Security researchers have linked a new malware, dubbed Domino Backdoor, to former members of the prolific Conti and FIN7 groups.
Domino Backdoor has been used to deploy infostealer malware using the same methodologies and code shared by the infamous groups, suggesting a dangerous new alliance.
IBM Security X-Force discovered Domino in the fall of 2022 and sounded the alarm when a February 2023 attack connected the new malware to ex-Conti members.
Domino Backdoor is a 64-bit dynamic-link library (DLL), comprising a previously undiscovered backdoor that can deliver further malicious payloads to infected systems.
Once executed on a machine, it determines the victim’s username and hostname, uses this information to produce a hash, and adds its own process ID.
It proceeds to decrypt its configuration block, which contains two IP addresses for its command and control (C2) server and an RSA public key.
It then generates a random 32-byte key, which it encrypts with the RSA public key from the configuration.
It then contacts its C2, using one IP address if the infected system is connected to a domain and the other if it is not, and begins to harvest and encrypt core system data.
Researchers named the payload that the C2 sends to Domino Backdoor ‘Domino Loader’ because of the similarities between the two DLLs.
In a lab environment, it was observed to have decrypted and deployed its own payload using AES-256-CBC.
Both Domino Backdoor and Domino Loader were found to share code with Lizar, a malware that holds connections to the FIN7 cyber crime group, and to use C2 addresses similar to those FIN7 has used for SSH-key-based backdoors.
Additionally, samples of Domino Backdoor from December 2022 were found to use the NewWorldOrder Loader, which FIN7 has previously used to load the Carbanak Backdoor malware.
Researchers also found evidence of Domino having been delivered using ‘Dave Loader’ which has primarily been used to deliver Conti in previous attacks.
From an embedded tweet dated April 16, 2023:

“Additionally from the report, the 2️⃣ #SSH #backdoor #C2's used by #FIN7 previously also share an SSH key across 9️⃣ additional servers. Previous FIN7: 94.158.247[.]23, 185.225.17[.]220. Looks like all have SSH running on ports 22, 80 and 443. 🧐”
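The two defanged C2 addresses and the ports-22/80/443 observation in the quoted tweet are the kind of indicators a defender turns into a log check. The following is an added example, not code from the article or from IBM X-Force: it refangs the published indicators, parses a constructed Zeek-conn-style log (the tab-separated columns ts, src_ip, dst_ip, dst_port, service are an assumption of this example, and every 10.0.0.x source and 198.51.100.x/203.0.113.x destination is made up), and flags both connections to the listed addresses and the more general anomaly of an SSH service answering on a web port.

```python
"""Flag outbound connections matching the FIN7 SSH C2 indicators quoted above.

Assumptions (not from the original article): the log format is a
constructed, Zeek-conn-style tab-separated line with the columns
ts, src_ip, dst_ip, dst_port, service. Only the two indicator IPs and
the note that SSH listens on 22, 80 and 443 come from the quoted tweet;
the sample log lines below are constructed for this example.
"""
from dataclasses import dataclass

# Indicator IPs as published (defanged with [.] so they are not clickable).
FIN7_C2_DEFANGED = ["94.158.247[.]23", "185.225.17[.]220"]

# Ports the tweet says expose SSH on those hosts.
SSH_C2_PORTS = {22, 80, 443}

# Ports where an SSH service is unexpected and worth a look on any host.
WEB_PORTS = {80, 443}


def refang(ioc: str) -> str:
    """Turn a defanged indicator (1.2.3[.]4, hxxp://) back into its real form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


FIN7_C2 = {refang(ip) for ip in FIN7_C2_DEFANGED}


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst: str
    port: int
    reason: str


def parse_conn_line(line: str):
    """Parse one constructed conn-log line; return None for comment or blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    ts, src, dst, port, service = line.split("\t")
    return ts, src, dst, int(port), service


def scan_conn_log(lines):
    """Return a Hit for every line that matches an indicator or the SSH-on-web-port heuristic."""
    hits = []
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None:
            continue
        ts, src, dst, port, service = rec
        if dst in FIN7_C2 and port in SSH_C2_PORTS:
            hits.append(Hit(ts, src, dst, port, "known FIN7 SSH C2 address"))
        elif service == "ssh" and port in WEB_PORTS:
            hits.append(Hit(ts, src, dst, port, "SSH service on a web port"))
    return hits


# Constructed sample log: sources and the non-indicator destinations are made up
# (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
SAMPLE_LOG = """\
#fields ts\tsrc_ip\tdst_ip\tdst_port\tservice
1681600001.1\t10.0.0.15\t198.51.100.7\t443\tssl
1681600002.2\t10.0.0.15\t94.158.247.23\t443\tssh
1681600003.3\t10.0.0.22\t185.225.17.220\t22\tssh
1681600004.4\t10.0.0.22\t203.0.113.9\t80\tssh
1681600005.5\t10.0.0.31\t203.0.113.9\t22\tssh
"""

if __name__ == "__main__":
    for h in scan_conn_log(SAMPLE_LOG.splitlines()):
        print(f"{h.ts} {h.src} -> {h.dst}:{h.port}  [{h.reason}]")
```

The indicator match is the narrow, high-confidence rule; the SSH-on-80/443 heuristic is broader and will also catch legitimate admin setups, so it is better treated as a triage signal than an alert on its own.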
Domino Loader can be deployed in various ways depending on the value of a byte contained inside the payload.
The payload can be placed into memory allocated within the process in which it runs, run directly in the current process, or loaded as a .NET assembly.
It was observed to have deployed ‘Project Nemesis’ in tests, an infostealer that exfiltrates data from victims’ devices and lets attackers access it through an online control panel.
It steals browser cookies, credentials, bookmarks and history, as well as cryptocurrency wallet data and information from applications such as Steam and Discord.
Project Nemesis has been observed in the wild as far back as December 2021.
IBM’s researchers said that Domino had been used to install Nemesis in October 2022, before its use by former Conti members, leading them to speculate that FIN7 members had given the ex-Conti actors Domino and Nemesis in a package deal.
Researchers speculated that, because Domino Backdoor’s C2 communication allows different packages to be delivered depending on whether a system is connected to a domain, it could be used to deliver a more capable package such as Cobalt Strike to high-priority enterprise targets.
In its blog post, IBM Security X-Force noted that the malware’s activity log is mainly written in Russian.
Who are Conti and FIN7?
Conti was one of the most notorious cyber crime groups, credited with activity such as the widespread ransomware attack on Costa Rica’s government.
In February 2022, the group fractured around its pro-Russian sentiment in the face of Russia’s invasion of Ukraine, and data from the gang was leaked online.
The apparent demise of the group led to a worldwide decline in ransomware activity in Q3 2022, but other groups such as LockBit capitalised on the gap Conti left, and former members of the group are believed to have flocked to new strains such as Black Basta.
FIN7 is tracked by IBM Security X-Force as ITG14, and has been linked to Carbanak malware attacks and groups such as ALPHV.
A joint task force arrested three FIN7 members in 2018, on allegations of targeting more than one hundred American companies with malware and stealing sensitive customer information for profit.
Sentences of ten and seven years were given to two of the men.
Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.