Ex-Conti and FIN7 Actors Collaborate with New Backdoor

Two former Conti and FIN7 affiliates are linked to a new backdoor family named Minodo, delivered alongside Dave Loader and other ITG14/ITG23-aligned tooling, with Nemesis infostealer as a key payload. The campaign chain shows cross-group collaboration, overlaps with the Lizar toolkit, and a multi-stage loading sequence designed to escalate access on high-value targets. #MinodoBackdoor #NemesisProject #LizarToolkit #ITG14 #ITG23 #DaveLoader

Key points

  • Ex-Conti members deploy Minodo Backdoor and Minodo Loader, likely with ITG14 developers, using Dave Loader as part of the delivery chain.
  • Dave Loader has previously loaded payloads like Emotet, IcedID, and has ties to Trickbot/Conti-era activity (and factions such as Quantum, Royal, BlackBasta, Zeon).
  • Minodo Backdoor and Minodo Loader show extensive code overlap with the Lizar Toolkit (ITG14), including similar config structures and bot-ID formats.
  • Project Nemesis infostealer is dropped by Minodo-related components and has been active since December 2021, capable of stealing data from browsers, crypto wallets, and more.
  • The malware uses multiple payload-loading methods (ReflectiveLoader, in-memory, disk-based) and AES/RSA-based crypto to manage C2 communications and payload deployment.
  • Minodo leverages C2 infrastructure (e.g., es-megadom[.]com) and makes distinctions between domain-joined targets (potential higher-value targets) and others, indicating strategic deployment.

MITRE Techniques

  • [T1071.001] Web Protocols – The backdoor connects to the C2 addresses and exchanges payloads/commands over HTTP/S; “The Minodo Backdoor is designed to contact a different C2 address… will be downloaded on higher value targets”
  • [T1027] Obfuscated/Compressed Files and Information – The config is decrypted using XOR and a 16-byte key stored before the encrypted config block; “The config is decrypted using XOR and a 16-byte key which is stored immediately before the encrypted config block.”
  • [T1055] Process Injection – Minodo Backdoor/Loader load payloads into memory and execute via ReflectiveLoader; “Copy the payload into allocated memory within the current process and create a new thread to execute an export named ReflectiveLoader”
  • [T1082] System Information Discovery – The backdoor gathers username, computer name, OS version and sends it to the C2; “gathers basic system information, including username, computer name, and OS version”
  • [T1041] Exfiltration Over C2 Channel – Collected data is compressed into a Zip and uploaded to the C2; “the data and adds it to a Zip archive which it then transfers back to the C2”
  • [T1057] Process Discovery – The malware enumerates running processes and returns a list of names/IDs; “enumerates the running processes on the system and compiles a list of process names and IDs”
  • [T1105] Ingress Tool Transfer – The chain shows downloading/loading of payloads and potential download of a higher-value loader/C2 (e.g., Cobalt Strike) based on target value; “will be downloaded on higher value targets instead of Project Nemesis”
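
The T1027 entry above describes a config stored as a 16-byte XOR key followed immediately by the encrypted block. The following analyst helper, written for this summary and not taken from the report or the malware, reproduces that layout on a constructed blob and recovers the C2 fields; the repeating-key cycling and the NUL-separated field layout inside the decrypted config are assumptions, as is the `build_sample_blob` sample itself.

```python
"""Decode a config protected by XOR where the 16-byte key sits directly
before the encrypted block (the layout attributed to Minodo above).
Assumptions: the key repeats over the block; fields are NUL-separated."""
import re

KEY_LEN = 16


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR `data` against `key` cycled over its length (symmetric: also encrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_config(blob: bytes, config_offset: int, config_len: int) -> bytes:
    """Read the 16-byte key stored just before the config block and decrypt it."""
    if config_offset < KEY_LEN or config_offset + config_len > len(blob):
        raise ValueError("config block or its key lies outside the blob")
    key = blob[config_offset - KEY_LEN:config_offset]
    return xor_repeating(blob[config_offset:config_offset + config_len], key)


def extract_c2_addresses(config: bytes) -> list[str]:
    """Return fields that look like IPv4 addresses (optional :port) or hostnames."""
    fields = [f.decode("latin-1") for f in config.split(b"\x00") if f]
    pattern = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?$|^[a-z0-9.-]+\.[a-z]{2,}$")
    return [f for f in fields if pattern.match(f)]


def build_sample_blob() -> tuple[bytes, int, int]:
    """Constructed sample, not a real binary: filler bytes, 16-byte key, encrypted config.
    The two addresses come from the IoC list on this page; the bot id is invented."""
    key = bytes(range(0x10, 0x20))  # constructed key
    plain = b"88.119.175.124\x0094.158.247.72\x00bot-0001\x00"
    filler = b"\x90" * 32  # stands in for whatever precedes the key in a real file
    blob = filler + key + xor_repeating(plain, key)
    return blob, len(filler) + KEY_LEN, len(plain)


if __name__ == "__main__":
    blob, offset, length = build_sample_blob()
    config = decrypt_config(blob, offset, length)
    print(extract_c2_addresses(config))  # ['88.119.175.124', '94.158.247.72']
```

The recovered addresses can be compared against the IoC list below when triaging a suspected sample; an offset outside the blob raises rather than silently decrypting garbage.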

Indicators of Compromise

  • [IP] Minodo Backdoor config addresses – 88.119.175.124, 94.158.247.72, and 2 more addresses
  • [IP] ITG14-related addresses (historical context) – 94.158.247.23, 185.225.17.220, and 1 more address
  • [MD5] Sample hashes – 2CC79806701F1A6E877C29B93F06F1BB, and 2 more hashes
  • [MD5] Minodo Backdoor hash – CDBE0FEB82B1CAF164C7DA42CB9A20BE, and 2 more hashes
  • [MD5] Minodo Loader hash – 2373BE26018075847AEA51636B739F66, and 1 more hash
  • [MD5] Nemesis infostealer hash – D9FFB202D6B679E5AD7303C0334CD000, and 1 more hash
  • [FileName] Minodo-related payloads – ThunderboltService.exe, MultiRunDll64.dll, and 1 more file
  • [Domain] C2 domain – es-megadom[.]com

Read more: https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/