credentials from the following sources where they are stored in:

• Browsers
• Applications
• Cryptocurrency wallets
• Browser history

Collab of ex-Conti members and FIN7

Cybercriminals are always looking for new opportunities, and it’s no surprise that ransomware threat actors often collaborate with other groups to disseminate the malware.

Things are getting shady in the world of cybersecurity! As time goes on, it’s becoming harder to distinguish between malware developers and ransomware gangs.

IBM’s latest findings have shed light on an exciting discovery. Apparently, the ‘NewWorldOrder’ loader, usually associated with FIN7’s Carbanak attacks, has been used to spread the Domino malware.

Dave Loader was discovered to be spreading the Domino malware, which then installs either Project Nemesis or Cobalt Strike beacons that are believed to be linked to the ransomware actions of a former member of the Conti group.

It’s challenging to track threat actors when they use malware linked to multiple groups in one campaign. As it clearly shows how complicated it could be.

Building Your Malware Defense Strategy – DownloFree E-Book

Also Read

Chinese APT Hackers Using Custom Versions of Cobalt Strike to Deploy Backdoor Malware

Hackers Abusing Open RDP ports For Remote Access using Windows Backdoor Malware

Chinese APT Hacker Group Using Old Windows Logo to Hide a Backdoor Malware

TA505 APT Hackers Launching ServHelper Backdoor Malware via Weaponized Excel Documents