Ex-Conti members and FIN7 devs team up to push new Domino malware

Ex-Conti ransomware members have teamed up with the FIN7 threat actors to distribute a new malware family named 'Domino' in attacks on corporate networks.

Domino is a relatively new malware family consisting of two components, a backdoor named 'Domino Backdoor,' which in turn drops a 'Domino Loader' that injects an info-stealing malware DLL into the memory of another process.

IBM's Security Intelligence researchers have been tracking ex-Conti and TrickBot members utilizing the new malware in attacks since February 2023.

However, a new IBM report released Friday links the actual development of the Domino malware to the FIN7 hacking group — a cybercriminal outfit linked to a variety of malware, and the BlackBasta and DarkSide ransomware operations.

It should be noted that this new malware is unrelated to the HCL Domino (formerly IBM Domino) product.

The Domino Malware attacks

Since the fall of 2022, IBM researchers have been tracking attacks using a malware loader named 'Dave Loader' that is linked to former Conti ransomware and TrickBot members.

This loader was seen deploying Cobalt Strike beacons that utilize a '206546002' watermark, observed in attacks from by ex-Conti members in the Royal and Play ransomware operations.

IBM says Dave Loader has also been seen deploying Emotet, which was used almost exclusively by the Conti ransomware operation in June 2022, and then later by the BlackBasta and Quantum ransomware gangs.

However, more recently, IBM says they have seen Dave Loader installing the new Domino malware family.

Most commonly, Dave Loader would drop 'Domino Backdoor,' which would then install 'Domino Loader.'

Domino Backdoor is a 64-bit DLL that will enumerate system information, such as running processes, usernames, computer names, and send it back to the attacker's Command and Control server. The backdoor also receives commands to execute or further payloads to install.

The backdoor was seen downloading an additional loader, Domino Loader, that installs an embedded .NET info-stealer called 'Nemesis Project.' It can also plant a Cobalt Strike beacon, for greater persistence.

"The Domino Backdoor is designed to contact a different C2 address for domain-joined systems, suggesting a more capable backdoor, such as Cobalt Strike, will be downloaded on higher value targets instead of Project Nemesis," explains the IBM researchers Charlotte Hammond and Ole Villadsen.

Project Nemesis is a standard information-stealing malware that can collect credentials stored in browsers and applications, cryptocurrency wallets, and browser history.

Ex-Conti members team up with FIN7

Threat actors, especially those who utilize ransomware, commonly partner with other threat groups to distribute malware and for initial access to corporate networks.

For example, TrickBot, Emotet, BazarBackdoor, and QBot (QakBot) have a long history of providing initial access to ransomware operations, such as REvil, Maze, Egregor, BlackBasta, Ryuk, and Conti.

Over time, the lines between the malware developers and the ransomware gangs have grown murky, making distinguishing between the two operations hard.

With the formation of the Conti cybercrime syndicate, these lines faded even more as the ransomware operation assumed control of both TrickBot and BazarBackdoor's development for their own operations.

Furthermore, after Conti shut down, the ransomware operation splintered into smaller cells, with members moving all over the ransomware space, including Royal, Play, Quantum/Zeon/Dagon, BlackBasta, LockBit, and more.

IBM has attributed the Domino malware family to FIN7 due to a great deal of code overlap with Lizar (aka Tirion and DiceLoader), a post-exploitation toolkit associated with FIN7.

Furthermore, IBM found that a loader named 'NewWorldOrder,' normally used in FIN7's Carbanak attacks, was recently used to push the Domino malware.

So, in a confusing joint venture, we have Dave Loader (TrickBot/Conti) pushing the Domino (FIN7) malware, which in turn deploys Project Nemesis or Cobalt Strike beacons believed to be associated with ex-Conti member ransomware activity.

This means that defenders have to deal with a confusing web of threat actors, all with malware allowing remote access to networks.