New Domino Backdoor malware linked to ex-Conti, FIN7 criminals
Evidence suggests that gang members have teamed up, researchers warned


Security researchers have linked a new malware, dubbed Domino Backdoor, to former members of the prolific Conti and FIN7 groups.
Domino Backdoor has been used to deploy infostealer malware using the same methodologies and code shared by the infamous groups, suggesting a dangerous new alliance.
IBM Security X-Force discovered Domino in the fall of 2022 and sounded the alarm when a February 2023 attack connected the new malware to ex-Conti members.
Domino Backdoor is a 64-bit dynamic-link library (DLL), comprising a previously undiscovered backdoor that can deliver further malicious payloads to infected systems.
Once executed on a machine, it determines the victim’s username and hostname, uses this information to produce a hash, and adds its own process ID.
It proceeds to decrypt its configuration block, which contains two IP addresses for its command and control (C2) server and an RSA public key.
The program then generates a random 32-byte key and encrypts it with the RSA public key from its configuration.
It then contacts its C2, using one IP address if the infected system is connected to a domain and the other if it is not, and begins to harvest and encrypt core system data.
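The key handling described above is a standard hybrid scheme: the implant carries only a public key, so whoever holds the matching private key is the only party able to recover the per-infection session key. The Go program below is an added model of that exchange for analysts, not code from the article or from IBM's report. RSA-OAEP as the wrapping mode, PKCS#7 padding and an IV-prefixed AES-256-CBC ciphertext are assumptions (the report does not state the wire format); the plaintext is a constructed sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed parameters: the report gives the key length (32 bytes) and AES-256-CBC
// for the payload, but not the RSA padding mode or the ciphertext layout.
const sessionKeyLen = 32 // 32 bytes = AES-256

func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(data, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad rejects malformed padding instead of silently truncating.
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, fmt.Errorf("invalid padded length %d", len(data))
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize {
		return nil, fmt.Errorf("invalid padding byte %d", n)
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("inconsistent padding")
		}
	}
	return data[:len(data)-n], nil
}

// ImplantSide models the infected host, which has only the public key from its
// decrypted config block. It returns the RSA-wrapped session key and the
// IV-prefixed CBC ciphertext of the harvested data.
func ImplantSide(pub *rsa.PublicKey, plaintext []byte) (wrappedKey, ciphertext []byte, err error) {
	sessionKey := make([]byte, sessionKeyLen)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err = rand.Read(iv); err != nil {
		return nil, nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	body := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(body, padded)
	return wrappedKey, append(iv, body...), nil
}

// OperatorSide models the holder of the private key: only it can unwrap the
// session key and read the data.
func OperatorSide(priv *rsa.PrivateKey, wrappedKey, ciphertext []byte) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrapping session key: %w", err)
	}
	if len(ciphertext) < 2*aes.BlockSize || len(ciphertext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not IV plus whole blocks", len(ciphertext))
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	iv, body := ciphertext[:aes.BlockSize], ciphertext[aes.BlockSize:]
	plain := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, body)
	return pkcs7Unpad(plain, aes.BlockSize)
}

// RoundTrip runs one exchange, then shows that an unrelated private key (an
// analyst who captured the traffic but not the operator's key) cannot unwrap it.
func RoundTrip(plaintext []byte) (recovered []byte, wrongKeyFails bool, err error) {
	operator, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false, err
	}
	wrapped, ct, err := ImplantSide(&operator.PublicKey, plaintext)
	if err != nil {
		return nil, false, err
	}
	if recovered, err = OperatorSide(operator, wrapped, ct); err != nil {
		return nil, false, err
	}
	analyst, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false, err
	}
	_, wrongErr := OperatorSide(analyst, wrapped, ct)
	return recovered, wrongErr != nil, nil
}

func main() {
	got, wrongFails, err := RoundTrip([]byte("victim-id|hostname|pid (constructed sample)"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\nwrong private key rejected: %v\n", got, wrongFails)
}
```

The practical consequence for responders is in the last part of RoundTrip: a packet capture of this traffic is not decryptable without the operator's private key, because the 32-byte session key is never sent in the clear. The one place it does exist is the implant's process memory, which is why memory acquisition from a live infected host matters more than network capture for recovering what was exfiltrated.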
Researchers named the payload that the C2 sends to Domino Backdoor ‘Domino Loader’, because of the similarities between the two DLLs.
In a lab environment, it was observed to have decrypted and deployed its own payload using AES-256-CBC.
Both Domino Backdoor and Domino Loader were found to share code with Lizar, a malware with connections to the FIN7 cyber crime group, and to use C2 addresses similar to others FIN7 has used for SSH-key-based backdoors.
Additionally, samples of Domino Backdoor from December 2022 were found to use the NewWorldOrder Loader, which FIN7 has previously used to load the Carbanak Backdoor malware.
Researchers also found evidence of Domino having been delivered using ‘Dave Loader’, which has primarily been used to deliver Conti in previous attacks.
Embedded tweet, April 16, 2023:
Additionally from the report, the 2 #SSH #backdoor #C2's used by #FIN7 previously also share an SSH key across 9 additional servers.
Previous FIN7: 94.158.247[.]23, 185.225.17[.]220
Looks like all have SSH running on ports 22, 80 and 443. 🧐
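The tweet above relies on a common threat-intelligence pivot: servers operated together often reuse the same SSH host key, so grouping hosts by host-key fingerprint exposes shared infrastructure. The Go program below is an added example, not code from the article, the tweet's author or IBM; it groups lines in ssh-keyscan's output format ("host keytype base64key") by OpenSSH-style SHA256 fingerprint and reports the keys seen on more than one host. The sample lines and the 192.0.2.0/24 addresses are constructed, and the program reads text only; it connects to nothing.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// Cluster is one distinct host key and every host that presented it.
type Cluster struct {
	KeyType     string
	Fingerprint string   // OpenSSH style: "SHA256:" + unpadded base64 of SHA-256(key blob)
	Hosts       []string // sorted, deduplicated
}

// sampleKeyscan builds constructed ssh-keyscan style output. Key A is reused
// by three hosts; a comment line and two malformed lines test the skipping.
func sampleKeyscan() string {
	keyA := base64.StdEncoding.EncodeToString([]byte("constructed host key A"))
	keyB := base64.StdEncoding.EncodeToString([]byte("constructed host key B"))
	keyR := base64.StdEncoding.EncodeToString([]byte("constructed rsa host key"))
	return strings.Join([]string{
		"# 192.0.2.10:22 SSH-2.0-OpenSSH_8.9",
		"192.0.2.10 ssh-ed25519 " + keyA,
		"192.0.2.11 ssh-ed25519 " + keyA,
		"192.0.2.12 ssh-ed25519 " + keyA,
		"192.0.2.12 ssh-rsa " + keyR,
		"192.0.2.20 ssh-ed25519 " + keyB,
		"192.0.2.10 ssh-ed25519 " + keyA, // duplicate line, e.g. rescanned on another port
		"malformed line",
		"192.0.2.30 ssh-rsa not!base64",
	}, "\n")
}

// fingerprint decodes the key blob and formats its SHA-256 the way ssh-keygen -lf does.
func fingerprint(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(raw)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:]), nil
}

// ClusterByHostKey groups every parsable line by (key type, fingerprint).
// It returns clusters largest first and the number of lines it could not parse.
func ClusterByHostKey(keyscan string) ([]Cluster, int) {
	type groupKey struct{ typ, fp string }
	groups := map[groupKey]map[string]bool{}
	skipped := 0
	sc := bufio.NewScanner(strings.NewReader(keyscan))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") { // ssh-keyscan banner comments
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 3 {
			skipped++
			continue
		}
		fp, err := fingerprint(fields[2])
		if err != nil {
			skipped++
			continue
		}
		k := groupKey{fields[1], fp}
		if groups[k] == nil {
			groups[k] = map[string]bool{}
		}
		groups[k][fields[0]] = true
	}
	var out []Cluster
	for k, hosts := range groups {
		c := Cluster{KeyType: k.typ, Fingerprint: k.fp}
		for h := range hosts {
			c.Hosts = append(c.Hosts, h)
		}
		sort.Strings(c.Hosts)
		out = append(out, c)
	}
	sort.Slice(out, func(i, j int) bool {
		if len(out[i].Hosts) != len(out[j].Hosts) {
			return len(out[i].Hosts) > len(out[j].Hosts)
		}
		return out[i].Fingerprint < out[j].Fingerprint
	})
	return out, skipped
}

// SharedKeyClusters keeps only keys that appear on more than one host.
func SharedKeyClusters(keyscan string) []Cluster {
	all, _ := ClusterByHostKey(keyscan)
	var shared []Cluster
	for _, c := range all {
		if len(c.Hosts) > 1 {
			shared = append(shared, c)
		}
	}
	return shared
}

func main() {
	for _, c := range SharedKeyClusters(sampleKeyscan()) {
		fmt.Printf("%s %s shared by %d hosts: %s\n", c.KeyType, c.Fingerprint, len(c.Hosts), strings.Join(c.Hosts, ", "))
	}
}
```

A shared host key is a strong link between servers because it is generated per machine at install time; seeing it on several addresses usually means a cloned image or a single operator. Treat it as a pivot to investigate rather than proof of attribution, since hosting providers that clone images also produce shared keys.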
Domino Loader can be deployed in various ways depending on the value of a byte contained inside the payload.
The payload can be written into newly allocated memory within the current process, run directly in the current process, or loaded as a .NET assembly.
It was observed to have deployed ‘Project Nemesis’ in tests, an infostealer that exfiltrates data from victims’ devices and lets attackers access it through an online control panel.
This steals browser cookies, credentials, bookmarks, history, as well as cryptowallet data and information from applications such as Steam and Discord.
Project Nemesis has been observed in the wild as far back as December 2021.
IBM’s researchers said that Domino had been used to install Nemesis in October 2022, before its use by former Conti members, leading them to speculate that FIN7 members had given the ex-Conti actors Domino and Nemesis in a package deal.
Researchers speculated that as Domino Backdoor’s C2 communication allows for different packages depending on whether a system is connected to a domain, it could be used to deliver a more capable package such as Cobalt Strike for high-priority enterprise targets.
In its blog post, IBM Security X-Force noted that the malware’s activity log is mainly written in Russian.
Who are Conti and FIN7?
Conti was one of the most notorious cyber crime groups, credited with activity such as the widespread ransomware attack on Costa Rica’s government.
In February 2022, the group fractured around its pro-Russian sentiment in the face of Russia’s invasion of Ukraine, and data from the gang was leaked online.
The apparent demise of the group led to a worldwide decline in ransomware activity in Q3 2022, but other groups such as LockBit capitalised on the gap Conti left, and former members of the group are believed to have flocked to new strains such as Black Basta.
FIN7 is tracked by IBM Security X-Force as ITG14, and has been linked to Carbanak malware attacks and groups such as ALPHV.
A joint task force arrested three FIN7 members in 2018, on allegations of targeting more than one hundred American companies with malware and stealing sensitive customer information for profit.
Sentences of ten and seven years were given to two of the men.

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.