Domino Malware Detection: Ex-Conti and FIN7 Threat Actors Collaborate to Spread a New Backdoor

Cybersecurity researchers have uncovered a new malware family called Domino attributed to the adversary activity of the financially motivated russia-backed FIN7 APT group. Cyber defenders also link the use of Domino with another former hacking group known as Trickbot aka Conti, which has been applied in the malicious campaign by the latter threat actors since at least February 2023 to spread the Project Nemesis info-stealing malware or even more advanced backdoors like CobaltStrike.

Detecting Domino Attacks

Financially-motivated threat actors frequently cooperate with other hacking collectives to increase their gains by leveraging additional malware distribution channels. The most recent inquiry reveals the partnership between Conti and FIN7 groups to deliver Domino backdoor and proceed with Project Nemesis infostealer infection. To detect the malicious activity tied with the latest Domino malware operations, SOC Prime Platform provides a curated Sigma rule by our keen Threat Bounty developer Mise:

Possible FIN7 Threat Group [Ex-Conti] Campaign with Domino Backdoor by Detecting Associated Files (via file_event)

This rule detects suspicious .dll and .exe files associated with the newly detected Domino Backdoor in the FIN7 campaign. The detection is compatible with 21 SIEM, EDR, XDR, and BDP solutions and aligned with the MITRE ATT&CK framework v12, addressing the Execution tactic with User Execution (T1204) as the corresponding technique. 

Cybersecurity enthusiasts seeking a way to monetize their threat hunting and detection engineering skills are welcome to join SOC Prime Threat Bounty Program for cyber defenders. Share your own Sigma rules, get them verified and published to SOC Prime’s Platform, and receive recurring payouts for your contribution.  

Due to the constantly increasing amount of financially-motivated attacks, organizations are looking for a reliable source of detection content to proactively detect possible intrusions. By clicking the Explore Detections button below, defenders can immediately reach the entire list of Sigma rules helping to identify the malicious activity associated with the Conti group. All detection algorithms are enriched with CTI, ATT&CK links, executable binaries, and more relevant metadata for simplified threat investigation. 

Explore Detections

Analysis of the Domino Backdoor Linked to FIN7 & Ex-Conti Groups

A novel malware dubbed Domino backdoor and attributed to the notorious FIN7 hacking collective has also been leveraged by the ex-members of the Conti ransomware gang, which points to the collaboration between these two russia-linked offensive forces. 

The new malware collects basic system information, sends data to the C2 server, and delivers other payloads on the compromised systems, including infostealers used for data exfiltration. The backdoor has been in the spotlight in the cyber threat arena since at least mid-fall 2022. Domino’s code, including the configuration structure, bot ID formats, and key capabilities, has a lot in common with Lizar (aka Tirion or DICELOADER malware), which was also earlier linked to the FIN7 hacking collective. 

According to the IBM Security X-Force researchers, Lizar malware was later replaced by Domino, which held a leading position in the latest cyber attacks. Since late winter 2023, threat actors have been loading the Domino backdoor using Dave Loader, attributed to the Trickbot, aka Conti group, and its former affiliates. Dave Loader was observed earlier in malicious campaigns as a means to load other malware samples, like IcedID and Emotet, and served as initial access vectors for ransomware operations by ex-Conti members. In addition, the Project Nemesis info-stealing malware, which is considered one Domino’s final payloads, has been actively advertised on hacking forums for over two years. 

Domino backdoor is a 64-bit DLL developed in Visual C++ programming language. Once executed, the malware spreads infection by creating a Bot ID for the compromised system by retrieving the username and hostname and generating a hash of the received data, to which the backdoor further appends its current process ID. Afterward, the malware decrypts the configuration block via XOR and creates a random 32-byte key, which is encrypted via the RSA key. Upon successfully connecting to the C2 server, Domino backdoor further attempts to collect the basic system data, encrypt it, and send it to the remote server. As a result, the malware expects to receive from C2 the decrypted payload, which it further decrypts, loads, and executes to spread the infection further. 

Growing volumes and sophistication of the financially-motivated attacks require ultra-responsiveness from cyber defenders. Rely on SOC Prime to be fully equipped with detection content addressing the latest malware threats. Learn more about new and emerging threats at  https://socprime.com/ and reach those tailored to the threat profile of your organization with On Demand subscription at https://my.socprime.com/pricing.