Former members of the Conti ransomware group are compromising systems for follow-up exploits using malware that the financially motivated FIN7 group developed; FIN7 has used the "Domino" tool in its own attacks since at least last October.

The campaign is the latest example to show how different threat groups with distinct motives and techniques often work together to achieve their separate goals, and to broaden their individual operations in the cybercrime economy.

A Domino Effect

IBM Security X-Force recently observed threat actors who used to be part of the Conti group using FIN7's Domino malware to drop either the Cobalt Strike post-exploit toolkit on domain-joined computers, or an information stealer called "Project Nemesis" on individual systems.

X-Force researchers determined that the Conti threat actors (the gang disbanded last May) began using Domino in February, which was about four months after FIN7 first began using the malware last October. 

In the campaign the threat actors used a Conti loader called "Dave" to drop FIN7's Domino backdoor. The backdoor collected basic information about the host system and sent it to an external command-and-control server (C2). The C2, in turn, returned an AES-encrypted payload to the compromised system. The encrypted payload in many cases was another loader with multiple code similarities to the initial Domino backdoor. The attack chain was completed when the Domino loader installed either Cobalt Strike or the Project Nemesis infostealer on the compromised system.

"The Domino backdoor is designed to contact a different C2 address for domain-joined systems, suggesting a more capable backdoor, such as Cobalt Strike, will be downloaded on higher value targets instead of Project Nemesis," IBM Security malware reverse engineer Charlotte Hammond wrote in an analysis on the campaign.

IBM X-Force researchers first identified Domino as FIN7 malware last year after observing several code similarities between it and Lizar (aka DiceLoader or Tirion), a malware family they had previously already attributed to FIN7. Both Domino and DiceLoader have similar coding styles and functionality, a similar configuration structure, and use the same formats for bot identification. X-Force researchers also found evidence linking Domino to the Carbanak banking Trojan, which researchers have also previously associated with FIN7.

Intricate Nature of Cooperation

The use of the malware by former Conti group members "highlights the intricate nature of cooperation among cybercriminal groups and their members," Hammond said. Security analysts have noted how such collaborations can pose a significant threat to organizations and individuals because they often enable more sophisticated and successful attacks than would be possible as separate entities.

For FIN7, the new campaign continues the threat group's efforts to broaden its footprint. FIN7 surfaced in 2012 and cut its teeth stealing and selling payment-card data — an activity that garnered it hundreds of millions of dollars. Over the years the group expanded into the ransomware ecosystem, and also made money from enabling ransomware attacks and malware distribution for other threat groups. After focusing mainly on retail and hospitality-sector organizations, the threat actor has broadened its target list to organizations in multiple other sectors, including defense, transportation, IT servers, financial services, and utilities. 

Security researchers estimate the threat actor has stolen well over $1.2 billion from victims since it first surfaced.

Researchers at Mandiant last year were able to tie Fin7 to dozens of previously unattributed threat activity clusters based on similarities in tactics, techniques, and procedures (TTPs) between them. Among them were at least one dozen intrusions at Mandiant customer locations since 2020 alone. US law enforcement authorities have tried disrupting FIN7 activities multiple times and even managed to send a high-level group admin to prison back in 2018. So far though, attempts to stop the group have failed.