FIN7 and Ex-Conti Cybercrime Gangs Join Domino Malware Attack

April 17, 2023 | Ravie Lakshmanan

A new type of malware developed by a threat actor likely affiliated with the cybercrime group FIN7 has been used by members of the now-defunct Conti ransomware gang, suggesting a collaboration between the two crews.

The malware, dubbed Domino, is primarily designed to facilitate advanced exploitation of compromised systems, including delivering a little-known information stealer that has been advertised for sale on the dark web since December 2021.

“Former members of the TrickBot/Conti syndicate (…) have been using Domino since at least late February 2023 to deliver Project Nemesis information stealers or more capable backdoors like Cobalt Strike,” IBM Security X-Force security researcher Charlotte Hammond said in a report published last week.

FIN7, also called Carbanak and ITG14, is a well-known Russian-speaking cybercriminal syndicate that uses a specialized malware suite to spread additional malware and expand its monetization methods.

Recent analyses by Google-owned Mandiant, SentinelOne and PRODAFT have revealed the group’s role as a precursor to Maze and Ryuk ransomware attacks, not to mention exposing its connections to the Black Basta, DarkSide, REvil, and LockBit families.

The most recent wave of intrusions, discovered by IBM Security X-Force two months ago, involves the use of Dave Loader, a crypter previously associated with the Conti group (aka Gold Blackburn, ITG23, or Wizard Spider), to deploy the Domino backdoor.


Domino’s potential connection to FIN7 stems from source code overlaps with DICELOADER (aka Lizar or Tirion), a time-tested malware family with which the group is associated. The malware, for its part, is designed to gather basic sensitive information and retrieve encrypted payloads from remote servers.

This next-stage artifact is a second loader codenamed Domino Loader, which houses an encrypted .NET information stealer called Project Nemesis capable of collecting sensitive data from clipboards, Discord, web browsers, crypto wallets, VPN services, and other applications.

“Domino has been active in the wild since at least October 2022, especially when observations of Lizar started to decline,” Hammond said, suggesting that the threat actors may be phasing out the latter.

Another important link bridging Domino to FIN7 comes from a December 2022 campaign that used another loader, called NewWorldOrder Loader, to deliver both the Domino and Carbanak backdoors.



The Domino backdoor and loader – both 64-bit DLLs written in Visual C++ – are said to have been used to install Project Nemesis since at least October 2022, before being used by a former Conti member earlier this year.

The use of stealer malware by ransomware distributors is not without precedent. In November 2022, Microsoft disclosed an intrusion carried out by a threat actor known as DEV-0569 that leveraged BATLOADER malware to deliver Vidar and Cobalt Strike, the latter ultimately facilitating a human-operated ransomware attack that distributed the Royal ransomware.

This raises the possibility that information stealers are deployed during lower-priority infections (e.g., personal computers), while machines belonging to Active Directory domains are served Cobalt Strike.

“The use of malware associated with multiple groups in a single campaign — such as Dave Loader, Domino Backdoor, and Project Nemesis Infostealer — highlights the complexities involved in tracking threat actors, but also provides insight into how and with whom they operate,” concluded Hammond.
