Stolen Images Campaign Ends in Conti Ransomware

Upon execution of the IcedID DLL, a connection to a C2 server was established.
This was followed by the creation of a scheduled task on the beachhead host to establish persistence.
The task executed the IcedID payload every one 1 hour.
The IcedID malware then used Windows utilities such as net, chcp, nltest, and wmic, to perform discovery activity on the host.

After a gap of almost an hour, a Cobalt Strike beacon was dropped and executed on the beachhead host.
Soon after, another round of discovery was performed from the Cobalt Strike beacon focusing on the Windows domain.
Nltest and net group were utilized to look for sensitive groups such as Domain Admins and Enterprise Admins.
Process injection into explorer.exe was then observed from the Cobalt Strike Beacon.

The threat actors proceeded to install remote management tools such as Atera Agent and Splashtop.
Use of these 3rd party administrative tools allow the threat actors another “legitimate” means of persistence and access if they were to lose their malware connection.
In this intrusion, The DFIR Report observed usage of gmail[.]com and outlook[.]com email accounts for Atera agent registration.
Soon after, one of the injected Cobalt Strike processes accessed LSASS memory to dump credentials from the beachhead.

On the sixth day of the intrusion, the beachhead host saw new discovery activity with a quick nltest followed by the PowerView script Invoke-ShareFinder.
On the following day, the seventh day of the intrusion, the threat actors made their next move.
On that day, a new Cobalt Strike server was observed, in fact over the course of the intrusion, four different Cobalt Strike servers were used.
From the beachhead host, a DLL was transferred to a domain controller over SMB and then a remote service was created on the domain controller to execute the Cobalt Strike DLL.

After getting a foothold on the domain controller, The DFIR Report saw more process injection followed by the same pattern of installing Atera for additional persistent access.
From the domain controller, the threat actors proceeded with more discovery tasks including AdFind and Invoke-ShareFinder again.
After this, the threat actors went quiet.

On day nine of the intrusion, the next Cobalt Strike server, which would ultimately be used until the end of the intrusion, was observed for the first time.
On the tenth day, little activity was observed but the threat actors connected to the beachhead host via the Atera agent and executed another Cobalt Strike DLL.
A little discovery check-in was observed on the 14th day, but little else.

On the 19th day, the threat actors moved towards their final objectives.
They reviewed the directory structure of several hosts including domain controllers and backup servers.
They then dropped their final ransomware payload on the beachhead host and attempted to execute it using a batch file named backup.bat.
However, they found that their execution failed.

They left for a few hours, and then returned, and attempted to exploit a couple of CVE’s in an attempt to escalate privileges.
The threat actors had already secured domain admin access but it’s possible the operator may have thought they lacked permissions when their first ransomware execution failed.

While these exploits appear to have failed the threat actors found their previously captured domain admin credentials and launched two new Cobalt Strike beacons on the domain controllers.
Finally, twenty minutes after accessing the domain controllers, the threat actors dropped the ransomware DLL and the batch script and executed it from the domain controller.
This time the execution worked as intended and resulted in domain wide ransomware.

Sign Up For Threat Alerts

Threats Icon

Jan 29, 2023

APT15 Targets Multiple Sectors With Turian Backdoor

APT15, also known as Playful Taurus, is an advanced persistent threat (APT) that conducts a...

Threats Icon

Jan 26, 2023

Vice Society Ransomware Group Targets Manufacturing Companies

The Vice Society threat group was discovered targeting multiple sectors including manufacturing companies in Brazil....

Threats Icon

Jan 26, 2023

US Cert Alert – Alert (AA23-025A) Protecting...

Although this campaign appears financially motivated, the authoring organizations assess it could lead to additional...

Threats Icon

Jan 25, 2023

Emotet Malware Makes a Comeback with New...

The Emotet malware operation has continued to refine its tactics in an effort to fly...

Threats Icon

Jan 25, 2023


The DragonSpark attacks represent the first concrete malicious activity where Analysts observe the consistent use...

Threats Icon

Jan 25, 2023

PLAY Ransomware

PLAY is simple but heavily obfuscated with a lot of unique tricks that have not...

Threats Icon

Jan 24, 2023

Gamaredon Abuses Telegram To Target Ukrainian Government...

The Gamaredon APT group was discovered targeting Ukrainian government entities using the Telegram messaging service...

Threats Icon

Jan 23, 2023

NeedleDropper: A New Dropper-as-a-Service Uncovered

Avast's Threat Research Team has since October 2022 been observing a new strain of dropper...

Threats Icon

Jan 22, 2023

Aurora Stealer Leverages Shapeshifting Tactics And Popular...

A threat actor was discovered mimicking legitimate websites to host and deliver the 9002 RAT,...

Threats Icon

Jan 19, 2023

Earth Bogle Campaign Targets Entities With Geopolitical...

Middle Eastern geopolitical themed lures were used to distribute njRAT across the Middle East and...

Threats Icon

Jan 18, 2023

The NoName057(16) Hacktivist Group Targets Ukraine Supporters...

The NoName057(16) hacktivist group targeted multiple sectors across Ukraine and neighboring countries with DDoS attacks....

Threats Icon

Jan 17, 2023

Italy Targeted By Information Stealer Malware

An un-named information stealer was targeting end users in Italy through a phishing campaign using...

Threats Icon

Jan 15, 2023

The Australian healthcare industry was targeted by...

The Australian healthcare industry was targeted by the Gootkit loader malware; initial access was gained...

Threats Icon

Jan 11, 2023

Shc Linux Malware Used To Install XMRig...

External facing Linux servers in South Korea were targeted with a Shc (Shell Script Compiler)...

Threats Icon

Jan 11, 2023

Dridex Returns To Target MacOS With Updated...

Threat actors have been seen targeting Mac users with the Dridex malware. Although the malware...