Former members of the Conti ransomware group are compromising systems for follow-on attacks using malware that the financially motivated FIN7 group developed; FIN7 has used the "Domino" tool in its own attacks since at least last October.
The campaign is the latest example showing how different threat groups with distinct motives and methods often work together to achieve their separate goals, and to expand their individual operations within the cybercrime economy.
A Domino Effect
IBM Security X-Force recently observed threat actors who used to be part of the Conti group using FIN7's Domino malware to drop either the Cobalt Strike post-exploitation toolkit on domain-joined computers, or an information stealer called "Project Nemesis" on individual systems.
X-Force researchers determined that the Conti threat actors (the gang disbanded last May) began using Domino in February, about four months after FIN7 first started using the malware last October.
In the campaign the threat actors used a Conti loader called "Dave" to drop FIN7's Domino backdoor. The backdoor collected basic information about the host system and sent it to an external command-and-control (C2) server. The C2, in turn, returned an AES-encrypted payload to the compromised system. In many cases the encrypted payload was another loader with multiple code similarities to the initial Domino backdoor. The attack chain was completed when the Domino loader installed either Cobalt Strike or the Project Nemesis infostealer on the compromised system.
"The Domino backdoor is designed to contact a different C2 address for domain-joined systems, suggesting a more capable backdoor, such as Cobalt Strike, will be downloaded on higher value targets instead of Project Nemesis," IBM Security malware reverse engineer Charlotte Hammond wrote in an analysis of the campaign.
IBM X-Force researchers first identified Domino as FIN7 malware last year after observing multiple code similarities between it and Lizar (aka DiceLoader or Tirion), a malware family that they had previously attributed to FIN7. Both Domino and DiceLoader have similar coding styles and functionality, a similar configuration structure, and use the same formats for bot identification. X-Force researchers also found evidence linking Domino to the Carbanak banking Trojan, which researchers have also previously associated with FIN7.
Intricate Nature of Cooperation
The use of the malware by former Conti group members "highlights the intricate nature of cooperation among cybercriminal groups and their members," Hammond said. Security analysts have noted that such collaborations can pose a significant threat to organizations and individuals because they often enable more sophisticated and successful attacks than would be possible for the groups operating as separate entities.
For FIN7, the new campaign continues the threat group's efforts to expand its footprint. FIN7 surfaced in 2012 and cut its teeth stealing and selling payment-card data, an activity that earned it hundreds of millions of dollars. Over time the group expanded into the ransomware ecosystem, and also made money by enabling ransomware attacks and malware distribution for other threat groups. After focusing primarily on retail and hospitality-sector organizations, the threat actor has broadened its target list to organizations in several other sectors, including defense, transportation, IT servers, financial services, and utilities.
Security researchers estimate the threat actor has stolen well over $1.2 billion from victims since it first surfaced.
Researchers at Mandiant last year were able to tie FIN7 to dozens of previously unattributed threat activity clusters based on similarities in the tactics, techniques, and procedures (TTPs) between them. Among them were at least one dozen intrusions at Mandiant customer locations since 2020 alone. US law enforcement authorities have tried to disrupt FIN7 activities several times and even managed to send a high-level group admin to jail back in 2018. So far, though, attempts to stop the group have failed.