Dave Loader

Malware updated 5 months ago (2024-05-05T03:18:28.755Z)

Download STIX

Preview STIX

Dave Loader, also known as Domino Backdoor, is a potent malware that has been utilized in various cybercrime operations. This malicious software is designed to infiltrate computer systems and compromise user data, often without the victim's knowledge. It can be delivered through dubious downloads, emails, or websites. Once inside a system, Dave Loader can steal personal information, disrupt operations, or even hold data hostage for ransom. Recent observations reveal that it now includes what are known as Domino files, with a particular focus on the Domino Backdoor. Since late February 2023, Dave Loader has been linked to numerous campaigns orchestrated by former members of ITG23, a group infamous for its cybercriminal activities. The malware has demonstrated ties to multiple groups within a single campaign, including the Domino Backdoor and Project Nemesis Infostealer. This multifaceted use underscores the complexity of tracking threat actors but also offers insight into their operational tactics and affiliations. Notably, Dave Loader has been associated with the Trickbot/Conti syndicate, suggesting a degree of cooperation among these cybercriminal groups. The technical workings of Dave Loader involve executing decrypted shellcode and passing the PE payload to it for loading and execution. The malware contains two encrypted resources within a resource directory named "XKLKLCRTE." It utilizes API calls LdrFindResource_U and LdrAccessResource to load these resources, which it then decrypts using XOR and a specific key. This advanced level of encryption and obfuscation makes Dave Loader a significant threat in the realm of cybersecurity.

Description last updated: 2024-05-05T03:00:32.068Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Domino Backdoor is a possible alias for Dave Loader. The Domino Backdoor is a type of malware that has been linked to multiple threat groups, highlighting the complexity of tracking these actors and their operations. This malicious software, designed to exploit and damage computers or devices, can steal personal information, disrupt operations, or hol	3
Project Nemesis is a possible alias for Dave Loader. Project Nemesis is a malicious software, or malware, that was first advertised on the dark web in December 2021. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites. Once inside, Project Nemesis can steal personal information,	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Infostealer

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Domino Malware is associated with Dave Loader. Domino is a malicious software (malware) that has been causing significant disruption and harm in recent times. The malware was first identified when it infiltrated the IBM Domino Server, a platform used widely for hosting critical applications and services. Despite security measures such as ESET Ma	Unspecified	3
The IcedID Malware is associated with Dave Loader. IcedID is a type of malware, malicious software designed to exploit and damage computer systems. It has been identified in association with various other malwares such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, and Pikabot. The IcedID IntBot Loader (int-bot.dll) is	Unspecified	2
The Emotet Malware is associated with Dave Loader. Emotet is a particularly dangerous and insidious type of malware that has reemerged as a significant threat. This malicious software, which infects systems through suspicious downloads, emails, or websites, can steal personal information, disrupt operations, or even hold data for ransom. Emotet-infe	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The ITG14 Threat Actor is associated with Dave Loader. ITG14, a threat actor identified in the cybersecurity industry, has recently been linked to malicious activities involving the Domino Backdoor. X-Force researchers have found substantial evidence connecting the Domino Backdoor to ITG14’s Carbanak Backdoor. The Domino Backdoor not only shares signifi	Unspecified	2
The Trickbot/conti Syndicate Threat Actor is associated with Dave Loader. The Trickbot/Conti syndicate, also known as ITG23, is a threat actor group associated with various malicious activities. Since late February 2023, this group has been linked to Domino Backdoor campaigns utilizing the Dave Loader, a tool used to load malware onto targeted systems. The IBM Security X-	Unspecified	2

Source Document References

Information about the Dave Loader Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	a year ago	The intricate relationships between the FIN7 group and members of the Conti gang
Malwarebytes	a year ago	Malware authors join forces and target organisations with Domino Backdoor
SecurityIntelligence.com	2 years ago	Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor
SecurityIntelligence.com	a year ago	The Trickbot/Conti Crypters: Where Are They Now?
SecurityIntelligence.com	a year ago	Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor