FIN7 Collaborates with Former Conti Members to Create the Domino Backdoor

FIN7 and ex-Conti members work together on new "Domino" backdoor

IBM's X-Force security division has discovered a new malware family called Domino. The malware is believed to have been created by current or former FIN7 developers. Members of the Conti/Trickbot cybergang have been using Domino since the end of February to deploy an infostealer called Project Nemesis, or more capable backdoors such as Cobalt Strike, on victim systems.

The IT researchers observed that the campaigns installing the Domino backdoor have been using the so-called Dave Loader since the end of February. That loader has been attributed to the Trickbot/Conti syndicate and its former members. Domino's code overlaps with the Lizar malware, also known as Tirion or Diceloader, which leads the researchers to suspect that it was created by current or former FIN7 developers.

Former Conti members are likely behind the recent malware campaigns that use the Dave Loader to download the Domino backdoor. This most likely reflects a collaboration with current or former FIN7 programmers, in which the Conti successors buy or use the new malware family.

The Dave Loader, recently seen together with several Cobalt Strike samples carrying a specific watermark, could be traced back to groups with ex-Conti members such as Quantum and Royal. IBM X-Force has observed Cobalt Strike samples with that same watermark, loaded by the Dave Loader, in attacks by the Royal cybergang since autumn 2022.

The ties to FIN7 are evident from code shared between the Domino backdoor and its loaders on the one hand and the Lizar malware, which is attributed to that cybergang, on the other. In addition to similarities in programming style and functionality, Domino and Diceloader share the same configuration structure and bot ID formats.

Although shared IP addresses alone are not sufficient for reliable attribution, they are consistent with these findings. FIN7 and Conti have also worked together before: according to Hammond, IT researchers observed FIN7 attacks using the Ryuk ransomware as early as 2020, and Ryuk is attributed to the Trickbot/Conti syndicate.

These tangled links offer opportunities for cybercriminals, but the findings also show how complex the tracking of cyber actors has become. Beyond the connections between the various cybercriminal groups, the blog post provides more detailed analyses of the malware samples mentioned and the associated infection indicators (Indicators of Compromise, IOCs).
