Malware
DiceLoader is a small malware loader attributed to FIN7 and observed in use since 2021. Its job is to stage second-stage payloads such as banking trojans and ransomware on compromised hosts. It is compact and heavily obfuscated, which makes it well suited to quiet initial deployment.
Once running, DiceLoader retrieves and executes further malware, giving the operators a flexible foothold from which to extend the intrusion. Its small footprint and convoluted internal structure help it evade detection while it establishes that foothold in the victim's network. Delivery is usually by phishing email with a malicious attachment or link; opening it runs a PowerShell script that installs the loader.
Obfuscation and Evasion Techniques
To evade detection DiceLoader uses obfuscation techniques such as reflective code loading (mapping and executing code directly from memory rather than from a file on disk), dynamic API resolution (looking up Windows API functions at run time instead of declaring them in the import table), and non-standard encoding of its data. Together these slow down manual analysis and reduce the signal available to static scanners and signature-based tools. By hiding what it does on the host, DiceLoader can remain resident for long periods, giving the operators prolonged unauthorized access and opportunities for data exfiltration.
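The following Python script is an added illustration of dynamic API resolution and is not DiceLoader's code or anything recovered from it. Loaders that resolve APIs at run time commonly embed a hash of each function name instead of the name, walk a DLL's export table at run time and compare hashes, so the import table and a string dump of the binary reveal nothing useful. The ROR13-style hash, the candidate API list, the fake export table and the byte blob below are all constructed for this example; the page does not say which hashing scheme, if any, DiceLoader uses. The second half shows the analyst-side inversion: precompute hashes for likely API names and scan the binary for matching 32-bit constants.

```python
# Added example: API hashing, the usual way "dynamic API resolution" is
# implemented, and the analyst-side script that undoes it.
# Illustrative code written for this page, not DiceLoader's own code. The
# ROR13-style hash, the API names, the fake export addresses and the sample
# blob are assumptions chosen to show the technique.
import struct

# A few Windows API names a loader typically needs (constructed list).
CANDIDATE_APIS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "WriteProcessMemory", "NtUnmapViewOfSection",
    "RtlMoveMemory", "ExitProcess", "Sleep",
]

# Stand-in for a DLL export table (name -> address). Addresses are made up.
FAKE_EXPORTS = {
    "VirtualAlloc": 0x7FFE1000,
    "VirtualProtect": 0x7FFE1100,
    "CreateThread": 0x7FFE1200,
    "Sleep": 0x7FFE1300,
}


def ror13_hash(name):
    """32-bit rotate-right-13 hash over the ASCII bytes of an export name.

    Each byte is folded in as h = ror32(h, 13) + byte. The loader stores
    only this value, so the string "VirtualAlloc" never appears in the
    binary and the import table stays empty.
    """
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def loader_resolve(target_hash, exports):
    """What the loader does at run time: hash every exported name and
    return the address whose hash equals the embedded constant."""
    for name, addr in exports.items():
        if ror13_hash(name) == target_hash:
            return addr
    return None  # hash not found in this module's exports


def build_sample_blob():
    """Constructed stand-in for a region of loader code: filler bytes with
    four hash constants embedded as `push imm32` immediates (0x68 + LE u32)."""
    blob = b"\x90" * 6
    for api in ("VirtualAlloc", "VirtualProtect", "CreateThread", "Sleep"):
        blob += b"\x68" + struct.pack("<I", ror13_hash(api))
    return blob + b"\xc3"  # ret


def recover_api_names(blob, candidates=CANDIDATE_APIS):
    """What the analyst does: precompute hashes for likely API names and
    scan every 4-byte little-endian window for a match.
    Returns a list of (offset, api_name) sorted by offset."""
    table = {ror13_hash(n): n for n in candidates}
    hits = []
    for off in range(len(blob) - 3):
        (value,) = struct.unpack_from("<I", blob, off)
        if value in table:
            hits.append((off, table[value]))
    return hits


if __name__ == "__main__":
    blob = build_sample_blob()
    print("API name present as a string in blob:", b"VirtualAlloc" in blob)
    for off, name in recover_api_names(blob):
        print(f"offset 0x{off:02x}: 0x{ror13_hash(name):08x} -> {name}")
    addr = loader_resolve(ror13_hash("VirtualAlloc"), FAKE_EXPORTS)
    print("loader resolves VirtualAlloc to", hex(addr))
```

In practice the candidate list would be the full export list of kernel32.dll, ntdll.dll and the other modules the loader touches, and hash constants that match none of them are the cue that the sample uses a different hashing scheme or an extra seed.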
Part of FIN7’s Arsenal
Within FIN7's toolset, DiceLoader is a versatile staging module used to deploy other malware, including the Carbanak remote access trojan (RAT). Its presence in that toolset reflects the group's adaptability and the technical capability to run complex intrusions across multiple sectors.
Use advanced email filtering to block phishing emails with malicious attachments or links.
Keep endpoint security tools current, and prefer products with behavioural and in-memory detection: because DiceLoader resolves APIs at run time and loads code reflectively, file-based signatures alone are unlikely to catch new variants.
Patch systems promptly so that neither DiceLoader nor the payloads it delivers can take advantage of known vulnerabilities.
Train your employees to recognize and avoid phishing.