CONTI Ransomware distributed by Bazzar Loader

It is now apparent to the information security community that intrusions starting with BazarLoader frequently end with Conti ransomware.
This case saw such a conclusion.
There are some evident similarities in cases that involve Conti ransomware.
Ransomware operators’ tooling and overall tasks performed tend to match across the cluster.
When we look at our earlier Conti case, this becomes noticeable.
This could be due to the widely circulated Conti manual that was leaked by an affiliate.
In this case, we saw the same pattern of events with tools like net, nltest, ShareFinder for discovery, Cobalt Strike for C2, and WMIC remote process creation for expanding their access within the network.

Even though the intrusion lasted for five days total, Cobalt Strike and hands-on keyboard operators showed up in the first two hours of the intrusion.
Straight away, they started gathering information to get the lay of the land using Net commands.
Then they continued looking for open shares by executing the PowerView module, Invoke-ShareFinder.

After collecting and dissecting the results from ShareFinder, they appeared to have a good understanding of the server and workstation layout of the organization as they started executing commands to gather information from specific, high-value servers.
During that time, we saw errors when operators failed to alter specific parameters that indicate the operator is acting from a pre-defined playbook.
They eventually decided to pivot laterally to a server using WMIC to execute a DLL Cobalt Strike beacon.

Once they had access to the remote server via the Cobalt Strike beacon, they re-ran Invoke-ShareFinder and then exfiltrated data of interest from a different server using the Rclone application via the MEGA cloud storage service.

On the second day, the threat actors used RDP to access the backup server and in doing so, reviewed the backup settings, and running processes on the server via the taskmanager GUI.

On day four, the threat actors returned and ran another round of exfiltration using Rclone and MEGA again.

On the fifth day, they moved fast towards their final objective, which was Conti ransomware.
Before executing Conti, they used RDP to install and configure the AnyDesk remote desktop application.
Having GUI access, they attempted to use ProcessHacker to dump the LSASS process. After this last step, they deployed Conti ransomware via a batch script to all domain joined systems.

Sign Up For Threat Alerts

Loading...
Threats Icon

Aug 08, 2022

BumbleBee Roasts Its Way to Domain Admin

Threat actors used BumbleBee as the initial access vector. BumbleBee is a malware loader that...

Threats Icon

Aug 08, 2022

RapperBot – new evolving malware

FortiGuard Labs has been tracking a rapidly evolving IoT malware family known as "RapperBot". This...

Threats Icon

Aug 04, 2022

Google Drive And Dropbox Used By APT29...

Cloaked Ursa (aka: APT29) has been targeting governmental entities in several countries with spear-phishing campaigns...

Threats Icon

Aug 03, 2022

Manjusaka: A Chinese sibling of Sliver and...

Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild...

Threats Icon

Aug 03, 2022

macOS Targeted With The CloudMensis Multi-Staged Malware

ESET researchers discovered a previously unknown macOS backdoor that spies on users of the compromised...

Threats Icon

Aug 01, 2022

Attackers Target Ukraine With GoMet Backdoor

Since the Russian invasion of Ukraine began, Ukrainians have been under a nearly constant barrage...

Threats Icon

Jul 31, 2022

Untangling KNOTWEED: European private-sector offensive actor using...

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found a...

Threats Icon

Jul 31, 2022

Untangling KNOTWEED: European private-sector offensive actor using...

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found a...

Threats Icon

Jul 26, 2022

EvilNum Targets Cryptocurrency, Forex, Commodities

Proofpoint Threat Research observed the group Proofpoint calls TA4563 targeting various European financial and investment...

Threats Icon

Jul 25, 2022

Lightning Framework: New Undetected “Swiss Army Knife”...

Lightning is a previously undocumented and undetected Linux threat. Lightning is a modular framework we...

Threats Icon

Jul 24, 2022

Redeemer Ransomware

Redeemer 2.0 Being Distributed Via Affiliate Program Cyble Research Labs has constantly been tracking emerging...

Threats Icon

Jul 21, 2022

Cobalt Strikes again: UAC-0056 continues to target...

The Malwarebytes Threat Intelligence team recently reviewed a series of cyber attacks against Ukraine that...

Threats Icon

Jul 20, 2022

Trello From the Other Side: APT29 Phishing...

Beginning mid-January 2022, Mandiant detected and responded to an APT29 phishing campaign targeting a diplomatic...

Threats Icon

Jul 18, 2022

New OrBit Linux Malware That Hijacks Execution...

New and entirely undetected Linux threat dubbed OrBit, signally a growing trend of malware attacks...

Threats Icon

Jul 18, 2022

North Korean threat actor targets small and...

A group of actors originating from North Korea that Microsoft Threat Intelligence Center (MSTIC) tracks...