Diceloader

Malware Profile Updated 25 days ago
Diceloader (also tracked as Lizar and Tirion) is a backdoor in the malware family attributed to ITG14, and it has been used by multiple threat groups, including FIN7 and FIN12. It is delivered through the usual vectors for commodity loaders (malicious downloads, phishing emails and compromised or spoofed websites), typically without the user's knowledge. Once on a host it is used to steal data, disrupt operations, or stage follow-on ransomware. It has been observed alongside Emotet, IcedID, Cobalt Strike, SVCReady, CargoBay, Pushdo, Minodo, AresLoader, LummaC2, Vidar, Gozi, Canyon, Nokoyawa ransomware and Black Basta ransomware.

FIN7's long-standing CARBANAK and DICELOADER malware remain in use, although recent intrusions have relied more heavily on the POWERPLANT backdoor. The Domino Backdoor shares code with the Diceloader family.

Several delivery chains ending in DICELOADER have been documented. In the "BadUSB" campaign, the USB hardware was programmed to download STONEBOAT; in one instance STONEBOAT first loaded an intermediary loader called DAVESHELL, which then executed the final DICELOADER payload, so that STONEBOAT ultimately installed the DICELOADER framework on the victim system. FIN7's obfuscated POWERTRASH loader has delivered CARBANAK, DICELOADER, SUPERSOFT, BEACON and PILLOWMINT. In the chain Mandiant documented, the stages are the POWERTRASH obfuscated loader, a previously undocumented persistence script codenamed POWERHOLD, a further unique loader referred to as DUBLOADER that decodes and executes the payload, and the DICELOADER backdoor itself. Mandiant is also tracking multiple notable campaigns suspected to be FIN7, including the BadUSB campaign leading to DICELOADER and multiple phishing campaigns leveraging cloud marketing platforms leading to BIRDWATCH.
The Bl00dy Ransomware Gang downloads legitimate remote access tools such as Atera RMM, uses Tor and/or other proxies, and additional malware such as Cobalt Strike Beacons, DiceLoader, and TrueBot.
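The profile above offers a STIX download but does not show how the stated relationships (aliases, which groups use the backdoor, which loaders deliver it) are encoded. The following is an added example, not the site's own exporter and not from any of the cited vendors: it builds a STIX 2.1 bundle of plain dicts from the facts stated on this page, checks that every relationship resolves and uses a relationship type STIX permits between those object types, and resolves an alias such as "Tirion" back to the Diceloader object. The namespace UUID and the fixed timestamp are constructed so the ids are reproducible; the real export may use different ids and additional objects.

```python
"""Encode the Diceloader relationships stated in the profile as a STIX 2.1
bundle of plain dicts (no stix2 package required).  Added example: ids are
deterministic UUIDv5 values under a constructed namespace so repeated runs
produce the same bundle."""
import json
import uuid

NAMESPACE = uuid.UUID("7a0c4d1e-5b2f-4e6a-9d3c-1f8e2b4a6c0d")  # constructed, not a STIX constant
TS = "2024-01-01T00:00:00.000Z"  # fixed timestamp to keep the output reproducible

# Subset of the (source type, relationship, target type) triples STIX 2.1 allows.
ALLOWED = {
    ("intrusion-set", "uses", "malware"),
    ("malware", "downloads", "malware"),
    ("malware", "drops", "malware"),
}


def stix_id(stix_type, key):
    """Deterministic STIX identifier: <type>--<uuid5 of type:key>."""
    return f"{stix_type}--{uuid.uuid5(NAMESPACE, f'{stix_type}:{key.lower()}')}"


def sdo(stix_type, name, **extra):
    obj = {"type": stix_type, "spec_version": "2.1", "id": stix_id(stix_type, name),
           "created": TS, "modified": TS, "name": name}
    obj.update(extra)
    return obj


def malware(name, malware_types, aliases=()):
    return sdo("malware", name, malware_types=list(malware_types),
               is_family=True, aliases=list(aliases))


def intrusion_set(name, aliases=()):
    return sdo("intrusion-set", name, aliases=list(aliases))


def relationship(src, rel_type, dst):
    key = f"{src['id']}|{rel_type}|{dst['id']}"
    return {"type": "relationship", "spec_version": "2.1",
            "id": stix_id("relationship", key), "created": TS, "modified": TS,
            "relationship_type": rel_type,
            "source_ref": src["id"], "target_ref": dst["id"]}


def build_bundle():
    """Objects and edges taken from the profile text above."""
    dice = malware("Diceloader", ["backdoor"], aliases=["Lizar", "Tirion"])
    carbanak = malware("Carbanak", ["backdoor"])
    powertrash = malware("POWERTRASH", ["dropper"])
    dubloader = malware("DUBLOADER", ["dropper"])
    stoneboat = malware("STONEBOAT", ["dropper"])
    daveshell = malware("DAVESHELL", ["dropper"])
    fin7 = intrusion_set("FIN7", aliases=["ITG14"])
    fin12 = intrusion_set("FIN12")
    bloody = intrusion_set("Bl00dy Ransomware Gang")
    objects = [dice, carbanak, powertrash, dubloader, stoneboat, daveshell,
               fin7, fin12, bloody]
    objects += [
        relationship(fin7, "uses", dice),
        relationship(fin7, "uses", carbanak),
        relationship(fin7, "uses", powertrash),
        relationship(fin12, "uses", dice),
        relationship(bloody, "uses", dice),
        relationship(powertrash, "drops", carbanak),   # POWERTRASH loads CARBANAK
        relationship(powertrash, "drops", dice),       # and DICELOADER
        relationship(dubloader, "drops", dice),        # DUBLOADER decodes/executes DICELOADER
        relationship(stoneboat, "drops", daveshell),   # BadUSB chain: STONEBOAT -> DAVESHELL
        relationship(daveshell, "drops", dice),        # DAVESHELL -> DICELOADER
    ]
    return {"type": "bundle", "id": stix_id("bundle", "diceloader-profile"), "objects": objects}


def resolve(bundle, name):
    """Return the malware/intrusion-set whose name or alias matches, else None."""
    wanted = name.lower()
    for obj in bundle["objects"]:
        if obj["type"] in ("malware", "intrusion-set"):
            names = [obj["name"], *obj.get("aliases", [])]
            if wanted in (n.lower() for n in names):
                return obj
    return None


def check_bundle(bundle):
    """List dangling references and relationship types STIX does not permit."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    problems = []
    for obj in bundle["objects"]:
        if obj["type"] != "relationship":
            continue
        src, dst = by_id.get(obj["source_ref"]), by_id.get(obj["target_ref"])
        if src is None or dst is None:
            problems.append(f"dangling ref in {obj['id']}")
            continue
        triple = (src["type"], obj["relationship_type"], dst["type"])
        if triple not in ALLOWED:
            problems.append(f"{src['type']} {obj['relationship_type']} {dst['type']} not allowed")
    return problems


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print("problems:", check_bundle(bundle))
```

The `drops` edges model "loader X decoded/executed Y" as the page describes; where a report instead says a loader retrieves the next stage over the network, `downloads` is the closer STIX type, and `check_bundle` accepts either between malware objects.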
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
FIN7 | 6 | FIN7, a well-known threat actor group, has been actively targeting large-scale industries with sophisticated cyber attacks. Notably, they have been involved in a series of phishing attacks against a major U.S. carmaker. These targeted operations reflect FIN7's persistent and evolving strategies to c
Lizar | 5 | Lizar, also known as Tirion or Diceloader, is a malicious software developed by the threat group ITG14. It's designed to exploit and damage computers or devices, infiltrating systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operati
Tirion | 4 | Tirion, also known as Lizar or DiceLoader, is a type of malware developed by the threat group ITG14, also known as FIN7. First reported in March 2020, Tirion has been observed in numerous ITG14 campaigns up until the end of 2022. This malicious software can infiltrate systems through suspicious down
Carbanak | 4 | Carbanak is a potent form of malware, short for malicious software, which infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Carbanak can steal personal information, disrupt operations, or even hold data hostage for ransom. The
ITG14 | 2 | ITG14, a threat actor identified in the cybersecurity industry, has recently been linked to malicious activities involving the Domino Backdoor. X-Force researchers have found substantial evidence connecting the Domino Backdoor to ITG14's Carbanak Backdoor. The Domino Backdoor not only shares signifi
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Loader
Malware
Backdoor
Bot
Cobalt Strike
Beacon
Payload
Ransomware
Associated Malware
ID | Type | Votes | Profile Description
Domino | Unspecified | 3 | Domino is a potent malware that has caused significant disruptions and damage to various systems. The first known attack was on Romania's Pitesi Pediatric Hospital on February 10, with subsequent attacks on other hospitals on February 11 and February 12. The malware infiltrates systems via suspiciou
Vidar | Unspecified | 2 | Vidar is a malware variant that first emerged in 2018 as a derivative of the Arkei malware. It is a Windows-based infostealer written in C++, and it has been used extensively by cybercriminals to steal sensitive information from compromised systems. Vidar, like other infostealers such as LummaC2, is
Domino Backdoor | Unspecified | 2 | The Domino Backdoor is a type of malware that has been linked to multiple threat groups, highlighting the complexity of tracking these actors and their operations. This malicious software, designed to exploit and damage computers or devices, can steal personal information, disrupt operations, or hol
Minodo | Unspecified | 2 | Minodo is a type of malware, a harmful program designed to exploit and damage computer systems. It can infiltrate your system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data h
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Diceloader malware was read from the documents below (display limited to 20 results).
Source | Created | Title
MITRE
6 months ago
FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
SecurityIntelligence.com
a year ago
Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor
CERT-EU
a year ago
Russian cybercrime group FIN7 has been observed exploiting unpatched Veeam Backup & Replication instances in recent attacks, cybersecurity company WithSecure reports.
CSO Online
a year ago
Cybercrime group FIN7 targets Veeam backup servers
SecurityIntelligence.com
a year ago
The Trickbot/Conti Crypters: Where Are They Now?
Securityaffairs
a year ago
The intricate relationships between the FIN7 group and members of the Conti gang
DARKReading
a year ago
FIN7, Former Conti Gang Members Collaborate on 'Domino' Malware
CERT-EU
a year ago
FIN7 cybergang tied to April PaperCut attacks | #ransomware | #cybercrime – National Cyber Security Consulting
CERT-EU
a year ago
Anomali Cyber Watch: Lancefly APT Adopts Alternatives to Phishing, BPFdoor Removed Hardcoded Indicators, FBI Ordered Russian Malware to Self-Destruct
CERT-EU
a year ago
Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware
CERT-EU
a year ago
Google sheets & drive traffic along with this process in your network, means your are hacked
CERT-EU
a year ago
Anomali Cyber Watch: APT37 Adopts LNK Files, Charming Kitten Uses BellaCiao Implant-Dropper, ViperSoftX Infostealer Unique Byte Remapping Encryption
CERT-EU
a year ago
FIN7 Hackers Caught Exploiting Recent Veeam Vulnerability
CERT-EU
a year ago
BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising
CERT-EU
a year ago
Ransomware gang exploiting unpatched Veeam backup products | #ransomware | #cybercrime – National Cyber Security Consulting