Heimdal
article featured image

Contents:

Researchers recently discovered a new malware family named “Domino”, allegedly created by ITG14, also known as the FIN7 threat group. Reportedly, ex-Conti hackers have been using it since at least February 2023 to spread Project Nemesis info stealer or Cobalt Strike. Due to massive code overlap with the Lizar post-exploitation toolkit, researchers also attributed the new Domino malware to FIN7.

According to cybersecurity experts, hackers have been using the ”Dave Loader” malware loader for their attacks since the end of 2022.

Domino Malware Attacks Explained

The Domino malware family has two components, a backdoor and the loader that injects an info-stealing malware DLL into the memory of another process.

The loader is linked to ex-TrickBot and ex-Conti ransomware members and was seen deploying Cobalt Strike beacons that utilize a ‘206546002’ watermark. The same watermark was previously seen in the Royal and Play ransomware operations.

Previously, the Dave Loader also deployed Emotet, used in the Conti ransomware operation in June 2022, and by the BlackBasta and Quantum ransomware gangs.

Here are the steps of action that follow accessing a malicious link – phishing, malvertising, etc.:

  • Dave Loader drops Domino Backdoor, which is a 64-bit DLL that will enumerate system information. The data about running processes, usernames, and computer names is sent further to the attacker’s command-and-control server. Domino Backdoor also receives commands to execute or payloads to install.
  • Domino Backdoor installs Domino Loader. Then the loader installs Nemesis Project, an embedded .NET info-stealer that can collect credentials stored in browsers and apps, cryptocurrency wallets, and browser history. To enhance persistence, Domino Loader can also plant a Cobalt Strike beacon.

Source

Researchers also found that another loader named ”NewWorldOrder” is used to deploy the Domino malware. The loader was frequently observed in FIN7’s Carbanak attacks.

Source

How to Keep Safe from Domino Malware

Just like roughly 91% of online threats, Domino Malware also leverages DNS security gaps to breach corporate systems. The malware is reportedly deployed on previously compromised endpoints and uses DNS to send stolen data to its C&C server.

In this case, DNS filtering, which blocks any malicious domains spotted, can prevent threat actors from entering a system. If hackers use new domains, that are not known to be malicious yet, for their attack, predictive DNS technology is the only solution that can keep a company`s endpoints safe.

And if you liked this article, follow us on LinkedInTwitterFacebook, and YouTube for more cybersecurity news and topics.

Heimdal Official Logo
Antivirus is no longer enough to keep an organization’s systems secure.

Heimdal® DNS Security Solution

Is our next gen proactive DNS-Layer security that stops unknown threats before they reach your endpoints.
  • Machine learning powered scans for all incoming online traffic;
  • Stops data breaches before sensitive info can be exposed to the outside;
  • Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
  • Protection against data leakage, APTs, ransomware and exploits;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.
Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE