Diceloader

Malware updated 5 months ago (2024-05-04T20:18:14.449Z)
Download STIX
Preview STIX
Diceloader is a type of malware, short for malicious software, that is designed to infiltrate and damage computer systems. It can infect systems through various means such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransom. Diceloader, also known as Lizar or Tirion, is part of a family of malware developed by ITG14, and has been used by numerous threat groups including FIN7 and FIN12. It has been observed in conjunction with other malwares like Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, AresLoader, LummaC2, Vidar, Gozi, Canyon, Nokoyawa Ransomware, and BlackBasta Ransomware. FIN7’s time-tested CARBANAK and DICELOADER malware continue to be in use; however, recent intrusions have seen a greater dependence on the POWERPLANT backdoor. The Domino Backdoor shares code overlap with the Diceloader family of malware. In one specific instance, STONEBOAT was observed first loading an intermediary loader called DAVESHELL, which then executed the final DICELOADER payload. The USB hardware was programmed to download STONEBOAT, which ultimately installed the DICELOADER framework on the victim system. Other payloads loaded by FIN7’s POWERTRASH include CARBANAK, DICELOADER, SUPERSOFT, BEACON and PILLOWMINT. The infection chain of Diceloader includes several stages: the DICELOADER backdoor, the DUBLOADER loader, the POWERHOLD persistence-establishing script, and the POWERTRASH obfuscated loader. The yet undocumented persistence script has been codenamed POWERHOLD, with the DICELOADER malware decoded and executed using another unique loader referred to as DUBLOADER. Mandiant is also tracking multiple notable campaigns suspected to be FIN7, including a “BadUSB” campaign leading to DICELOADER, and multiple phishing campaigns leveraging cloud marketing platforms leading to BIRDWATCH. The Bl00dy Ransomware Gang downloads legitimate remote access tools such as Atera RMM, uses Tor and/or other proxies, and additional malware such as Cobalt Strike Beacons, DiceLoader, and TrueBot.
Description last updated: 2024-05-04T19:37:17.437Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
FIN7 is a possible alias for Diceloader. FIN7, also known as Carbanak, is a Russian cybercrime group that has been active since mid-2015. They are known for their malicious activities primarily targeting the restaurant, gambling, and hospitality industries in the United States to harvest financial information which is then used in attacks
6
Lizar is a possible alias for Diceloader. Lizar, also known as Tirion or Diceloader, is a malicious software developed by the threat group ITG14. It's designed to exploit and damage computers or devices, infiltrating systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operati
5
Carbanak is a possible alias for Diceloader. Carbanak is a notorious malware developed by the cybercrime collective known as FIN7, also referred to as Carbon Spider, Cobalt Group, and Navigator Group. The group, which has been active since 2012, is of Russian origin and has been particularly focused on exploiting the restaurant, gambling, and
4
Tirion is a possible alias for Diceloader. Tirion, also known as Lizar or DiceLoader, is a type of malware developed by the threat group ITG14, also known as FIN7. First reported in March 2020, Tirion has been observed in numerous ITG14 campaigns up until the end of 2022. This malicious software can infiltrate systems through suspicious down
4
ITG14 is a possible alias for Diceloader. ITG14, a threat actor identified in the cybersecurity industry, has recently been linked to malicious activities involving the Domino Backdoor. X-Force researchers have found substantial evidence connecting the Domino Backdoor to ITG14’s Carbanak Backdoor. The Domino Backdoor not only shares signifi
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Loader
Backdoor
Bot
PowerShell
Cobalt Strike
Beacon
Payload
Ransomware
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Domino Malware is associated with Diceloader. Domino is a malicious software (malware) that has been causing significant disruption and harm in recent times. The malware was first identified when it infiltrated the IBM Domino Server, a platform used widely for hosting critical applications and services. Despite security measures such as ESET MaUnspecified
3
The Vidar Malware is associated with Diceloader. Vidar is a malicious software (malware) that operates as an infostealer, primarily targeting Windows-based systems. It's written in C++ and is based on the Arkei stealer. Vidar is part of a broader landscape of malware threats such as Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo,Unspecified
2
The Domino Backdoor Malware is associated with Diceloader. The Domino Backdoor is a type of malware that has been linked to multiple threat groups, highlighting the complexity of tracking these actors and their operations. This malicious software, designed to exploit and damage computers or devices, can steal personal information, disrupt operations, or holUnspecified
2
The Minodo Malware is associated with Diceloader. Minodo is a type of malware, a harmful program designed to exploit and damage computer systems. It can infiltrate your system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hUnspecified
2
Source Document References
Information about the Diceloader Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
MITRE
10 months ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
SecurityIntelligence.com
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
SecurityIntelligence.com
a year ago
CSO Online
a year ago
SecurityIntelligence.com
a year ago
CERT-EU
a year ago
Securityaffairs
a year ago
CERT-EU
a year ago
DARKReading
a year ago
CERT-EU
a year ago