There’s a new ransomware gang in town, stitched together from members of well known threat creators to push a new kind of malware focused on punishing unwary organisations. The malware family, called “Domino”, is the brainchild of FIN7 and ex-Conti ransomware members.
Domino has been seen in attacks since at least February 2023 according to researchers at IBM Security Intelligence. Domino is being used to further the spread of backdoors like Cobalt Strike and information stealers such as Project nemesis.
This specific group has previously been seen making use of a malware loader called “Dave Loader”, serving up a variety of well known files like IcedID (a modular banking trojan) and the infamous Emotet. The latter, another banking trojan which branched out into delivering additional malware files, was most recently seen in an IRS themed spam campaign. As the IBM researchers note, both of these are often used as a starting point for ransomware attacks.
Recently, the Dave Loader attacks have been observed including what has now come to be known as Domino files, and the Domino Backdoor in particular. Along with gathering “basic system information”, it receives an encrypted payload once the initial system data has been sent to the command and control center.
The file placed on the target PC was found to be similar enough to the original Domino Backdoor that it’s been named the Domino Loader. This Loader drops a payload called Nemesis Project, a .NET infostealer.
This “project” stealer has been around for a couple of years now, and tries to grab data from numerous browsers and applications including gaming platforms, VPNs, and cryptocurrency wallets. The researchers note that the stealer in question was originally advertised on forums with a sale price of $1,300 and in terms of data theft, the author of the file has this to say:
- Collection of data from Chromium browsers (passwords, cookies, bookmarks, history)
- Collection of data from Gecko browsers (cookies, passwords, history)
- Grabbing links from the desktop
- Collection of system information in HTML format
- Telegram sessions
- Collection of Discord tokens
It can also be set to block startup inside of a virtual machine (often used to test malware files), lock the startup if found to be running in a CIS country, and self-delete after sending the stolen data. Alongside all of this, Nemesis comes with a control panel, operated online, where the data can be accessed. All in all, it’s not something you’d want lurking on your network.
Bleeping Computer highlights that many ransomware groups and malware authors often work together, as it’s frequently an easier way to get a head start on compromising a network. The constant mashing up of files and intrusion tactics makes it harder for organisations to get to grips with the latest wave of attacks and also keeps security researchers on their toes. This current campaign is, sadly, no different.
Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
