Researchers found that former members of the Conti ransomware group are using Domino, a tool developed by the FIN7 group, in their attacks.
Domino malware is used to drop either the Cobalt Strike post-exploitation toolkit on domain-joined computers or an information stealer called “Project Nemesis” on individual systems.
In this campaign, threat actors used a Conti loader known as Dave to drop FIN7’s Domino backdoor. The backdoor collects basic information about the host system and sends it to the C2.
The C2, in turn, returned an AES-encrypted payload to the compromised system. The encrypted payload was another loader with multiple code similarities to the initial Domino backdoor. The attack chain was completed when the Domino loader installed either Cobalt Strike or the Project Nemesis infostealer on the compromised system.
Researchers identified Domino as FIN7 malware last year after observing several code similarities between it and DiceLoader, a malware family they had previously attributed to FIN7. Domino and DiceLoader share a similar coding style and functionality, a similar configuration structure, and the same formats for bot identification. There is also evidence linking Domino to the Carbanak banking Trojan, which has previously been associated with FIN7.
The use of the malware by former Conti group members highlights the intricate nature of cooperation among cybercriminal groups and their members.
The new campaign continues FIN7’s efforts to broaden its footprint. FIN7 first surfaced stealing and selling payment-card data. Later, the group became involved in ransomware attacks and in distributing malware for other threat groups. After focusing mainly on retail and hospitality-sector organizations, the threat actor has broadened its target list to organizations in multiple other sectors, including defense, transportation, IT services, financial services, and utilities.
This research was documented by researchers from IBM X-Force.