Diceloader

Malware updated 7 months ago (2024-05-04T20:18:14.449Z)

Download STIX

Preview STIX

Diceloader is a type of malware, short for malicious software, that is designed to infiltrate and damage computer systems. It can infect systems through various means such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransom. Diceloader, also known as Lizar or Tirion, is part of a family of malware developed by ITG14, and has been used by numerous threat groups including FIN7 and FIN12. It has been observed in conjunction with other malwares like Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, AresLoader, LummaC2, Vidar, Gozi, Canyon, Nokoyawa Ransomware, and BlackBasta Ransomware. FIN7’s time-tested CARBANAK and DICELOADER malware continue to be in use; however, recent intrusions have seen a greater dependence on the POWERPLANT backdoor. The Domino Backdoor shares code overlap with the Diceloader family of malware. In one specific instance, STONEBOAT was observed first loading an intermediary loader called DAVESHELL, which then executed the final DICELOADER payload. The USB hardware was programmed to download STONEBOAT, which ultimately installed the DICELOADER framework on the victim system. Other payloads loaded by FIN7’s POWERTRASH include CARBANAK, DICELOADER, SUPERSOFT, BEACON and PILLOWMINT. The infection chain of Diceloader includes several stages: the DICELOADER backdoor, the DUBLOADER loader, the POWERHOLD persistence-establishing script, and the POWERTRASH obfuscated loader. The yet undocumented persistence script has been codenamed POWERHOLD, with the DICELOADER malware decoded and executed using another unique loader referred to as DUBLOADER. Mandiant is also tracking multiple notable campaigns suspected to be FIN7, including a “BadUSB” campaign leading to DICELOADER, and multiple phishing campaigns leveraging cloud marketing platforms leading to BIRDWATCH. The Bl00dy Ransomware Gang downloads legitimate remote access tools such as Atera RMM, uses Tor and/or other proxies, and additional malware such as Cobalt Strike Beacons, DiceLoader, and TrueBot.

Description last updated: 2024-05-04T19:37:17.437Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
FIN7 is a possible alias for Diceloader. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global	6
Lizar is a possible alias for Diceloader. Lizar, also known as Tirion or Diceloader, is a malicious software developed by the threat group ITG14. It's designed to exploit and damage computers or devices, infiltrating systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operati	5
Carbanak is a possible alias for Diceloader. Carbanak is a notorious malware developed by the cybercrime collective known as FIN7, also referred to as Carbon Spider, Cobalt Group, and Navigator Group. The group, which has been active since 2012, is of Russian origin and has been particularly focused on exploiting the restaurant, gambling, and	4
Tirion is a possible alias for Diceloader. Tirion, also known as Lizar or DiceLoader, is a type of malware developed by the threat group ITG14, also known as FIN7. First reported in March 2020, Tirion has been observed in numerous ITG14 campaigns up until the end of 2022. This malicious software can infiltrate systems through suspicious down	4
ITG14 is a possible alias for Diceloader. ITG14, a threat actor identified in the cybersecurity industry, has recently been linked to malicious activities involving the Domino Backdoor. X-Force researchers have found substantial evidence connecting the Domino Backdoor to ITG14’s Carbanak Backdoor. The Domino Backdoor not only shares signifi	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Loader

Backdoor

Bot

PowerShell

Cobalt Strike

Beacon

Payload

Ransomware

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Domino Malware is associated with Diceloader. Domino is a malicious software that infiltrated various systems, most notably IBM Domino Server and ESET Mail Security for IBM Domino, causing significant disruptions and data breaches. The malware was particularly potent due to its ability to exploit vulnerabilities in one system and trigger a domi	Unspecified	3
The Vidar Malware is associated with Diceloader. Vidar is a malicious software (malware) that primarily targets Windows systems, written in C++ and based on the Arkei stealer. It has historically been favored by threat actors who sell logs through marketplaces like 2easy, alongside other infostealers such as Raccoon, RedLine, and AZORult. The malw	Unspecified	2
The Domino Backdoor Malware is associated with Diceloader. The Domino Backdoor is a type of malware that has been linked to multiple threat groups, highlighting the complexity of tracking these actors and their operations. This malicious software, designed to exploit and damage computers or devices, can steal personal information, disrupt operations, or hol	Unspecified	2
The Minodo Malware is associated with Diceloader. Minodo is a type of malware, a harmful program designed to exploit and damage computer systems. It can infiltrate your system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data h	Unspecified	2

Source Document References

Information about the Diceloader Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
MITRE	a year ago	FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
CERT-EU	2 years ago	Anomali Cyber Watch: Lancefly APT Adopts Alternatives to Phishing, BPFdoor Removed Hardcoded Indicators, FBI Ordered Russian Malware to Self-Destruct
CERT-EU	2 years ago	Anomali Cyber Watch: APT37 Adopts LNK Files, Charming Kitten Uses BellaCiao Implant-Dropper, ViperSoftX Infostealer Unique Byte Remapping Encryption
CERT-EU	2 years ago	Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware
SecurityIntelligence.com	a year ago	The Trickbot/Conti Crypters: Where Are They Now?
CERT-EU	a year ago	FIN7 cybergang tied to April PaperCut attacks \| #ransomware \| #cybercrime – National Cyber Security Consulting
CERT-EU	2 years ago	FIN7 Hackers Caught Exploiting Recent Veeam Vulnerability
CERT-EU	2 years ago	Ransomware gang exploiting unpatched Veeam backup products \| #ransomware \| #cybercrime – National Cyber Security Consulting
SecurityIntelligence.com	2 years ago	Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor
CSO Online	2 years ago	Cybercrime group FIN7 targets Veeam backup servers
SecurityIntelligence.com	2 years ago	Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor
CERT-EU	2 years ago	Google sheets & drive traffic along with this process in your network, means your are hacked
Securityaffairs	2 years ago	The intricate relationships between the FIN7 group and members of the Conti gang
CERT-EU	a year ago	BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising
DARKReading	2 years ago	FIN7, Former Conti Gang Members Collaborate on 'Domino' Malware
CERT-EU	2 years ago	Russian cybercrime group FIN7 has been observed exploiting unpatched Veeam Backup & Replication instances in recent attacks, cybersecurity company WithSecure reports.