IBM Security Intelligence experts have reported that former members of the Conti ransomware group have joined forces with representatives of FIN7 to spread a new malware family called Domino. The malware consists of two components: the Domino backdoor and Domino Loader. Both are written in Visual C++, and the loader injects a DLL into the memory of another process; that injected DLL is designed to steal information. Since the fall of 2022, IBM researchers have been tracking attacks using Dave Loader, which is associated with former Conti and TrickBot members. Recently, it was discovered that Dave Loader had begun distributing the new Domino family, typically starting with the backdoor, which then installs Domino Loader.
The Domino backdoor is a DLL that collects system information (running processes, usernames, computer names) and sends it to the attackers’ command-and-control server. It also receives commands from its operators and additional payloads to install. The backdoor downloads Domino Loader, which installs a data-stealing .NET malware called Project Nemesis. It can also install Cobalt Strike beacons to establish persistence on the system.
Project Nemesis is a typical information stealer that can steal credentials stored in browsers and applications, cryptocurrency wallets, and browser history. Experts attribute the Domino family to the FIN7 group because of noticeable code similarities with the Lizar post-exploitation toolkit (also known as Tirion and DiceLoader). In addition, IBM discovered that the NewWorldOrder loader, commonly used in FIN7 Carbanak attacks, was recently used to spread Domino.
The resulting chain is that Dave Loader (associated with TrickBot/Conti) distributes Domino malware (associated with FIN7), which in turn deploys Project Nemesis or Cobalt Strike beacons on victims’ systems. This activity is attributed to former Conti ransomware operators.
The researchers note that the boundaries between malware developers and ransomware groups have become so blurred that it is increasingly difficult to distinguish between them and to attribute specific campaigns.