Researchers reveal vicious DiceLoader, the corporate business-targeting malware

February 7, 2024

TLDR:

  • An intrusion set called FIN7, composed of Russian-speaking members, has been using the DiceLoader malware to target corporate businesses in various industries and geographic locations.
  • DiceLoader is a small-sized malware that is dropped using a PowerShell script and has the capability to perform various malicious actions.
  • The malware uses obfuscation methods to hide its configuration and network communication, making it difficult to detect and analyze.
  • DiceLoader gathers system information from victims and sends it to a command and control server, allowing the attackers to identify and track their targets.

An intrusion set known as FIN7, made up of Russian-speaking members, has been discovered using a malware called DiceLoader to target corporate businesses. FIN7 has been active since 2015 and often poses as a company recruiting IT experts to carry out its illegal activities. This threat group primarily targets retail, hospitality, and food service industries in countries like the United States, the United Kingdom, Australia, and France. The group is also affiliated with other notorious threat actors, such as BlackBasta, Lockbit, Darkside, and REvil.

DiceLoader is part of the FIN7 toolset known as “Carbanak,” which includes loaders, ransomware, and backdoors. DiceLoader has been in use for a long time and is dropped onto victims’ systems by a PowerShell script that applies its own obfuscation. Despite its small size, the malware is capable of performing multiple malicious actions.

DiceLoader’s main function sets up the data structures and mechanisms that later execution stages rely on: it creates empty linked lists to organize data in memory and starts several threads that receive, parse, and format incoming TCP packets from its command and control (C2) servers. Two obfuscation methods hide the malware’s configuration and its network communication: the first is a plain XOR operation, the second a more complex XOR-based obfuscation function.

DiceLoader also collects system information from victims, including the MAC address, username, and computer name, and hashes this information to generate a unique identifier. This fingerprint is then sent to the C2 server. To study that exchange, the researchers built a fake DiceLoader C2 server, which let them observe and analyze the communication between the malware and its server.

In conclusion, the FIN7 threat group, composed of Russian-speaking members, has been using the DiceLoader malware to attack corporate businesses in various industries and geographic locations. DiceLoader is a small-sized malware that utilizes obfuscation methods to hide its configuration and network communication. It is capable of performing multiple malicious actions and gathers system information from victims to track and identify their targets.
