Ex-Conti Members and FIN7 Devs Team Up to Push New Domino Malware
Former members of the Conti ransomware group have collaborated with FIN7 threat actors to spread a new malware family called ‘Domino’ against corporate networks. Domino has two components: the Domino Backdoor and the Domino Loader. The backdoor drops the Domino Loader, which then injects a malicious DLL into the memory of another process to extract confidential information. IBM’s Security Intelligence team has been monitoring the use of Domino malware by former members of the Conti and TrickBot groups in attacks since February 2023. However, a recent IBM report published on Friday attributes the development of Domino malware to the FIN7 hacking group. That cybercriminal organization is connected to a range of malware types, as well as the BlackBasta and DarkSide ransomware operations.
“Since the fall of 2022, IBM researchers have been tracking attacks using a malware loader named 'Dave Loader' that is linked to former Conti ransomware and TrickBot members. This loader was seen deploying Cobalt Strike beacons that utilize a '206546002' watermark, observed in attacks by ex-Conti members in the Royal and Play ransomware operations. IBM says Dave Loader has also been seen deploying Emotet, which was used almost exclusively by the Conti ransomware operation in June 2022, and then later by the BlackBasta and Quantum ransomware gangs. However, more recently, IBM says they have seen Dave Loader installing the new Domino malware family. Most commonly, Dave Loader would drop 'Domino Backdoor,' which would then install 'Domino Loader.' Domino Backdoor is a 64-bit DLL that will enumerate system information, such as running processes, usernames, computer names, and send it back to the attacker's Command and Control server. The backdoor also receives commands to execute or further payloads to install. The backdoor was seen downloading an additional loader, Domino Loader, that installs an embedded .NET info-stealer called 'Nemesis Project.' It can also plant a Cobalt Strike beacon, for greater persistence” (Bleeping Computer, 2023).
The Domino Backdoor contacts a distinct command-and-control address when it runs on domain-joined systems. This indicates that a more capable backdoor, such as Cobalt Strike, is more likely to be downloaded onto higher-value targets, while lower-value hosts receive Project Nemesis. Project Nemesis is a commodity information stealer that collects data such as login credentials saved in browsers and applications, cryptocurrency wallets, and browsing history.
Analyst comments:
Ransomware threat actors often team up with other groups to spread malware and gain entry to corporate networks. Several groups, including TrickBot and Qbot, have a history of providing initial access to ransomware operations. The line between malware developers and ransomware gangs has become blurred, making it difficult to differentiate between the two. The Conti cybercrime syndicate took over the development of TrickBot and BazarBackdoor, and after it disbanded, its members formed smaller cells in the ransomware space. IBM linked the Domino malware family to FIN7 because of code overlap with Lizar, and because the NewWorldOrder loader, typically used in FIN7’s Carbanak attacks, was recently employed to distribute Domino. In this complicated collaboration between TrickBot/Conti and FIN7, the Dave Loader malware distributes Domino, and Domino then deploys Project Nemesis or Cobalt Strike beacons associated with ex-Conti member ransomware operations. The result is a convoluted web of threat actors, all with malware that enables remote access to networks, making it challenging for defenders to combat them.
Mitigation:
Back up your data, system images, and configurations, test the backups regularly, and keep them offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current offline backups is critical because, if your network data is encrypted by ransomware, your organization can still restore its systems.
Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system, and use a risk-based assessment strategy to drive your patch management program.
Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident.
Train employees: Email remains the most exploited attack vector for organizations. Users should be trained to spot and avoid phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.
Source:
https://www.bleepingcomputer.com/ne...fin7-devs-team-up-to-push-new-domino-malware/
https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/