Project Nemesis

Malware updated 7 months ago (2024-05-05T03:17:43.833Z)

Download STIX

Preview STIX

Project Nemesis is a malicious software, or malware, that was first advertised on the dark web in December 2021. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites. Once inside, Project Nemesis can steal personal information, disrupt operations, or even hold data hostage for ransom. The malware has been used sparingly since its introduction, but it has played a role in a complex network of cybercriminal activities involving other malware such as Dave Loader, Domino Backdoor, and Domino Loader. The Domino Loader, in particular, has been instrumental in delivering the final payload of Project Nemesis. This payload is identified as a .NET assembly with an MD5 hash D9FFB202D6B679E5AD7303C0334CD000. The Domino backdoor and loader are both 64-bit DLLs written in Visual C++, and they have been used to deliver Project Nemesis since at least October 2022. In some cases, instead of downloading Project Nemesis, the Domino Backdoor contacts a Command and Control (C2) server to download post-exploitation tools such as Cobalt Strike. The use of these various types of malware in a single campaign underscores the complexity involved in tracking threat actors. However, it also provides insight into how these actors operate and collaborate. For instance, former Trickbot/Conti ransomware developers were spotted collaborating with FIN7, a financially motivated cybercrime gang, on new malware that delivers Project Nemesis. Furthermore, ex-Conti members likely used the Project Nemesis infostealer against lower-value targets. These intricate relationships between cybercriminal groups highlight the evolving nature of cybersecurity threats.

Description last updated: 2024-05-05T03:00:12.602Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Domino Backdoor is a possible alias for Project Nemesis. The Domino Backdoor is a type of malware that has been linked to multiple threat groups, highlighting the complexity of tracking these actors and their operations. This malicious software, designed to exploit and damage computers or devices, can steal personal information, disrupt operations, or hol	3
Domino Loader is a possible alias for Project Nemesis. Domino Loader is a sophisticated malware with significant similarities to the Domino Backdoor. It operates as a loader, infiltrating systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it gathers basic system information and sends this data to a com	2
Dave Loader is a possible alias for Project Nemesis. Dave Loader, also known as Domino Backdoor, is a potent malware that has been utilized in various cybercrime operations. This malicious software is designed to infiltrate computer systems and compromise user data, often without the victim's knowledge. It can be delivered through dubious downloads, e	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Infostealer

Exploit

Backdoor

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Domino Malware is associated with Project Nemesis. Domino is a malicious software that infiltrated various systems, most notably IBM Domino Server and ESET Mail Security for IBM Domino, causing significant disruptions and data breaches. The malware was particularly potent due to its ability to exploit vulnerabilities in one system and trigger a domi	Unspecified	4

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The ITG14 Threat Actor is associated with Project Nemesis. ITG14, a threat actor identified in the cybersecurity industry, has recently been linked to malicious activities involving the Domino Backdoor. X-Force researchers have found substantial evidence connecting the Domino Backdoor to ITG14’s Carbanak Backdoor. The Domino Backdoor not only shares signifi	Unspecified	2
The FIN7 Threat Actor is associated with Project Nemesis. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global	Unspecified	2

Source Document References

Information about the Project Nemesis Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	9 months ago	Ransomware crews lean into infostealers for initial access
Securityaffairs	2 years ago	The intricate relationships between the FIN7 group and members of the Conti gang
Malwarebytes	2 years ago	Malware authors join forces and target organisations with Domino Backdoor
SecurityIntelligence.com	2 years ago	Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor
SecurityIntelligence.com	2 years ago	Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor
DARKReading	2 years ago	FIN7, Former Conti Gang Members Collaborate on 'Domino' Malware