Domino Backdoor

Malware updated 5 months ago (2024-05-05T03:18:13.431Z)

Download STIX

Preview STIX

The Domino Backdoor is a type of malware that has been linked to multiple threat groups, highlighting the complexity of tracking these actors and their operations. This malicious software, designed to exploit and damage computers or devices, can steal personal information, disrupt operations, or hold data hostage for ransom. It has been observed in use since late February 2023, notably by former members of ITG23 who have used it in conjunction with Dave Loader during their campaigns. This suggests a level of collaboration between different threat groups. The Domino Backdoor also shares code overlap with the Lizar family of malware, developed by ITG14, adding another layer of complexity to its origins and operations. The Domino Backdoor uses the Microsoft WinCrypt library for AES encryption and decryption, a feature it shares with the Loader malware. In one particular instance, a payload was found to be a Loader with similarities to Domino Backdoor, subsequently referred to as Domino Loader. During an analysis, the payload received by the Domino backdoor from the C2 was identified as a 64-bit DLL, written in C++, with MD5 hash 2373BE26018075847AEA51636B739F66 and an internal filename of MultiRunDll64.dll. In addition to its shared characteristics with other malware, the Domino Backdoor has unique features. For example, Lizar's Jumper32/Jumper64.dll plugin resembles the code within Domino Backdoor, which is capable of loading a payload using several different methods. The required method can be specified using a command ID number. These findings highlight the sophisticated nature of this threat, indicating that it is part of a broader ecosystem of malicious tools used by cybercriminals to breach security systems and compromise sensitive data.

Description last updated: 2024-05-05T03:00:15.020Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Project Nemesis is a possible alias for Domino Backdoor. Project Nemesis is a malicious software, or malware, that was first advertised on the dark web in December 2021. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites. Once inside, Project Nemesis can steal personal information,	3
Dave Loader is a possible alias for Domino Backdoor. Dave Loader, also known as Domino Backdoor, is a potent malware that has been utilized in various cybercrime operations. This malicious software is designed to infiltrate computer systems and compromise user data, often without the victim's knowledge. It can be delivered through dubious downloads, e	3
Domino Loader is a possible alias for Domino Backdoor. Domino Loader is a sophisticated malware with significant similarities to the Domino Backdoor. It operates as a loader, infiltrating systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it gathers basic system information and sends this data to a com	2
Lizar is a possible alias for Domino Backdoor. Lizar, also known as Tirion or Diceloader, is a malicious software developed by the threat group ITG14. It's designed to exploit and damage computers or devices, infiltrating systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operati	2
Trickbot/conti Syndicate is a possible alias for Domino Backdoor. The Trickbot/Conti syndicate, also known as ITG23, is a threat actor group associated with various malicious activities. Since late February 2023, this group has been linked to Domino Backdoor campaigns utilizing the Dave Loader, a tool used to load malware onto targeted systems. The IBM Security X-	2
Tirion is a possible alias for Domino Backdoor. Tirion, also known as Lizar or DiceLoader, is a type of malware developed by the threat group ITG14, also known as FIN7. First reported in March 2020, Tirion has been observed in numerous ITG14 campaigns up until the end of 2022. This malicious software can infiltrate systems through suspicious down	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Loader

Cobalt Strike

Malware

Payload

Infostealer

Backdoor

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Diceloader Malware is associated with Domino Backdoor. Diceloader is a type of malware, short for malicious software, that is designed to infiltrate and damage computer systems. It can infect systems through various means such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal in	Unspecified	2
The Newworldorder Loader Malware is associated with Domino Backdoor. NewWorldOrder Loader is a potent malware that was identified in December 2022. It operates as a loader for other malicious software, effectively helping them infiltrate systems undetected. This harmful program is particularly notable for its association with the Domino Backdoor and Carbanak Backdoor	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The FIN7 Threat Actor is associated with Domino Backdoor. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global	is related to	3
The ITG14 Threat Actor is associated with Domino Backdoor. ITG14, a threat actor identified in the cybersecurity industry, has recently been linked to malicious activities involving the Domino Backdoor. X-Force researchers have found substantial evidence connecting the Domino Backdoor to ITG14’s Carbanak Backdoor. The Domino Backdoor not only shares signifi	Unspecified	2

Source Document References

Information about the Domino Backdoor Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
SecurityIntelligence.com	2 years ago	Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor
SecurityIntelligence.com	a year ago	Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor
Malwarebytes	a year ago	Malware authors join forces and target organisations with Domino Backdoor
Securityaffairs	a year ago	The intricate relationships between the FIN7 group and members of the Conti gang
DARKReading	a year ago	FIN7, Former Conti Gang Members Collaborate on 'Domino' Malware