Ex-Conti members and FIN7 devs team up to push new Domino malware


Ex-Conti ransomware members have teamed up with the FIN7 threat actors to distribute a new malware family named ‘Domino’ in attacks on corporate networks.

Domino is a relatively new malware family consisting of two components: a backdoor named ‘Domino Backdoor,’ which in turn drops a ‘Domino Loader’ that injects an info-stealing malware DLL into the memory of another process.

IBM’s Security Intelligence researchers have been tracking ex-Conti and TrickBot members using the new malware in attacks since February 2023.

However, a new IBM report released Friday links the actual development of the Domino malware to the FIN7 hacking group, a cybercriminal outfit linked to a variety of malware and to the BlackBasta and DarkSide ransomware operations.

The Domino malware attacks

Since the fall of 2022, IBM researchers have been tracking attacks using a malware loader named ‘Dave Loader’ that is linked to former Conti ransomware and TrickBot members.

This loader was seen deploying Cobalt Strike beacons that use a ‘206546002’ watermark, observed in attacks by ex-Conti members in the Royal and Play ransomware operations.
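The watermark is the attribution hook in the paragraph above. The following added example (not from the article or IBM’s report) shows how a defender clusters a recovered beacon configuration by that value: it removes the single-byte XOR mask from a constructed settings block, walks its TLV records and looks up the watermark. The mask byte, the TLV layout and the watermark setting index follow commonly documented Beacon configuration layouts but are assumptions here; the sample block and C2 host name are constructed.

```python
import struct

# Watermark the article ties to ex-Conti activity (Royal/Play operations).
KNOWN_WATERMARKS = {206546002: "ex-Conti cluster (Royal/Play) per IBM"}

# Setting index and value types assumed for the Beacon configuration block
# (commonly documented layout; an assumption for this example, not from the article).
SETTING_WATERMARK = 37
TYPE_SHORT, TYPE_INT, TYPE_BYTES = 1, 2, 3
XOR_KEY = 0x2E  # single-byte mask assumed for the stored configuration

def unmask(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Strip (or, since XOR is symmetric, apply) the single-byte mask."""
    return bytes(b ^ key for b in blob)

def parse_settings(config: bytes) -> dict:
    """Walk big-endian TLV records: uint16 index, uint16 type, uint16 length, value."""
    settings, pos = {}, 0
    while pos + 6 <= len(config):
        idx, typ, length = struct.unpack_from(">HHH", config, pos)
        pos += 6
        if idx == 0:  # an all-zero record terminates the block
            break
        raw = config[pos:pos + length]
        pos += length
        if typ == TYPE_SHORT:
            settings[idx] = struct.unpack(">H", raw[:2])[0]
        elif typ == TYPE_INT:
            settings[idx] = struct.unpack(">I", raw[:4])[0]
        else:
            settings[idx] = raw.rstrip(b"\x00")  # strings are NUL-padded
    return settings

def classify_watermark(masked_config: bytes) -> tuple:
    """Return (watermark, cluster label); the label is None for an unknown watermark."""
    wm = parse_settings(unmask(masked_config)).get(SETTING_WATERMARK)
    return wm, KNOWN_WATERMARKS.get(wm)

def build_sample_config(watermark: int, c2: bytes) -> bytes:
    """Construct a masked settings block for testing (constructed sample, not a real beacon)."""
    records = struct.pack(">HHHH", 2, TYPE_SHORT, 2, 443)                        # port
    records += struct.pack(">HHH", 8, TYPE_BYTES, 256) + c2.ljust(256, b"\x00")  # C2 host
    records += struct.pack(">HHHI", SETTING_WATERMARK, TYPE_INT, 4, watermark)
    records += struct.pack(">HHH", 0, 0, 0)                                      # terminator
    return unmask(records)

if __name__ == "__main__":
    sample = build_sample_config(206546002, b"c2.example.invalid")
    print(classify_watermark(sample))  # (206546002, 'ex-Conti cluster (Royal/Play) per IBM')
```

In practice the masked block is carved from a beacon stage or process memory dump; a watermark seen across unrelated intrusions is a clustering signal, not proof of a single operator.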

IBM says Dave Loader has also been seen deploying Emotet, which was used almost exclusively by the Conti ransomware operation in June 2022, and later by the BlackBasta and Quantum ransomware gangs.

More recently, however, IBM says it has seen Dave Loader installing the new Domino malware family.

Most commonly, Dave Loader would drop ‘Domino Backdoor,’ which would then install ‘Domino Loader.’

Domino Backdoor is a 64-bit DLL that enumerates system information, such as running processes, usernames, and computer names, and sends it back to the attacker’s command and control (C2) server. The backdoor also receives commands to execute or further payloads to install.

The backdoor was seen downloading an additional loader, Domino Loader, that installs an embedded .NET info-stealer known as ‘Project Nemesis.’ It can also plant a Cobalt Strike beacon for better persistence.

“The Domino Backdoor is designed to contact a different C2 address for domain-joined systems, suggesting a more capable backdoor, such as Cobalt Strike, will be downloaded on higher value targets instead of Project Nemesis,” explain IBM researchers Charlotte Hammond and Ole Villadsen.

[Figure: Domino malware attack flow. Source: IBM]

Project Nemesis is a standard information-stealing malware that can collect credentials saved in browsers and applications, cryptocurrency wallets, and browser history.

Ex-Conti members team up with FIN7

Threat actors, especially those that use ransomware, commonly partner with other threat groups to distribute malware and to gain initial access to corporate networks.

For example, TrickBot, Emotet, BazarBackdoor, and QBot (QakBot) have a long history of providing initial access to ransomware operations, such as REvil, Maze, Egregor, BlackBasta, Ryuk, and Conti.

Over time, the lines between the malware developers and the ransomware gangs have grown murky, making it hard to distinguish between the two operations.

With the formation of the Conti cybercrime syndicate, these lines faded even more as the ransomware operation assumed control of both TrickBot and BazarBackdoor’s development for its own operations.

Furthermore, after Conti shut down, the ransomware operation splintered into smaller cells, with members moving throughout the ransomware space, including Royal, Play, Quantum/Zeon/Dagon, BlackBasta, LockBit, and more.

IBM has attributed the Domino malware family to FIN7 due to a variety of code overlaps with Lizar (aka Tirion and DiceLoader), a post-exploitation toolkit associated with FIN7.

Furthermore, IBM found that a loader named ‘NewWorldOrder,’ commonly used in FIN7’s Carbanak attacks, was recently used to push the Domino malware.

[Figure: NewWorldOrder loading Domino. Source: IBM]

So, in a complicated joint venture, we have Dave Loader (TrickBot/Conti) pushing the Domino (FIN7) malware, which in turn deploys Project Nemesis or Cobalt Strike beacons believed to be associated with ex-Conti member ransomware activity.

This means defenders have to deal with a complicated web of threat actors, all with malware allowing remote access to networks.
