Dave Loader

Malware updated 7 months ago (2024-05-05T03:18:28.755Z)
Dave Loader, also known as Domino Backdoor, is a potent malware that has been used in a range of cybercrime operations. It is built to infiltrate computer systems and compromise user data, usually without the victim's knowledge, and can be delivered through dubious downloads, emails, or websites. Once inside a system, Dave Loader can steal personal information, disrupt operations, or even hold data hostage for ransom. Recent observations show that it now includes what are known as Domino files, with a particular focus on the Domino Backdoor.

Since late February 2023, Dave Loader has been linked to numerous campaigns run by former members of ITG23, a group infamous for its cybercriminal activity. Within a single campaign the malware has shown ties to multiple groups, including the Domino Backdoor and the Project Nemesis Infostealer. This multifaceted use makes the threat actors harder to track, but it also offers insight into their operational tactics and affiliations. Notably, Dave Loader has been associated with the Trickbot/Conti syndicate, suggesting a degree of cooperation among these cybercriminal groups.

Technically, Dave Loader works by executing decrypted shellcode and passing the PE payload to that shellcode for loading and execution. The binary contains two encrypted resources within a resource directory named "XKLKLCRTE". It uses the native API calls LdrFindResource_U and LdrAccessResource to locate and map these resources, then decrypts them with XOR and a specific key. This advanced level of encryption and obfuscation makes Dave Loader a significant threat in the realm of cybersecurity.
Description last updated: 2024-05-05T03:00:32.068Z
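The resource-decryption step described above lends itself to a defender-side triage check. The following helper is an added example, not code from the page or from any vendor report: given a blob dumped from a suspect resource directory (for Dave Loader, the directory named "XKLKLCRTE"), it recovers a repeating XOR key by using the standard DOS header as known plaintext and confirms the result at e_lfanew. The sample image and the key SAMPLE_KEY are constructed here; the key the loader actually uses is not given on the page.

```python
"""Added triage helper (not code from the page or from any vendor report).

Given a blob dumped from a suspect resource directory (for Dave Loader, the
directory named "XKLKLCRTE"), recover a repeating XOR key by using the
standard DOS header as known plaintext, then confirm the result by checking
for the "PE\\0\\0" signature at e_lfanew."""
import struct
from typing import Optional

# Typical first 16 bytes of a PE file (MZ signature plus the usual DOS header
# fields). Used as the known plaintext for key recovery.
DOS_HEADER_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR (the same operation encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(blob: bytes, max_key_len: int = 16) -> Optional[bytes]:
    """Return the repeating XOR key that turns blob into a PE image, or None.

    Keys up to len(DOS_HEADER_PREFIX) bytes are tried, shortest first; each
    candidate must reproduce the whole header prefix and a valid PE signature."""
    if len(blob) < 0x40:
        return None
    for klen in range(1, min(max_key_len, len(DOS_HEADER_PREFIX)) + 1):
        candidate = xor_bytes(blob[:klen], DOS_HEADER_PREFIX[:klen])
        plain = xor_bytes(blob, candidate)
        if not plain.startswith(DOS_HEADER_PREFIX):
            continue
        e_lfanew = struct.unpack_from("<I", plain, 0x3C)[0]
        if plain[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return candidate
    return None


def build_sample_pe() -> bytes:
    """Constructed minimal PE-like image (not malware): a DOS header with
    e_lfanew = 0x40, followed by the PE signature and zero padding."""
    dos = bytearray(DOS_HEADER_PREFIX + b"\x00" * (0x40 - len(DOS_HEADER_PREFIX)))
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 60


# Constructed sample key; the real key used by the loader is not given on the page.
SAMPLE_KEY = b"\x3a\x7f\x11\xc4"

if __name__ == "__main__":
    encrypted = xor_bytes(build_sample_pe(), SAMPLE_KEY)
    key = recover_xor_key(encrypted)
    print("recovered key:", key.hex() if key else None)
```

A blob that yields a key is worth a closer look alongside the LdrFindResource_U / LdrAccessResource calls that load it; a blob that yields none may simply use a longer key or an additional layer.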
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.

Domino Backdoor (3 votes): Domino Backdoor is a possible alias for Dave Loader. The Domino Backdoor is a type of malware that has been linked to multiple threat groups, highlighting the complexity of tracking these actors and their operations. This malicious software, designed to exploit and damage computers or devices, can steal personal information, disrupt operations, or hol

Project Nemesis (2 votes): Project Nemesis is a possible alias for Dave Loader. Project Nemesis is a malicious software, or malware, that was first advertised on the dark web in December 2021. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites. Once inside, Project Nemesis can steal personal information,
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Infostealer
Associated Malware
Domino (association type: Unspecified, 3 votes): The Domino Malware is associated with Dave Loader. Domino is a malicious software that infiltrated various systems, most notably IBM Domino Server and ESET Mail Security for IBM Domino, causing significant disruptions and data breaches. The malware was particularly potent due to its ability to exploit vulnerabilities in one system and trigger a domi

IcedID (association type: Unspecified, 2 votes): The IcedID Malware is associated with Dave Loader. IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of d

Emotet (association type: Unspecified, 2 votes): The Emotet Malware is associated with Dave Loader. Emotet is a notorious malware, short for malicious software, that is designed to exploit and damage computers or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations,
Associated Threat Actors
ITG14 (association type: Unspecified, 2 votes): The ITG14 Threat Actor is associated with Dave Loader. ITG14, a threat actor identified in the cybersecurity industry, has recently been linked to malicious activities involving the Domino Backdoor. X-Force researchers have found substantial evidence connecting the Domino Backdoor to ITG14's Carbanak Backdoor. The Domino Backdoor not only shares signifi

Trickbot/Conti Syndicate (association type: Unspecified, 2 votes): The Trickbot/Conti Syndicate Threat Actor is associated with Dave Loader. The Trickbot/Conti syndicate, also known as ITG23, is a threat actor group associated with various malicious activities. Since late February 2023, this group has been linked to Domino Backdoor campaigns utilizing the Dave Loader, a tool used to load malware onto targeted systems. The IBM Security X-