FIN7, Former Conti Gang Members Collaborate on Domino Malware

Published: 23/11/2024   Category: security


Members of the former Conti ransomware group are using a FIN7 backdoor to deliver malware, including Cobalt Strike, to victim systems.



Former members of the Conti ransomware group are compromising systems and staging follow-on payloads using malware developed by the financially motivated FIN7 group; FIN7 has used the tool, called Domino, in its own attacks since at least last October.
The campaign is the latest example to show how different threat groups with distinct motives and techniques often work together to achieve their separate goals, and to broaden their individual operations in the cybercrime economy.
IBM Security X-Force recently observed threat actors who used to be part of the Conti group using FIN7's Domino malware to drop either the Cobalt Strike post-exploitation toolkit on domain-joined computers, or an information stealer called Project Nemesis on standalone systems.
X-Force researchers determined that the Conti threat actors (the gang disbanded in May 2022) began using Domino in February 2023, about four months after FIN7 first began using the malware in October 2022.
In the campaign the threat actors used a Conti loader called Dave to drop FIN7's Domino backdoor. The backdoor collected basic information about the host system and sent it to an external command-and-control (C2) server. The C2, in turn, returned an AES-encrypted payload to the compromised system. In many cases the encrypted payload was a second loader sharing multiple code similarities with the initial Domino backdoor. The attack chain was completed when this Domino loader installed either Cobalt Strike or the Project Nemesis infostealer on the compromised system.
"The Domino backdoor is designed to contact a different C2 address for domain-joined systems, suggesting a more capable backdoor, such as Cobalt Strike, will be downloaded on higher value targets instead of Project Nemesis," IBM Security malware reverse engineer Charlotte Hammond wrote in an analysis of the campaign.
IBM X-Force researchers first identified Domino as FIN7 malware last year after observing several code similarities between it and Lizar (aka DiceLoader or Tirion), a malware family they had previously attributed to FIN7. Domino and DiceLoader share a similar coding style and functionality, a similar configuration structure, and the same format for bot identification. X-Force researchers also found evidence linking Domino to the Carbanak banking Trojan, which researchers have likewise associated with FIN7 in the past.
The use of the malware by former Conti group members highlights the intricate nature of cooperation among cybercriminal groups and their members, Hammond said. Security analysts have noted how such collaborations can pose a significant threat to organizations and individuals because they often enable more sophisticated and successful attacks than would be possible as separate entities.
For FIN7, the new campaign continues the threat group's efforts to broaden its footprint. FIN7 surfaced in 2012 and cut its teeth stealing and selling payment-card data, an activity that earned it hundreds of millions of dollars. Over the years the group expanded into the ransomware ecosystem, and also made money by enabling ransomware attacks and malware distribution for other threat groups. After focusing mainly on retail and hospitality-sector organizations, the threat actor has broadened its target list to organizations in multiple other sectors, including defense, transportation, IT services, financial services, and utilities.
Security researchers estimate the threat actor has stolen well over $1.2 billion from victims since it first surfaced.
Researchers at Mandiant last year were able to tie FIN7 to dozens of previously unattributed threat activity clusters based on similarities in their tactics, techniques, and procedures (TTPs). Among them were at least a dozen intrusions at Mandiant customers since 2020 alone. US law enforcement authorities have tried disrupting FIN7 activities multiple times and even managed to arrest a high-level group administrator back in 2018, who was later sentenced to prison. So far, though, attempts to stop the group have failed.




