Security researchers from IBM's X-Force team have identified a new malware family they call "Domino". It was most likely written by developers close to the FIN7 cybercrime group. Since the end of February, former members of the Conti/Trickbot syndicate have been using Domino to drop either the Project Nemesis information stealer or more capable backdoors such as Cobalt Strike onto victim systems.

Charlotte Hammond, who presented the findings in an IBM blog post, says the discovery illustrates how intertwined the relationships between cybercriminal groups and their members have become. The researchers observed that, since the end of February, the campaigns installing the Domino backdoor have delivered it with the so-called Dave Loader, which has been attributed to the Trickbot/Conti syndicate and its former members. Domino's code overlaps with the Lizar malware (also known as Tirion or Diceloader), which leads the researchers to suspect it was written by current or former FIN7 developers. One of the payloads installed via Domino is the Project Nemesis information stealer. It has been advertised on darknet forums since December 2021 but has rarely been seen in use since then.

Former Conti members are therefore the likely operators of the recent campaigns that use the Dave Loader to fetch the Domino backdoor, and they presumably obtained the new malware family by buying it from, or collaborating with, current or former FIN7 developers. According to IBM X-Force, the Dave Loader belongs to the Conti toolset. Although the group has disbanded, many of its loaders and crypters are still being maintained and used by former members and the new factions they have joined, such as Quantum, Royal, Black Basta or Zeon.

The Dave Loader has recently been seen delivering several Cobalt Strike samples that share a specific watermark, and that watermark could be traced back to groups with ex-Conti members such as Quantum and Royal. IBM X-Force has observed Cobalt Strike samples carrying this watermark, loaded by the Dave Loader, in Royal ransomware attacks since autumn 2022. This year the loader has also been used to deliver IcedID and Emotet, both of which serve as initial access vectors for ransomware operations run by former Conti affiliates.
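The watermark pivot described above depends on pulling the license ID out of a Beacon's embedded configuration. The following Python is an added example, not IBM X-Force's code, and it is not tied to the actual watermark from the report, which this page does not give. It locates the XOR-encoded Beacon config in a sample (single-byte key 0x69 for 3.x builds, 0x2e for 4.x), decodes it, walks the big-endian TLV settings table and returns setting 37, the watermark. The blob it parses is constructed inline as a fixture; the watermark value 1234567 and the C2 host are invented for the demonstration.

```python
"""Find a Cobalt Strike Beacon config in a blob, decode it and extract the
watermark (license ID), the field analysts use to cluster samples by operator.

Added illustration, not code from IBM X-Force or the Domino report. The layout
(single-byte XOR key, TLV settings, setting 37 = watermark) is the publicly
documented Beacon config format; the sample below is a constructed fixture and
its watermark 1234567 is a made-up value.
"""
import struct
from typing import Optional

# Known XOR keys: 0x69 for Beacon 3.x, 0x2e for Beacon 4.x.
XOR_KEYS = (0x69, 0x2E)
# A decoded config starts with setting 1 (BeaconType) as a 2-byte short:
# index=0x0001, type=0x0001, length=0x0002.
CONFIG_PREFIX = b"\x00\x01\x00\x01\x00\x02"

TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3
SETTING_WATERMARK = 37  # documented setting index of the license watermark


def find_and_decode_config(blob: bytes) -> Optional[bytes]:
    """Search for the XOR-encoded config header; return the decoded tail of the blob."""
    for key in XOR_KEYS:
        encoded_prefix = bytes(b ^ key for b in CONFIG_PREFIX)
        idx = blob.find(encoded_prefix)
        if idx != -1:
            return bytes(b ^ key for b in blob[idx:])
    return None


def parse_settings(config: bytes) -> dict:
    """Walk the TLV table: [index:2][type:2][length:2][data:length], big-endian.
    An index of 0 terminates the table (the decoded bytes after it are padding)."""
    settings = {}
    pos = 0
    while pos + 6 <= len(config):
        index, typ, length = struct.unpack_from(">HHH", config, pos)
        pos += 6
        if index == 0:
            break
        data = config[pos:pos + length]
        pos += length
        if typ == TYPE_SHORT and length == 2:
            settings[index] = struct.unpack(">H", data)[0]
        elif typ == TYPE_INT and length == 4:
            settings[index] = struct.unpack(">I", data)[0]
        else:  # TYPE_DATA or anything unexpected: keep raw bytes
            settings[index] = data
    return settings


def extract_watermark(blob: bytes) -> Optional[int]:
    """Return the watermark as an int, or None if no config is found."""
    config = find_and_decode_config(blob)
    if config is None:
        return None
    wm = parse_settings(config).get(SETTING_WATERMARK)
    return wm if isinstance(wm, int) else None


# --- constructed fixture (not a real sample) --------------------------------
def _setting(index: int, typ: int, data: bytes) -> bytes:
    return struct.pack(">HHH", index, typ, len(data)) + data


def build_sample(watermark: int, key: int = 0x2E) -> bytes:
    """Build a synthetic encoded config surrounded by junk bytes."""
    decoded = (
        _setting(1, TYPE_SHORT, struct.pack(">H", 0))        # BeaconType: HTTP
        + _setting(2, TYPE_SHORT, struct.pack(">H", 80))     # Port
        + _setting(3, TYPE_INT, struct.pack(">I", 60000))    # SleepTime (ms)
        + _setting(8, TYPE_DATA, b"example.invalid,/updates".ljust(256, b"\x00"))  # C2 (invented)
        + _setting(SETTING_WATERMARK, TYPE_INT, struct.pack(">I", watermark))
        + b"\x00" * 6                                         # terminator
    )
    encoded = bytes(b ^ key for b in decoded)
    return b"\x90" * 32 + encoded + b"\xcc" * 32


if __name__ == "__main__":
    sample = build_sample(1234567)
    print("watermark:", extract_watermark(sample))  # -> 1234567
```

Run against a real Beacon stage or dumped memory region, the same search-decode-parse sequence yields the watermark that can then be compared across samples; a match is a useful pivot, but, as with the IP overlap discussed later in the article, it is circumstantial (watermarks travel with leaked or pirated licenses) and should be weighed alongside code and infrastructure evidence.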

The FIN7 connection rests on code that the Domino backdoor and its loaders share with the Lizar malware, which is attributed to that group. Beyond similarities in programming style and functionality, Domino and Diceloader use the same configuration structure and the same bot ID format. Lizar was reportedly first deployed in March 2020, when it was still called Tirion, and was then seen in numerous FIN7 campaigns until the end of 2022. Domino has been in the wild since at least October 2022, and Lizar sightings have declined since Domino appeared.

A further indication is the first use of the NewWorldOrder loader towards the end of last year. That loader was also used to deliver the Carbanak backdoor, which FIN7 has relied on since 2015. In addition, the IP addresses of Domino's command-and-control servers lie close to those FIN7 previously used for its SSH-based backdoors. Infrastructure overlap of this kind is weak evidence on its own and not sufficient for a confident attribution, but it is consistent with the other findings.

Such cooperation is not new. According to Hammond, as early as 2020 researchers observed FIN7 deploying the Ryuk ransomware, which is attributed to the Trickbot/Conti syndicate. Others have found links between a FIN7 developer and tools used by the Black Basta group, which in turn has ties to the former Conti gang.

Hammond concludes that these tangled relationships create opportunities for cybercriminals, but also show how complex tracking threat actors has become. Beyond mapping the connections between the groups, the blog post provides detailed analyses of the malware samples as well as indicators of compromise (IOCs) for the campaigns described.


(dmk)
