Conti is a ransomware family discovered in December 2019 that mainly targets corporate networks. It is suspected to be an evolution of the Locky ransomware, but it also has features and functions that set it apart from other ransomware.
Former members of the Conti ransomware group are compromising systems using malware developed by the FIN7 group (a financially motivated threat actor); FIN7 has used the "Domino" tool in its own attacks since at least last October.
It is important to note that threat groups today combine their techniques to launch new campaigns against an organization, even when those groups have different objectives or motives.
The domino effect
X-Force researchers determined that the Conti threat actors (the group disbanded in May 2022) began using Domino in February, about four months after FIN7 first started using the malware last October.
Domino was first identified as FIN7 malware last year after researchers observed several code similarities with Lizar (also known as DiceLoader or Tirion), a malware family previously attributed to FIN7. Domino and DiceLoader share a similar coding style, functionality and configuration structure, and use the same formats for identifying bots. Additionally, evidence was found linking Domino to the Carbanak banking Trojan, which has also previously been associated with FIN7.
At Cyberpeace, we closely monitor threat groups in order to understand and identify their movements, so that we can extract information, process it and deliver it to our clients in a tactical (actionable) and technical form that keeps them informed and protected.
Written by:
Alberto Ávalos
Director of Incident Response and Threat Intelligence of Cyberpeace