A new strain of malware developed by attackers with ties to the FIN7 cybercriminal group was used by former members of the now-defunct Conti ransomware gang, indicating a collaboration between the two hacker groups.
The malware, dubbed Domino, is primarily intended to enable follow-on exploitation by deploying additional malicious software on compromised systems.
“Former members of the TrickBot/Conti syndicate have been using Domino since at least the end of February 2023 to deliver the Project Nemesis information stealer or more powerful backdoors such as Cobalt Strike,” an IBM Security X-Force security researcher said in the report.
FIN7, also known as Carbanak and ITG14, is a prolific Russian-speaking cybercriminal syndicate that uses a variety of custom malware to deploy various payloads.
The latest wave of intrusions detected by IBM Security X-Force two months ago involved the use of the Dave Loader to deploy the Domino backdoor.
Potential links between Domino and FIN7 lie in the overlap between the new malware's source code and that of DICELOADER (aka Lizar or Tirion), which is attributed to the FIN7 group. This malware is designed to collect sensitive information and retrieve encrypted payloads from a remote attacker-controlled server.
In the next stage of the infection, a second loader, codenamed Domino, comes into play; it contains an encrypted information stealer known as Project Nemesis, which is capable of collecting sensitive data from the clipboard, Discord, web browsers, crypto wallets, VPN services and other applications.
Another important event connecting Domino with FIN7 dates back to December last year, when the same loader, NewWorldOrder, was used to deliver both the Domino and Carbanak backdoors.
This "matryoshka doll" of malware and loaders used in this campaign is not a fundamentally new scheme. In November 2022, Microsoft Threat Intelligence reported cyberattacks orchestrated by an attacker tracked as DEV-0569, which used the BATLOADER malware to deliver Vidar and Cobalt Strike, the latter of which eventually contributed to the deployment of the Royal ransomware.
“The use of malware that is associated with multiple groups of attackers within a single campaign, such as Dave Loader, Domino Backdoor and Project Nemesis Infostealer, highlights the difficulty of tracking down cybercriminals, but also provides insight into how and with whom they cooperate,” the IBM Security researcher concluded.