
Ex-Conti Members and Fin7 APT Join Hands for New Domino Backdoor

Since late February, researchers at IBM Security X-Force have been tracking a new malware campaign built around a backdoor named Domino and linked to ITG23 (the TrickBot/Conti syndicate). Domino is believed to have been developed by the FIN7 group and is being used to deploy either the Project Nemesis info-stealer or Cobalt Strike.

More details about the campaign

According to the researchers, ITG23 uses Dave Loader to load the Domino backdoor in its campaigns.
  • The backdoor is written in Visual C++ and is designed to collect basic system information and send it to the actor-controlled C2 server.
  • In some instances, Domino Loader was also used in the initial stage of the attack to deploy the Domino backdoor.
  • Domino Loader carries an encrypted payload, the Project Nemesis info-stealer, in its resources; that payload is executed in the final stage of the attack.

Analysis of Domino backdoor

Domino has been active in the wild since at least October 2022 and shares similarities with the Lizar malware, also known as Tirion and DiceLoader.
  • Beyond a similar coding style, the Domino backdoor and loader share their configuration structure and bot ID format with Lizar.
  • X-Force researchers also found additional evidence connecting the Domino backdoor to FIN7's Carbanak backdoor.
  • Upon execution, Domino generates a bot ID for the infected system by collecting the username and hostname and hashing them; the ID lets the operators keep track of each compromised system individually.

About Project Nemesis info-stealer

Project Nemesis is a commodity info-stealer written in .NET.
  • It was first advertised for sale on the dark web in December 2021, though it has rarely been observed in the wild.
  • Upon execution, it collects data stored by Chromium-based browsers: credentials, cookies, credit card details, bookmarks, autofill data and browsing history.
  • It can also collect crypto wallet data from the MetaMask, TronLink and Binance browser extensions.
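The behaviour described above is what a hunt for this stealer would key on: a single non-browser process reading several Chromium profile artifacts (Login Data, Cookies, Web Data, Bookmarks, History) and the local storage of wallet extensions. The script below is an added example and is not code from IBM X-Force, Cyware or the malware; it runs a simple hunting rule over constructed file-access telemetry. The JSON line format, the process names and the sample events are assumptions made for the example, and the extension IDs are taken from the public Chrome Web Store listings and should be verified before deployment.

```python
import json
import re
from collections import defaultdict

# Chrome Web Store extension IDs for the wallets named in the report.
# Assumption: taken from the public store listings; verify before use.
WALLET_EXTENSION_IDS = {
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask",
    "ibnejdfjmmkpcnlpebklmnkoeoihofec": "TronLink",
    "fhbohimaelbohpjbbldcngcnapndodjp": "Binance Chain Wallet",
}

# Artifacts inside a Chromium "User Data\<profile>" directory and what they hold.
CHROMIUM_ARTIFACTS = [
    (re.compile(r"[\\/]login data$", re.I), "credentials"),
    (re.compile(r"[\\/]cookies$", re.I), "cookies"),
    (re.compile(r"[\\/]web data$", re.I), "autofill/cards"),
    (re.compile(r"[\\/]bookmarks$", re.I), "bookmarks"),
    (re.compile(r"[\\/]history$", re.I), "history"),
]
# Extension storage lives under "Local Extension Settings\<32-char id>"; IDs use a-p only.
EXT_DIR = re.compile(r"[\\/]local extension settings[\\/]([a-p]{32})", re.I)

# Browsers legitimately read their own profile; they are not flagged on their own.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}


def classify_path(path):
    """Return an artifact label for a Chromium profile path, or None if the path
    is not a credential, cookie, autofill, bookmark, history or wallet store."""
    if "user data" not in path.lower():
        return None
    m = EXT_DIR.search(path)
    if m:
        wallet = WALLET_EXTENSION_IDS.get(m.group(1).lower())
        return "wallet:" + wallet if wallet else None  # other extensions are ignored
    for rx, label in CHROMIUM_ARTIFACTS:
        if rx.search(path):
            return label
    return None


def hunt(lines, min_categories=2):
    """Group file-access events by process and flag every non-browser process that
    read at least `min_categories` kinds of browser data or any wallet store."""
    touched = defaultdict(set)  # pid -> set of artifact labels
    images = {}                 # pid -> image path
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        label = classify_path(ev["path"])
        if label is None:
            continue
        touched[ev["pid"]].add(label)
        images[ev["pid"]] = ev["image"]
    findings = []
    for pid, labels in touched.items():
        image = images[pid]
        if image.lower().rsplit("\\", 1)[-1] in BROWSER_IMAGES:
            continue
        has_wallet = any(l.startswith("wallet:") for l in labels)
        if has_wallet or len(labels) >= min_categories:
            findings.append({"pid": pid, "image": image, "artifacts": sorted(labels)})
    return findings


# Constructed telemetry (one JSON object per line, as an EDR might export it).
# pid 7788 mimics a stealer; the other processes are benign noise.
SAMPLE_TELEMETRY = r"""
{"ts":"2023-03-01T10:00:01Z","pid":4120,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts":"2023-03-01T10:02:13Z","pid":7788,"image":"C:\\Users\\alice\\AppData\\Roaming\\Updater\\svchost.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts":"2023-03-01T10:02:13Z","pid":7788,"image":"C:\\Users\\alice\\AppData\\Roaming\\Updater\\svchost.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}
{"ts":"2023-03-01T10:02:14Z","pid":7788,"image":"C:\\Users\\alice\\AppData\\Roaming\\Updater\\svchost.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"}
{"ts":"2023-03-01T10:02:14Z","pid":7788,"image":"C:\\Users\\alice\\AppData\\Roaming\\Updater\\svchost.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\nkbihfbeogaeaoehlefnkodbefgpgknn\\000003.log"}
{"ts":"2023-03-01T10:05:40Z","pid":9001,"image":"C:\\Windows\\explorer.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Bookmarks"}
{"ts":"2023-03-01T10:06:02Z","pid":9100,"image":"C:\\Program Files\\Backup\\backup.exe","path":"C:\\Users\\alice\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Local Extension Settings\\abcdefghijklmnopabcdefghijklmnop\\000001.log"}
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_TELEMETRY.splitlines()):
        print(f"pid {f['pid']} {f['image']} read: {', '.join(f['artifacts'])}")
```

On the sample data only pid 7788 is reported (credentials, cookies, autofill/cards and the MetaMask store); chrome.exe is skipped as a browser, and the two processes that touch a single artifact stay below the threshold. The threshold and the browser allow-list are the knobs to tune: backup agents and sync tools will legitimately read Bookmarks or History, which is why one category alone is not enough, while any read of a wallet extension store by a non-browser is worth a look on its own.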

Summing up

The mix of malware used across this campaign shows how intertwined cybercriminal groups and their members have become, and how much harder that makes tracking and attributing threat actors. Organizations and security teams need a robust Threat Intelligence Platform (TIP) to identify and understand the scope and extent of such attacks. With a suitable TIP, they can enrich and correlate the IoCs associated with a threat and take the necessary defensive actions.
Publisher: Cyware