Fin7 and ex-Conti members team up for the new Domino backdoor

May 4, 2023

A couple of months ago, researchers observed a new malware family, the Domino backdoor, used in an attack campaign with ties to former members of the Conti/TrickBot threat group. Recent reports also connect the malware to the FIN7 APT group, and it has been used to deliver either Cobalt Strike or the Project Nemesis infostealer.

Moreover, ITG23 (the tracking name for the TrickBot/Conti cybercriminal gang) has also employed its Dave Loader to load the Domino malware in its operations.

According to the investigation, the threat actors developed the new Domino backdoor in Visual C++ to harvest basic system information and exfiltrate it to an attacker-controlled command-and-control (C2) server.

In some cases, the Domino backdoor in turn retrieved a second-stage component, the Domino Loader, after the first-stage compromise. The loader carries an encrypted payload, the Project Nemesis infostealer, in its resource section and decrypts it for the final phase of the operation.

The malware has been active in the wild since at least October 2022 and shares several traits with the Lizar (aka Tirion or DiceLoader) malware associated with FIN7: the Domino backdoor and loader resemble Lizar in their structure, coding style, and bot ID format. A researcher also found evidence linking the Domino backdoor to FIN7's Carbanak malware.

Upon execution, Domino generates a bot ID for the compromised system by collecting the username and hostname of the target and hashing the gathered data. This identifier lets the operators track each infected host individually.

Project Nemesis is a commodity infostealer written in .NET. Beyond basic system data, it can harvest information stored by Chromium-based browsers, including credentials, cookies, bookmarks, history, autofill data, and credit card details.

The reuse of one malware family across campaigns run by different crews shows how closely established cybercriminal organisations and their former members remain connected. It also illustrates how difficult tracking and attributing threat actors has become.

Organisations and security teams should maintain a threat intelligence capability that can recognise the nature and scope of such campaigns, alongside anti-malware tooling that surfaces new backdoors early enough for researchers to investigate them.
