A new malware family, called Domino, has been observed since late February in attacks that deliver either information stealers or backdoors such as Cobalt Strike.
Researchers with IBM Security's X-Force team believe the malware is being deployed by former members of the Conti ransomware group but was developed by the FIN7 cybercriminal gang, indicating “at least some level of collaboration between the two groups.” Because their intel was derived from analyzing malware samples, the researchers said they have no additional information on the targeting or victimology of related campaigns. They do know, however, that Domino has been loaded by the Dave loader (previously used by the Conti group) and has been used to deliver final payloads such as the Project Nemesis infostealer, which was first advertised on the dark web in 2021.
“Recently observed Dave samples were discovered loading a new malware, which we have named Domino Backdoor,” said Charlotte Hammond and Ole Villadsen, researchers with IBM Security X-Force, in a Friday analysis. “This new backdoor gathers basic system information, which it then sends to the C2, and in return receives an AES encrypted payload.”
While the Domino malware has been active in the wild since at least October, it was in February that researchers first observed the Dave loader delivering the Domino backdoor, which points to an association with former members of the Conti and TrickBot syndicate. Conti shut down its operations last year, but many of the syndicate’s tools, including the Dave loader, have continued to be maintained and used by former members. The Dave loader has previously been observed in a number of campaigns deploying IcedID and Emotet, for instance.
Researchers believe the malware was created by developers associated with the FIN7 cybercriminal group, which is known for using software supply chain compromise and stolen credentials to launch data theft extortion or ransomware attacks. This attribution rests in part on Domino’s similarities to the Lizar malware family, FIN7’s reconnaissance toolset, which contains several components including a loader and a number of modules and plugins. In addition to code overlaps, Domino uses similar API calls, generates system IDs in a similar manner and has the same loader configuration structure as Lizar. The Domino backdoor also incorporates elements that appear in some of the plugins used by Lizar, said researchers.
After the Domino backdoor is deployed, it executes a second loader payload that contains an encrypted .NET binary. That encrypted payload is a .NET infostealer called Project Nemesis, which collects data from the browsers and applications on the target device. In some cases the operators appear to reserve a different second stage for more valuable hosts: “the Domino Backdoor is designed to contact a different C2 address for domain-joined systems, suggesting a more capable backdoor, such as Cobalt Strike, will be downloaded on higher value targets instead of Project Nemesis,” said researchers.
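The split between a C2 for domain-joined hosts and a different one for everything else is also something a defender can hunt for. The following is an added example, not code from IBM X-Force or from the Domino samples: it takes endpoint telemetry of the form (hostname, domain-joined flag, outbound destination), which is constructed here with RFC 5737 documentation addresses rather than real indicators, and surfaces rare destinations that are reached exclusively by one population. A destination contacted only from a handful of domain-joined machines, and never from workgroup machines, is exactly the pattern the researchers describe; an allowlist of expected domain-only traffic (directory servers and similar) keeps the obvious false positives out. The allowlist suffix and the prevalence threshold are assumptions chosen for this illustration.

```python
from collections import defaultdict

# Constructed sample telemetry for illustration: (hostname, domain_joined, destination).
# Addresses come from RFC 5737 documentation ranges; none of these are real indicators.
SAMPLE_EVENTS = [
    ("WS-01", True,  "203.0.113.10:443"),         # reached only by domain-joined hosts
    ("WS-02", True,  "203.0.113.10:443"),
    ("WS-03", False, "198.51.100.7:443"),         # reached only by workgroup hosts
    ("WS-04", False, "198.51.100.7:443"),
    ("WS-01", True,  "cdn.example.net:443"),      # shared by both populations: benign-looking
    ("WS-02", True,  "cdn.example.net:443"),
    ("WS-03", False, "cdn.example.net:443"),
    ("WS-04", False, "cdn.example.net:443"),
    ("DC-01", True,  "dc-01.corp.example:389"),   # domain-only but expected; removed by the allowlist
]

# Assumed allowlist of expected domain-only destinations (LDAP to the internal domain here).
ALLOWLIST_SUFFIXES = (".corp.example:389",)


def hosts_by_destination(events):
    """Group the hosts that contacted each destination, split by domain membership."""
    table = defaultdict(lambda: {"domain": set(), "workgroup": set()})
    for host, joined, dest in events:
        table[dest]["domain" if joined else "workgroup"].add(host)
    return table


def exclusive_destinations(events, max_hosts=3, allowlist=ALLOWLIST_SUFFIXES):
    """Return rare destinations reached exclusively by one host population.

    A destination qualifies as "domain_only" when only domain-joined hosts reached it,
    as "workgroup_only" when only non-domain hosts reached it, and in either case only
    when at most max_hosts distinct hosts contacted it (the prevalence filter).
    Destinations matching an allowlisted suffix are ignored.
    """
    table = hosts_by_destination(events)
    out = {"domain_only": [], "workgroup_only": []}
    for dest, pops in table.items():
        if dest.endswith(allowlist):
            continue
        domain, workgroup = pops["domain"], pops["workgroup"]
        if domain and not workgroup and len(domain) <= max_hosts:
            out["domain_only"].append(dest)
        elif workgroup and not domain and len(workgroup) <= max_hosts:
            out["workgroup_only"].append(dest)
    for bucket in out:
        out[bucket].sort()
    return out


if __name__ == "__main__":
    for bucket, dests in exclusive_destinations(SAMPLE_EVENTS).items():
        print(f"{bucket}: {dests}")
```

The heuristic is deliberately simple: it does not know anything about Domino's protocol, only that a loader which chooses its C2 by domain membership will leave two disjoint sets of destinations behind. On real telemetry the prevalence threshold and allowlist need tuning, and the hits are a starting point for triage (what process made the connection, whether the host also ran a .NET payload afterward), not an alert on their own.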
The analysis is another example of the intertwined relationships between cybercriminal groups and their members. As the threat landscape becomes more fluid, with threat actors partnering with one another, shutting down or rebranding, relying on affiliate models and branching out into malware-as-a-service offerings, attribution and tracking become more complicated for security researchers.
“The use of malware with ties to multiple groups in a single campaign — such as Dave Loader, Domino Backdoor and Project Nemesis Infostealer — highlights the complexity involved in tracking threat actors but also provides insight into how and with whom they operate,” said researchers.