ITG14

Threat Actor Profile Updated 3 months ago

Download STIX

Preview STIX

ITG14, a threat actor identified in the cybersecurity industry, has recently been linked to malicious activities involving the Domino Backdoor. X-Force researchers have found substantial evidence connecting the Domino Backdoor to ITG14’s Carbanak Backdoor. The Domino Backdoor not only shares significant code overlap with the Lizar family of malware, also known as Tirion or Diceloader, but it also demonstrates considerable similarities with malware associated with the Lizar Toolkit, both of which are attributed to ITG14. The observed collaboration between members of ITG14 and former members of ITG23 is consistent with past occurrences. This cooperation further expands the potential reach and impact of these threat actors, possibly leading to more sophisticated and damaging cyberattacks. However, while there is considerable overlap between the Domino Backdoor and ITG14's tools, this alone is insufficient for definitive attribution. Additional evidence supporting the connection between the Domino Backdoor and ITG14 includes the observation by X-Force analysts that two of the Domino Backdoor command-and-control (C2) addresses belonging to MivoCloud closely match C2 addresses previously used by ITG14 for SSH-based Backdoors. These findings suggest a preference on the part of an ITG14 developer for using MivoCloud for some of their C2 addresses. While this information does not conclusively attribute the Domino Backdoor to ITG14, it adds to the mounting evidence of ITG14's involvement.

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
FIN7	3	FIN7, a notorious threat actor group known for its malicious activities, has recently been identified as targeting a large U.S. carmaker with phishing attacks. This group, which has previously operated behind fake cybersecurity companies such as Combi Security and Bastion Secure to recruit security
Diceloader	2	Diceloader is a type of malware, short for malicious software, that is designed to infiltrate and damage computer systems. It can infect systems through various means such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal in
Tirion	2	Tirion, also known as Lizar or DiceLoader, is a type of malware developed by the threat group ITG14, also known as FIN7. First reported in March 2020, Tirion has been observed in numerous ITG14 campaigns up until the end of 2022. This malicious software can infiltrate systems through suspicious down

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Backdoor

Malware

Infostealer

Loader

Ransomware

Cybercrime

RaaS

Associated Malware

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
Domino	Unspecified	2	The Domino malware, a harmful program designed to exploit and damage computer systems, has been identified as the culprit behind a series of high-profile cyber attacks. The first notable incident occurred when a hacker claimed to have accessed Domino's India's massive 13 TB database on the Dark Web,
Nemesis	Unspecified	2	Nemesis is a type of malware, specifically known as an infostealer, which infiltrates systems to exploit and cause damage. It often enters systems undetected through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. A deeper lo
Lizar	Unspecified	2	Lizar, also known as Tirion or Diceloader, is a malicious software developed by the threat group ITG14. It's designed to exploit and damage computers or devices, infiltrating systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operati
Carbanak	Unspecified	2	Carbanak is a sophisticated type of malware, short for malicious software, that is designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Conti	Unspecified	2	Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in
Domino Backdoor	Unspecified	2	The Domino Backdoor is a type of malware that has been linked to multiple threat groups, highlighting the complexity of tracking these actors and their operations. This malicious software, designed to exploit and damage computers or devices, can steal personal information, disrupt operations, or hol
Carbanak Backdoor	Unspecified	2	The Carbanak Backdoor is a notorious malware, designed to exploit and damage computer systems. It is associated with the FIN7 threat group, also known as the "Carbanak Group", although not all usage of the Carbanak Backdoor can be directly linked to FIN7. This malicious software infiltrates systems
Project Nemesis	Unspecified	2	Project Nemesis is a malicious software, or malware, that was first advertised on the dark web in December 2021. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites. Once inside, Project Nemesis can steal personal information,
Dave Loader	Unspecified	2	Dave Loader, also known as Domino Backdoor, is a potent malware that has been utilized in various cybercrime operations. This malicious software is designed to infiltrate computer systems and compromise user data, often without the victim's knowledge. It can be delivered through dubious downloads, e
Blackbasta	Unspecified	1	BlackBasta is a malicious software (malware) known for its disruptive and damaging effects on computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even ho
Ryuk	Unspecified	1	Ryuk is a sophisticated malware, specifically a ransomware variant, that has been extensively used by cybercriminal group ITG23. The group has been employing crypting techniques for several years to obfuscate their malware, with Ryuk often seen in tandem with other malicious software such as Trickbo

Associated Threat Actors

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
Trickbot/conti Syndicate	Unspecified	2	The Trickbot/Conti syndicate, also known as ITG23, is a threat actor group associated with various malicious activities. Since late February 2023, this group has been linked to Domino Backdoor campaigns utilizing the Dave Loader, a tool used to load malware onto targeted systems. The IBM Security X-
ITG23	Unspecified	1	ITG23, also known as the Trickbot/Conti syndicate, is a significant threat actor that has been active since 2016 in the East European cybercrime arena. This group is renowned for its use of Reflective DLL Injection code in many of its crypters, with the presence of these crypters on a file sample be
Sodinokibi	Unspecified	1	Sodinokibi, also known as REvil, is a significant threat actor first identified in April 2019. This ransomware family operates as a Ransomware-as-a-Service (RaaS) and has been responsible for one in three ransomware incidents responded to by IBM Security X-Force in 2020. The Sodinokibi ransomware st

Associated Vulnerabilities

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
No associations to display

Source Document References

Information about the ITG14 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source	CreatedAt	Title
MITRE	a year ago	Ransomware 2020: Attack Trends Affecting Organizations Worldwide
SecurityIntelligence.com	a year ago	Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor
Securityaffairs	a year ago	The intricate relationships between the FIN7 group and members of the Conti gang
SecurityIntelligence.com	a year ago	Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor