This article is being republished with modifications from the original that was published on April 14, 2023, to change the name of the family of malware from Domino to Minodo. This is being done to avoid any possible confusion with the HCL Domino brand. The family of malware that is described in this article is unrelated to, does not impact, and does not use HCL Domino or any of its components in any way. The malware is not associated with HCL or its Domino product suite in any way.

This blog was made possible through contributions from Christopher Caridi.

IBM Security X-Force recently discovered a new malware family we have called “Minodo,” which we assess was created by developers associated with the cybercriminal group that X-Force tracks as ITG14, also known as FIN7. Former members of the Trickbot/Conti syndicate, which X-Force tracks as ITG23, have been using Minodo since at least late February 2023 to deliver either the Project Nemesis information stealer or more capable backdoors such as Cobalt Strike.

This discovery highlights the intricate nature of cooperation among cybercriminal groups and their members:

- Since late February 2023, Minodo Backdoor campaigns have been observed using the Dave Loader, which we have linked to the Trickbot/Conti syndicate and its former members.
- Minodo’s code shows overlap with the Lizar (aka Tirion, Diceloader) malware family, leading us to suspect that it was created by current or former ITG14 developers.
- One of Minodo’s final payloads is the Project Nemesis infostealer. Project Nemesis was first advertised on the dark web in December 2021, though it has been rarely used since then.

Analysis

Ex-Conti Members Deploy Minodo in Recent Campaigns

Former members of ITG23 (aka the Trickbot/Conti syndicate) are likely behind recent campaigns using the Dave Loader to load Minodo Backdoor and probably collaborated with current or former ITG14 developers to purchase or use the new malware family.

X-Force previously assessed that Dave is one of several loaders or crypters developed by members of the Trickbot/Conti group. Although the group has fractured, many of its loaders/crypters - including Dave - have been maintained and continue to be used by factions composed of former Trickbot/Conti members, including Quantum, Royal, BlackBasta, and Zeon.

The Dave Loader has been used recently with several Cobalt Strike samples with the watermark “206546002,” which X-Force and other security researchers - here and here - have associated with groups composed of former members of the Trickbot/Conti syndicate, including Quantum and Royal. X-Force observed Dave-loaded Cobalt Strike samples using this watermark in suspected Royal attacks in fall 2022. Dave Loader has also been used this year to load IcedID and Emotet, both of which serve as initial access vectors for ransomware attacks from former Trickbot/Conti-affiliated factions.

Recently observed Dave samples were discovered loading a new malware, which we have named Minodo Backdoor. This new backdoor gathers basic system information, which it then sends to the C2, and in return receives an AES-encrypted payload. In most instances, the received payload was a second loader that was found to have code overlap with Minodo Backdoor, and as such we have dubbed it Minodo Loader. This loader contains an encrypted payload within its resources, which it decrypts using AES. […] .NET infostealer, which identifies itself as ‘Nemesis Project.’
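The article ties Dave-loaded Cobalt Strike samples to ex-Trickbot/Conti factions through the Beacon watermark 206546002. The following is an added example, not code from the X-Force article, showing how an analyst can decode a Beacon configuration block and flag that watermark. It assumes the widely documented config layout (single-byte XOR encoding with key 0x2E for 4.x or 0x69 for 3.x builds; big-endian TLV records of index, type, length; type 1 = short, 2 = int, 3 = bytes; setting index 37 = watermark); the sample blob is constructed inline for the example and is not a real beacon. For production triage use a maintained parser such as Didier Stevens' 1768.py rather than this simplified walker.

```python
"""
Added example (not from the X-Force article): decode a Cobalt Strike Beacon
configuration block and compare its watermark against the value the article
associates with ex-Trickbot/Conti factions (206546002).

Assumptions (labelled here, not taken from the article):
  * The config is stored as single-byte-XOR-encoded TLV records (key 0x2E for
    4.x builds, 0x69 for 3.x). Each record is big-endian: index (2 bytes),
    type (2 bytes: 1 = short, 2 = int, 3 = bytes), length (2 bytes), data.
  * Setting index 37 holds the watermark as a 4-byte integer.
  * build_sample() produces a constructed fixture, not a real beacon.
"""
import struct

WATERMARK_INDEX = 37
SUSPECT_WATERMARKS = {206546002}  # watermark cited in the article
XOR_KEYS = (0x2E, 0x69)           # 4.x and 3.x config keys (assumption)
CONFIG_MARKER = bytes([0, 1, 0, 1, 0, 2])  # first record: index 1, type short, len 2


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte."""
    return bytes(b ^ key for b in data)


def parse_config(decoded: bytes) -> dict:
    """Walk TLV records until an all-zero index terminator or end of buffer."""
    settings = {}
    off = 0
    while off + 6 <= len(decoded):
        idx, typ, length = struct.unpack_from(">HHH", decoded, off)
        off += 6
        if idx == 0:
            break  # terminator record
        raw = decoded[off:off + length]
        off += length
        if typ == 1 and length == 2:
            settings[idx] = struct.unpack(">H", raw)[0]
        elif typ == 2 and length == 4:
            settings[idx] = struct.unpack(">I", raw)[0]
        else:
            settings[idx] = raw.rstrip(b"\x00")  # byte fields are NUL padded
    return settings


def find_config(blob: bytes):
    """Try each known XOR key; return (key, settings) or (None, {})."""
    for key in XOR_KEYS:
        pos = blob.find(xor_bytes(CONFIG_MARKER, key))
        if pos != -1:
            return key, parse_config(xor_bytes(blob[pos:], key))
    return None, {}


def check_watermark(blob: bytes) -> dict:
    """Decode the config and report whether its watermark is on the suspect list."""
    key, settings = find_config(blob)
    wm = settings.get(WATERMARK_INDEX)
    return {"xor_key": key, "watermark": wm, "flagged": wm in SUSPECT_WATERMARKS}


def build_sample(watermark: int, key: int = 0x2E) -> bytes:
    """Constructed fixture: minimal config with BeaconType, port, C2 host, watermark."""
    rec = struct.pack(">HHH", 1, 1, 2) + struct.pack(">H", 8)      # BeaconType (HTTPS)
    rec += struct.pack(">HHH", 2, 1, 2) + struct.pack(">H", 443)   # port
    host = b"c2.example.invalid".ljust(256, b"\x00")
    rec += struct.pack(">HHH", 8, 3, 256) + host                   # C2 server
    rec += struct.pack(">HHH", WATERMARK_INDEX, 2, 4) + struct.pack(">I", watermark)
    rec += b"\x00" * 6                                             # terminator
    return b"PADDING" + xor_bytes(rec, key) + b"TRAILER"


if __name__ == "__main__":
    print(check_watermark(build_sample(206546002)))
```

The watermark is one pivot among several; in practice it is combined with the C2 host, port and loader lineage (here, delivery by Dave) before attribution is asserted, since watermarks travel with leaked or cracked Cobalt Strike builds.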