Novel Domino malware from FIN7, ex-Conti members emerges

Attacks with the novel Domino malware developed by the FIN7 hacking group and former members of the now-defunct Conti ransomware operation have been targeting corporate networks since February, BleepingComputer reports. IBM researchers discovered that the Domino malware family has been distributed using the "Dave Loader" malware loader previously used for Emotet deployment. Such a loader would drop the "Domino Backdoor," which would then prompt the installation of the "Domino Loader" that would then plant the .NET information stealer "Nemesis Project" and a Cobalt Strike beacon. "The Domino Backdoor is designed to contact a different C2 address for domain-joined systems, suggesting a more capable backdoor, such as Cobalt Strike, will be downloaded on higher value targets instead of Project Nemesis," said IBM researchers Charlotte Hammond and Ole Villadsen. Significant overlaps between Domino and the Lizar post-exploitation toolkit, also known as Tirion and DiceLoader, have prompted the new malware's attribution to FIN7. Domino malware was also found to have been deployed through the "NewWorldOrder" loader also used in FIN7 attacks.