Tirion

Malware Profile Updated 3 months ago
Download STIX
Preview STIX
Tirion, also known as Lizar or DiceLoader, is a type of malware developed by the threat group ITG14, also known as FIN7. First reported in March 2020, Tirion has been observed in numerous ITG14 campaigns up until the end of 2022. This malicious software can infiltrate systems through suspicious downloads, emails, or websites and then exploit and damage the compromised system. It can steal personal information, disrupt operations, and even hold data hostage for ransom. The Domino Backdoor and Loader have been found to share code overlap with the Tirion malware family. This discovery leads analysts to suspect that Domino was created by current or former ITG14 developers. The Domino Backdoor and Loader are part of the same threat landscape, suggesting an evolution or diversification of the initial Tirion malware. In addition to the Domino Backdoor, the attacks also utilized custom PowerShell scripts. These scripts were used to retrieve stored credentials from backup servers, gather system information, and establish an active foothold in the compromised host. This was accomplished by executing the DiceLoader (aka Lizar or Tirion) every time the device boots up. This strategy demonstrates the sophistication and persistence of the threat posed by the Tirion malware and its associated variants.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Diceloader
4
Diceloader is a type of malware, short for malicious software, that is designed to infiltrate and damage computer systems. It can infect systems through various means such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal in
Lizar
4
Lizar, also known as Tirion or Diceloader, is a malicious software developed by the threat group ITG14. It's designed to exploit and damage computers or devices, infiltrating systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operati
FIN7
3
FIN7, a notorious threat actor group known for its malicious activities, has recently been identified as targeting a large U.S. carmaker with phishing attacks. This group, which has previously operated behind fake cybersecurity companies such as Combi Security and Bastion Secure to recruit security
Domino Backdoor
2
The Domino Backdoor is a type of malware that has been linked to multiple threat groups, highlighting the complexity of tracking these actors and their operations. This malicious software, designed to exploit and damage computers or devices, can steal personal information, disrupt operations, or hol
ITG14
2
ITG14, a threat actor identified in the cybersecurity industry, has recently been linked to malicious activities involving the Domino Backdoor. X-Force researchers have found substantial evidence connecting the Domino Backdoor to ITG14’s Carbanak Backdoor. The Domino Backdoor not only shares signifi
Trickbot/conti Syndicate
1
The Trickbot/Conti syndicate, also known as ITG23, is a threat actor group associated with various malicious activities. Since late February 2023, this group has been linked to Domino Backdoor campaigns utilizing the Dave Loader, a tool used to load malware onto targeted systems. The IBM Security X-
Dave Loader
1
Dave Loader, also known as Domino Backdoor, is a potent malware that has been utilized in various cybercrime operations. This malicious software is designed to infiltrate computer systems and compromise user data, often without the victim's knowledge. It can be delivered through dubious downloads, e
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Loader
Backdoor
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
DominoUnspecified
3
The Domino malware, a harmful program designed to exploit and damage computer systems, has been identified as the culprit behind a series of high-profile cyber attacks. The first notable incident occurred when a hacker claimed to have accessed Domino's India's massive 13 TB database on the Dark Web,
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Tirion Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
CERT-EU
a year ago
Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware
SecurityIntelligence.com
a year ago
Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor
SecurityIntelligence.com
a year ago
Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor
Securityaffairs
a year ago
The intricate relationships between the FIN7 group and members of the Conti gang
DARKReading
a year ago
FIN7, Former Conti Gang Members Collaborate on 'Domino' Malware