ReversingLabs analysts are constantly working to respond to new threats and provide our customers with information and tools to defend their systems from attacks. Written by our threat analysts, our high-quality, open source YARA rules help threat hunters, incident responders, security analysts, and other defenders detect malicious behavior in their environment.
In this series, we break down some of the threats behind our YARA detection rules that can help your organization detect threats within your environment.
Minodo: A building block for multistage cybercrime
In order for cybercriminals to deliver the final blow to a target, oftentimes they will need multiple tools and various collaborators. Cybercrime groups often disband and reform into new factions, and criminals will rely on other factions in the cybercrime market to sell them tools for their malicious activities. What researchers over at IBM Security X-Force recently discovered is a perfect case study for this kind of cybercriminal activity.
X-Force’s team not only identified a never-before-seen malware backdoor, which they have dubbed Minodo, but they were also able to piece together the other malware families the Minodo backdoor works in conjunction with, as well as which cybercriminals are responsible for the various building blocks of this particular attack chain. Without Minodo, the cybercriminals in this case would not be able to successfully launch their final blow: The deployment of an information stealer (infostealer).
In this edition of From The Labs, we take a look at what Minodo is, where it came from, and how cybercriminals are using it to deliver other malware families.
How Minodo works
Based on X-Force’s findings, Minodo was created by developers associated with a syndicate group of the Conti ransomware gang (aka TrickBot). The group, dubbed by X-Force as ITG14 (aka FIN7), has been using the Minodo backdoor since at least February 2023 in a multi-part scheme to deliver an infostealer known as Project Nemesis. Researchers found that Minodo’s code overlaps with the Lizar (aka Tirion, Diceloader) malware family, which can also be attributed to FIN7. This is why researchers came to the conclusion that the Minodo code was created by current or former developers of FIN7.
In order to properly use the Minodo backdoor, members of the Conti syndicate use the Dave Loader to load Minodo. The Dave Loader is maintained and used by several gangs that have spawned from what’s left of the Conti/TrickBot gang, such as Quantum, Royal, and BlackBasta. Dave Loader is also commonly used by Conti’s syndicate groups to load other tools for malicious gain, such as Cobalt Strike, as well as Emotet for ransomware attacks.
X-Force’s research team identified that Dave Loader was being used to load the never-before-seen malware family they’ve dubbed Minodo Backdoor. In analyzing the backdoor, researchers found that it gathers basic system information on a targeted network, which it then sends to the C2, and in return receives the AES encrypted payload. Once this is complete, the backdoor then receives a second loader, which researchers at X-Force have dubbed “Minodo Loader,” which is then used to deliver the final blow: The Nemesis infostealer.
Nemesis then collects data from a target’s browsers and applications, making it a viable tool for cybercriminals looking to financially exploit targets or conduct espionage campaigns on them.
The prevalence and use of the Minodo backdoor in-the-wild demonstrates how the activities and livelihood of a cybercrime group can be a vicious cycle. As is the case with FIN7’s use of Minodo, previous members of the now defunct Conti ransomware gang joined newly founded syndicates, which just recycled and slightly modified their code in an effort to create new malicious tools under a new identity. The Minodo backdoor is a reminder of how cybercrime gangs do not just disappear after failing, but rather reinvent themselves in an effort to continue their malicious operations.
The Minodo backdoor also does not operate on its own. It is a part of a multi-tool scheme to deliver an infostealer attack onto a chosen target. This means that while Minodo itself does not deliver a malicious incident onto a target, it is still essential for threat hunters to detect it, since its use is meant for a greater, malicious purpose.
FIN7 to date has been known to target all kinds of high-profile industries, such as defense, transportation, retail and hospitality, financial services and more. Any organization in a critical infrastructure sector should be mindful of the Minodo backdoor, in an effort to prevent being targeted by Project Nemesis.
Since the Minodo backdoor is only used for malicious purposes, it is essential for security teams to identify it. ReversingLabs’ Minodo YARA rule is designed to detect this backdoor within your environment with high fidelity and almost no false-positives.
Download the Minodo YARA Rule here:
To learn more about the prerequisites for using ReversingLabs’ YARA rules, consult our Github page. To learn more about how our threat analysts write these YARA rules, check out this blog post from ReversingLabs threat analyst Laura Dabelić.
ReversingLabs' team of analysts is constantly surveying the threat landscape in an effort to better serve our customers and the greater security community. Contact us if you’d like to learn more about how we help organizations combat threats like malicious wipers and ransomware, or to schedule a demonstration.
- Yara Rules