Former Conti Ransomware Gang Members Now Using Domino Malware

Former members of the TrickBot/Conti syndicate appear to have been teaming up with FIN7 of late. IBM Security X-Force has observed them using the Domino backdoor to deliver either the Project Nemesis information stealer or more capable follow-on payloads such as Cobalt Strike.

FIN7, also tracked as Carbanak and ITG14, is a prolific Russian-speaking cybercriminal syndicate known for an array of custom malware used to stage additional payloads and broaden its monetization methods. Recent analyses by Google-owned Mandiant, SentinelOne, and PRODAFT have described the group as a precursor to Maze and Ryuk ransomware attacks and have exposed its connections to the Black Basta, DarkSide, REvil, and LockBit families.

The latest intrusion wave, spotted by IBM Security X-Force two months ago, uses Dave Loader, a crypter previously attributed to the Conti group (aka Gold Blackburn, ITG23, or Wizard Spider), to deploy the Domino backdoor. Domino is primarily designed to facilitate follow-on exploitation of compromised systems, including delivery of a lesser-known information stealer that has been advertised for sale on the dark web since December 2021.

The pairing marks a notable shift in tactics: a Conti-attributed crypter delivering a backdoor seen in FIN7-linked activity indicates that former Conti operators are now working with, or have access to tooling from, a group they were not previously associated with. It is also a reminder that attribution based on a single loader or crypter is unreliable when tooling is shared across crews. How this collaboration develops, and what other tactics the operators adopt, remains to be seen.