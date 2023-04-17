



A new malware family called Domino has been observed since late February in attacks that deliver information-stealing programs and backdoors such as Cobalt Strike.

Researchers from IBM Security’s X-Force team believe the malware was deployed by former members of the Conti ransomware group and was developed by the FIN7 cybercriminal group, indicating at least some degree of collaboration between the two groups. The researchers say their information comes from analyzing malware samples, so they have no additional information about the targets or victims of the related campaigns. However, they have observed Domino being loaded by the Dave loader (previously used by the Conti group) and used to deliver final payloads such as the Project Nemesis infostealer, which was first advertised on the dark web in 2021.

Charlotte Hammond and Ole Villadsen, researchers at IBM Security X-Force, wrote in an analysis published on Friday that a recently observed Dave sample was found loading new malware, which they dubbed the Domino Backdoor. The new backdoor collects basic system information and sends it to the C2 server, receiving an AES-encrypted payload in return.

The Domino malware has been active since at least October, but since February researchers have observed campaigns in which the Dave loader delivers the Domino backdoor, linking them to former members of the Conti and Trickbot syndicates. Conti went out of business last year, but many of the syndicate’s tools, including the Dave loader, continue to be maintained and used by former members. The Dave loader has been observed in many campaigns deploying IcedID and Emotet, for example.

Researchers believe the malware was created by developers associated with the FIN7 cybercriminal group, based on Domino’s similarity to the Lizar malware family. FIN7 has been known to compromise software supply chains and use stolen credentials to launch data theft and ransomware attacks. FIN7’s reconnaissance toolset, Lizar, includes multiple components, including a loader and numerous modules/plugins. In addition to the code overlap, Domino uses similar API calls, generates system IDs in a similar way, and has the same loader configuration structure as Lizar. The Domino backdoor also incorporates elements found in some of the plugins used by Lizar, the researchers said.

Once the Domino backdoor is deployed, it executes a second loader payload containing an encrypted .NET binary. The encrypted payload is a .NET infostealer called Project Nemesis that collects data from browsers and applications on the target device. In some cases, the Domino backdoor is designed to connect to a different C2 address on domain-joined systems, which suggests that on such higher-value targets it downloads a more functional backdoor such as Cobalt Strike rather than Project Nemesis, the researchers say.

This analysis is another example of the nuanced relationship between cybercrime groups and their members. As the threat landscape becomes more fluid, threat actors are collaborating, shutting down or rebranding, relying on affiliate models, and offering malware-as-a-service, often complicating security researchers’ analysis.

The use of malware associated with multiple groups in a single campaign, such as the Dave loader, the Domino backdoor, and the Project Nemesis infostealer, not only highlights the complexity involved in tracking attackers, but also provides insight into how they work and who they work with, the researchers said.

