The malicious “matryoshka” effectively and covertly installs additional malware onto already compromised computers.
Former members of the now-defunct Conti ransomware gang have been using a new strain of malware created by cybercriminals associated with the FIN7 cybercrime group, suggesting cooperation between the two hacking groups.
What is “Matryoshka” Malware
The “malicious matryoshka” is a type of malware that installs additional malicious software on already compromised machines, much like a Russian nesting doll that holds smaller dolls inside. Cybercriminals use this layered technique to avoid detection and to make it harder for security tools to identify and fully remove the threat.
Despite its covert nature, the malicious matryoshka is highly effective at infiltrating and compromising targeted systems. Once it gains access to a computer, it can deploy further malware or carry out other harmful activities, such as stealing sensitive data, encrypting files for ransom, or enlisting the computer in a botnet for further attacks.
Who Uses Domino
The Domino malware is designed to further exploit already compromised systems by installing additional malicious software. According to IBM Security X-Force, ex-members of the TrickBot/Conti organization have been using Domino since around February 2023 to distribute information-stealing software or potent backdoors such as Cobalt Strike.
The well-known Russian-speaking criminal organization FIN7 deploys numerous payloads using bespoke software. Two months ago, IBM Security X-Force uncovered a wave of attacks in which the Dave Loader downloader was used to install the Domino backdoor.
IBM Security X-Force recently identified a new attack campaign that used the Domino backdoor installed by the Dave Loader downloader. The source code of Domino is similar to that of the DICELOADER malware associated with the FIN7 group, indicating a possible link between the two.
DICELOADER is designed to collect confidential information and to decrypt data received from a remote server controlled by the cybercriminals. After the initial infection, the attackers use the Domino Loader to deploy Project Nemesis, an information-stealing program capable of extracting sensitive data from various sources, including Discord, web browsers, cryptocurrency wallets, VPN services, and other applications.
A Serious Threat
Last year, the same NewWorldOrder Loader was used to deliver both the Domino and Carbanak backdoors, further linking Domino to the FIN7 group. The use of a “nesting doll” of malware and loaders in this campaign is not a new scheme.
IBM Security research suggests that the use, within a single campaign, of multiple malware families associated with different threat actors underscores the challenge of tracking cybercriminals and sheds light on their collaborations.