Inside DiceLoader: How FIN7’s Malware Masters Evasion


Recently, security researchers from Sekoia TDR (Threat Detection & Research) have delved into the inner workings of DiceLoader malware, shedding light on its functionality, obfuscation techniques, and its role within FIN7’s operations.

Operating since at least 2015, FIN7 has used DiceLoader as a downloader for more advanced and harmful payloads. The intrusion set is structured like a corporate business, with Russian-speaking members, and uses front companies to conceal its illicit activities, recruiting IT specialists who may unwittingly take part in its schemes.

The reach of FIN7’s activities is extensive, targeting various sectors including retail, hospitality, and the food service industry. Their operations span across geographical areas such as the United States, the United Kingdom, Australia, and France. This wide-ranging targeting emphasizes the adaptability and persistence of the group.

FIN7’s connections extend beyond its own operations: it has reported affiliations with ransomware groups such as REvil, LockBit, DarkSide, and Black Basta.

FIN7 maintains an extensive arsenal of custom malware, including loaders, ransomware, and backdoors. DiceLoader has been in active use since 2021, typically delivered by a PowerShell script that uses obfuscation techniques specific to FIN7.

DiceLoader is a compact yet capable piece of malware belonging to the downloader family. It relies on several internal data structures and obfuscation techniques that make analysis harder. Let’s take a closer look at its inner workings:

1. Loader Context: DiceLoader is typically dropped by a PowerShell script, alongside other malware components such as the Carbanak RAT. The loader is a DLL with a randomly named entry point, and it runs injected into the memory of another process.

2. Data Structures: The malware initializes critical sections for thread context, creates an IoCompletionPort for inter-thread communication, and allocates linked lists to structure data in memory. These mechanisms are crucial for its functionality.

3. Threading and Io Completion Port: DiceLoader runs multiple worker threads, known as “consumers,” that process structured messages received from the C2 server. The threads are fed through the IoCompletionPort, which gives the loader an efficient work queue while keeping its interaction with the host system to a minimum.

Usage of IoCompletionPort (queue) in DiceLoader execution | Image: Sekoia

4. Linked Lists: Linked lists play a vital role in DiceLoader’s data manipulation. Four linked lists, namely L0, L1, L2, and L3, are used to manage various structures, including the fingerprint of the host, received payloads, and shellcode wrappers.

5. Obfuscation Methods: DiceLoader employs two obfuscation methods. The first is used to deobfuscate the C2 server’s configuration, while the second is applied to network communication. Both rely on XOR operations, which hides the C2 addresses and the traffic contents from simple string matching but leaves them fully recoverable once the key is known.

6. Fingerprinting: To identify each infected host uniquely, DiceLoader generates a fingerprint from the MAC address, username, and computer name. This fingerprint is hashed and sent to the C2 server, allowing the operators to track and target specific victims.

7. Networking: DiceLoader communicates with its C2 server over raw TCP connections, following a fixed packet sequence for the data exchange. Received data is handed to the consumer threads through the IoCompletionPort.

8. Execution: DiceLoader’s purpose is to run the payloads it receives. Shellcode is copied into memory, deobfuscated, and then executed, serving whatever objective the operators have chosen for the victim.
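The XOR-based obfuscation described under item 5 above is cheap to undo once the key is known, and an analyst usually does not need the key in advance: a known plaintext fragment (a "crib") is enough to derive it. The following Python is an added example written for this page, not code from the Sekoia report or from DiceLoader itself. It assumes a rolling (repeating-key) XOR, which the page does not confirm for DiceLoader, recovers the key from a crib at a known offset, and selects the key length by scoring how plausible the decoded blob looks. The sample blob, key, crib and configuration layout (NUL-separated host:port strings using RFC 5737 documentation addresses) are all constructed here for illustration.

```python
"""Rolling-XOR deobfuscation with known-plaintext key recovery (added example)."""
from itertools import cycle

# Bytes we accept as "plausible" in a decoded configuration blob:
# printable ASCII plus NUL and common whitespace separators.
PLAUSIBLE = set(range(0x20, 0x7F)) | {0x00, 0x09, 0x0A, 0x0D}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so the same
    function both obfuscates and deobfuscates."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(blob: bytes, crib: bytes, offset: int, key_len: int) -> bytes:
    """Derive a repeating key of length key_len from a crib known to sit at
    blob[offset:offset+len(crib)]. Each key byte is blob ^ plaintext at a
    position that maps onto it, so the crib must cover one full key period."""
    if key_len <= 0 or len(crib) < key_len:
        raise ValueError("crib must cover at least one full key period")
    if offset < 0 or offset + len(crib) > len(blob):
        raise ValueError("crib does not fit in the blob at that offset")
    key = bytearray(key_len)
    for i in range(key_len):
        key[(offset + i) % key_len] = blob[offset + i] ^ crib[i]
    return bytes(key)


def plausibility(data: bytes) -> float:
    """Fraction of bytes that look like configuration text (0.0 to 1.0)."""
    if not data:
        return 0.0
    return sum(b in PLAUSIBLE for b in data) / len(data)


def find_key(blob: bytes, crib: bytes, offset: int, max_key_len: int = 16):
    """Try every key length the crib can cover, recover a candidate key for
    each, and keep the one whose full decode scores best. Ties go to the
    shortest length, so a key of length 3 wins over its repeat of length 6."""
    best_key, best_score = None, -1.0
    for key_len in range(1, min(max_key_len, len(crib)) + 1):
        key = recover_key(blob, crib, offset, key_len)
        score = plausibility(xor_bytes(blob, key))
        if score > best_score:
            best_key, best_score = key, score
    return best_key, best_score


def split_config(plain: bytes) -> list:
    """Split a decoded NUL-separated configuration into its strings."""
    return [s.decode("ascii", errors="replace") for s in plain.split(b"\x00") if s]


# Constructed sample: a fictitious C2 configuration obfuscated with a
# 3-byte key. Neither the key nor the layout comes from DiceLoader.
_SAMPLE_KEY = b"\x5a\x3c\x9f"
_SAMPLE_CONFIG = b"192.0.2.10:443\x00192.0.2.11:8443\x00"
SAMPLE_BLOB = xor_bytes(_SAMPLE_CONFIG, _SAMPLE_KEY)


def decode_sample():
    """Recover the key from the crib alone (the key above is not used here)
    and return (key, decoded_config_strings)."""
    key, _score = find_key(SAMPLE_BLOB, crib=b"192.0.2.", offset=0)
    return key, split_config(xor_bytes(SAMPLE_BLOB, key))


if __name__ == "__main__":
    key, hosts = decode_sample()
    print("recovered key:", key.hex())
    for host in hosts:
        print("c2:", host)
```

In practice the crib is whatever the decoded data must contain in clear, such as the start of an IP address or a known separator, and the same approach applies to captured C2 traffic if the network layer uses the same kind of XOR. If the real scheme derives the key per message or mixes in other operations, the plausibility score stays low for every length, which is itself a useful signal that the repeating-key assumption is wrong.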

Since early 2022, Sekoia.io analysts have been actively tracking a C2 infrastructure associated with DiceLoader. This infrastructure has consistently maintained over 20 active servers, with approximately 50 active servers as of January 2023. The increasing number of active C2 servers suggests an escalation in malicious activities, possibly tied to FIN7 or other intrusion sets leveraging DiceLoader.

DiceLoader, an integral part of FIN7’s operations, showcases the group’s persistence and technical sophistication. Its use of obfuscation techniques, multiple data structures, and efficient networking mechanisms make it a formidable threat. Organizations and security experts must remain vigilant, continuously adapting to evolving threats like DiceLoader. As of January 2024, the malware remains active, underscoring the need for ongoing vigilance and research in the field of cybersecurity.