ITG14

Threat Actor Profile Updated a month ago
Download STIX
Preview STIX
ITG14, a threat actor identified in the cybersecurity industry, has recently been linked to malicious activities involving the Domino Backdoor. X-Force researchers have found substantial evidence connecting the Domino Backdoor to ITG14’s Carbanak Backdoor. The Domino Backdoor not only shares significant code overlap with the Lizar family of malware, also known as Tirion or Diceloader, but it also demonstrates considerable similarities with malware associated with the Lizar Toolkit, both of which are attributed to ITG14. The observed collaboration between members of ITG14 and former members of ITG23 is consistent with past occurrences. This cooperation further expands the potential reach and impact of these threat actors, possibly leading to more sophisticated and damaging cyberattacks. However, while there is considerable overlap between the Domino Backdoor and ITG14's tools, this alone is insufficient for definitive attribution. Additional evidence supporting the connection between the Domino Backdoor and ITG14 includes the observation by X-Force analysts that two of the Domino Backdoor command-and-control (C2) addresses belonging to MivoCloud closely match C2 addresses previously used by ITG14 for SSH-based Backdoors. These findings suggest a preference on the part of an ITG14 developer for using MivoCloud for some of their C2 addresses. While this information does not conclusively attribute the Domino Backdoor to ITG14, it adds to the mounting evidence of ITG14's involvement.
What's your take? (Question 1 of 5)
b984b551-a4bc-4f0a-aeef-615179f596f9 Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
FIN7
3
FIN7, a well-known threat actor group, has been actively targeting large-scale industries with sophisticated cyber attacks. Notably, they have been involved in a series of phishing attacks against a major U.S. carmaker. These targeted operations reflect FIN7's persistent and evolving strategies to c
Diceloader
2
Diceloader is a type of malware, short for malicious software, that is designed to infiltrate and damage computer systems. It can infect systems through various means such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal in
Tirion
2
Tirion, also known as Lizar or DiceLoader, is a type of malware developed by the threat group ITG14, also known as FIN7. First reported in March 2020, Tirion has been observed in numerous ITG14 campaigns up until the end of 2022. This malicious software can infiltrate systems through suspicious down
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Loader
Ransomware
Infostealer
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
LizarUnspecified
2
Lizar, also known as Tirion or Diceloader, is a malicious software developed by the threat group ITG14. It's designed to exploit and damage computers or devices, infiltrating systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operati
CarbanakUnspecified
2
Carbanak is a potent form of malware, short for malicious software, which infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Carbanak can steal personal information, disrupt operations, or even hold data hostage for ransom. The
ContiUnspecified
2
Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them, often stealing personal information or disrupting operations. This malicious software has been used in conjunction with other forms of malware such as Trickbot, BazarLoader, IcedID, and Cobalt S
Domino BackdoorUnspecified
2
The Domino Backdoor is a type of malware that has been linked to multiple threat groups, highlighting the complexity of tracking these actors and their operations. This malicious software, designed to exploit and damage computers or devices, can steal personal information, disrupt operations, or hol
Carbanak BackdoorUnspecified
2
The Carbanak Backdoor is a notorious malware, designed to exploit and damage computer systems. It is associated with the FIN7 threat group, also known as the "Carbanak Group", although not all usage of the Carbanak Backdoor can be directly linked to FIN7. This malicious software infiltrates systems
Project NemesisUnspecified
2
Project Nemesis is a malicious software, or malware, that was first advertised on the dark web in December 2021. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites. Once inside, Project Nemesis can steal personal information,
Dave LoaderUnspecified
2
Dave Loader, also known as Domino Backdoor, is a potent malware that has been utilized in various cybercrime operations. This malicious software is designed to infiltrate computer systems and compromise user data, often without the victim's knowledge. It can be delivered through dubious downloads, e
DominoUnspecified
2
Domino is a potent malware that has caused significant disruptions and damage to various systems. The first known attack was on Romania's Pitesi Pediatric Hospital on February 10, with subsequent attacks on other hospitals on February 11 and February 12. The malware infiltrates systems via suspiciou
NemesisUnspecified
2
Nemesis is a type of malware, specifically known as an infostealer, which infiltrates systems to exploit and cause damage. It often enters systems undetected through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. A deeper lo
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Trickbot/conti SyndicateUnspecified
2
The Trickbot/Conti syndicate, also known as ITG23, is a threat actor group associated with various malicious activities. Since late February 2023, this group has been linked to Domino Backdoor campaigns utilizing the Dave Loader, a tool used to load malware onto targeted systems. The IBM Security X-
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the ITG14 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
SecurityIntelligence.com
a year ago
Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor
SecurityIntelligence.com
a year ago
Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor
MITRE
a year ago
Ransomware 2020: Attack Trends Affecting Organizations Worldwide
Securityaffairs
a year ago
The intricate relationships between the FIN7 group and members of the Conti gang