"New Domino Backdoor Malware Linked to Ex-Conti, FIN7 Criminals"

Domino Backdoor is a new malware that security researchers have linked to former members of the prolific Conti and FIN7 groups. It has been used to deliver information-stealing malware and reuses the same techniques and source code as those groups, indicating the formation of a new and dangerous alliance. IBM Security X-Force first found Domino in the fall of 2022 and raised the alarm when an attack in February 2023 linked the new malware to former members of Conti.

Domino Backdoor is a 64-bit Dynamic-Link Library (DLL) containing a previously undiscovered backdoor capable of delivering additional malicious payloads to infected systems. Once executed on a system, the malware determines the victim's username and hostname, uses this information to generate a hash, and then appends its own process ID. It then decrypts its configuration block, which contains two IP addresses for its command-and-control (C2) server and an RSA public key. The program next generates a random 32-byte key and encrypts it with the RSA public key. It then contacts its C2, using one IP address if the infected system is joined to a domain and the other if it is not, and begins to harvest and encrypt core system data. In a lab environment it was observed decrypting and deploying its own payload using AES-256-CBC.

Domino Backdoor and Domino Loader were found to share code with Lizar, a malware with ties to the FIN7 cybercrime group, and to use C2 addresses similar to those FIN7 employed for its SSH-key-based backdoors. In addition, Domino Backdoor samples from December 2022 were found to use the NewWorldOrder Loader, which FIN7 previously employed to install the Carbanak Backdoor malware. This article continues to discuss the new Domino Backdoor malware.

ITPro reports "New Domino Backdoor Malware Linked to Ex-Conti, FIN7 Criminals"
