Ex-Conti and FIN7 Cybercrime Gangs Unite to Launch Domino Malware

  • Written by Ari Denial, Cybersecurity & Tech Writer

In what appears to be a coordinated effort between the FIN7 and Ex-Conti cybercrime gangs, a newly developed malware strain called “Domino” has emerged.

This collaboration suggests that the two groups have joined forces, with former members of the now-defunct Conti ransomware gang using the malware. Domino’s primary purpose is to aid in the subsequent exploitation of compromised systems, and it includes an information stealer that has been available for purchase on the dark web since December 2021 but has not been widely known.

According to a recently released IBM report, the FIN7 hacking group, which has connections to numerous types of malware as well as the BlackBasta and DarkSide ransomware operations, was responsible for developing the Domino malware.

IBM researchers have found that the ‘Dave Loader’ malware loader is linked to former members of the Conti ransomware and TrickBot groups, and that it has been used to deploy Cobalt Strike beacons and Emotet.

Recently, however, it has been observed installing the new ‘Domino’ malware family, which consists of a backdoor and an embedded .NET info-stealer called ‘Nemesis Project.’ The researchers speculate that the backdoor may download more sophisticated malware, such as Cobalt Strike, on high-value targets.

Threat actors often collaborate with other groups to distribute malware and gain initial access to corporate networks, with ransomware gangs like REvil, Maze, and Conti relying on the likes of TrickBot and Emotet. With the disbanding of Conti, smaller cells have emerged, including BlackBasta, LockBit, and Quantum. IBM has linked the Domino malware family to FIN7, as it shares a code overlap with Lizar, and a loader named ‘NewWorldOrder’ was used to distribute the malware.

The Dave Loader malware, associated with TrickBot/Conti, has been observed pushing the Domino malware, linked to FIN7, which then deploys Project Nemesis or Cobalt Strike beacons associated with ex-Conti ransomware activity. This complicated partnership among threat actors creates challenges for defenders who need to address multiple malware strains that enable remote access to networks.

Chameleon Android Malware Discovered in the Wild, Threatening Mobile Devices

  • Written by Ari Denial, Cybersecurity & Tech Writer

Cyble Research & Intelligence Labs (CRIL) recently discovered a new strain of Android Banking Trojan, named “Chameleon,” which appears to be unrelated to any known Trojan families.

The malware is identified by the commands the Trojan uses. The Trojan has been active since January 2023 and has been observed specifically targeting users in Australia and Poland.

The Trojan is designed to carry out malicious activities by utilizing the Accessibility Service, similar to other Banking Trojans. The malware is capable of impersonating popular cryptocurrency app CoinSpot, a government agency in Australia, and IKO bank from Poland. This impersonation allows the Trojan to deceive unsuspecting victims and gain access to sensitive information.

The Chameleon Banking Trojan employs various evasion techniques upon launch to avoid detection by security software. These include anti-emulation checks, which can detect whether the device is rooted or whether debugging is enabled; the results are used to judge whether the app is likely running in an analyst’s environment.

It can also disable Google Play Protect and prevent the user from uninstalling it. Upon initial connection with the Command-and-Control server (C2), Chameleon sends crucial device information such as the device version, model, root status, country, and precise location. This information is likely used to profile the new infection.

This Trojan loads malicious modules in the background depending on the entity it impersonates. These modules include a cookie stealer, keylogger, phishing page injector, lock screen PIN/pattern grabber, and SMS stealer.

The Accessibility Service is abused to carry out these data-stealing activities, allowing the malware to monitor screen content, intervene to modify interface elements, or send certain API calls as needed. The service is also used to prevent the malware from being uninstalled by identifying removal attempts and deleting shared preference variables.

The Trojan is considered an emerging threat, and future versions may have additional features and capabilities. Android users are advised to exercise caution when downloading apps, use only official app stores, and keep Google Play Protect enabled at all times.