Conti News Decommissioned

June 28, 2022

Industry: N/A | Level: Strategic | Source: BleepingComputer

As first reported by AdvIntel on May 20th, 2022, the Conti ransomware gang’s shutdown appears to be complete for now. The group’s Conti News negotiation site has shut down, as identified by threat intel analyst Ido Cohen on Twitter: “After 28 days without any new victims, most of Conti #Ransomware infrastructure is down. This is the end? or a new start?” As Cohen notes, Conti may never be truly gone, as the gang could resurge and may simply be opting to lay low. Additionally, members of Conti may move to other ransomware gangs or operate in smaller cells. While Conti as a whole may have faded for now, the threat the group presents remains.

Conti Group is Defunct

May 24, 2022

AdvIntel, well known for tracking Conti activity, has identified the shutdown of Conti’s ransom operations, as critical ransom features were removed from the infamous Conti News blog.

Conti & Its Subsidiary Group Blackbyte

May 24, 2022

Industry: N/A | Level: Tactical | Source: AdvIntel

AdvIntel’s extensive research on the Conti ransomware group dives into its subsidiary group Blackbyte, which, along with the data extortion group Karakurt, supports Conti’s operations. The relationship between Conti and Blackbyte was explored after reports of the data breach at the NFL’s San Francisco 49ers on February 13th, 2022. Security news outlets pointed to Blackbyte as the perpetrator of the attack; however, an investigation by AdvIntel identified that the group was used “as a shell group to process the breach,” with Conti as the true culprit. The breach of the 49ers’ network had begun on December 14th, 2021, with AdvIntel identifying a set of Cobalt Strike commands targeting the team’s network. According to AdvIntel, “the Conti team who began the operation against 49ers on December 14 were able to compromise the victim’s primary domain and get access to the local shares and core network segments for several departments, including the team’s finance and accounting sectors.” The Blackbyte-Conti alliance revealed a larger trend in the threat landscape of “sub-divisions,” groups created to operate specifically in data exfiltration, without the need for encryption. AdvIntel has also identified Conti alliances with other ransomware groups, including HelloKitty/FiveHands, Babuk, HiVE, BlackCat/ALPHV, and AvosLocker. AdvIntel theorizes about the future of ransomware groups: “As groups grow in size and scope, they will begin to spawn business derivatives to handle some of their smaller operations in return for assistance and resources. This, in turn, will allow those subgroups to grow independently of the larger group, before extenuating circumstances, such as sanctions, struggles for power, or impending dissolution of the parent collective eventually led them to split off and become their own threat entity.” Notable detection techniques for Blackbyte emphasize Rclone, Cobalt Strike, Metasploit, and PowerShell commands.

Anvilogic Use Cases:

  • Rclone Execution
  • Cobalt Strike Beacon
  • Cobalt Strike style Shell invocation
  • Obfuscated Powershell Techniques
  • Encoded Powershell Command
  • Suspicious Executable by Powershell
  • Attrib.exe Metasploit File Dropper
  • PowerSploit Metasploit Payload
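As an added illustration of the Rclone and encoded-PowerShell use cases listed above (example code written for this digest, not Anvilogic’s own detection content), the Python below decodes -EncodedCommand arguments and flags rclone transfers to a named remote over constructed process-creation events; the event field names (image, cmdline) are assumptions.

```python
import base64
import re

# Constructed sample process-creation events (not taken from the page or from Anvilogic).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc "
                + base64.b64encode("Get-Process".encode("utf-16-le")).decode()},
    {"image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy C:\Finance remote:archive --transfers 8"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe report.txt"},
]

def decode_encoded_powershell(cmdline):
    """Return the decoded script when the command line carries -EncodedCommand
    (PowerShell also accepts -e, -ec and any prefix of the name), else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        low = tok.lower().replace("/", "-", 1)
        if low in ("-e", "-ec") or (len(low) >= 3 and "-encodedcommand".startswith(low)):
            try:
                # The payload is base64 over UTF-16LE text.
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def is_rclone_transfer(image, cmdline):
    """Flag rclone copying data to a named remote ("name:path"); a bare drive letter does not count."""
    tokens = cmdline.split()
    if not image.lower().endswith("rclone.exe") or len(tokens) < 3:
        return False
    if tokens[1].lower() not in {"copy", "sync", "move", "copyto", "moveto"}:
        return False
    return any(re.match(r"^[A-Za-z0-9_-]{2,}:", t) for t in tokens[2:])

def triage(event):
    """Run both checks over one event and return a list of (rule, detail) findings."""
    findings = []
    script = decode_encoded_powershell(event["cmdline"])
    if script is not None:
        findings.append(("encoded_powershell", script))
    if is_rclone_transfer(event["image"], event["cmdline"]):
        findings.append(("rclone_transfer", event["cmdline"]))
    return findings

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["image"].rsplit("\\", 1)[-1], "->", triage(ev))
```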

Conti’s Chats Leaked

March 01, 2022

Conti chats from a Jabber communication system were leaked by a Ukrainian security researcher, as reported by BleepingComputer.

Trickbot Mystery

March 01, 2022

Industry: N/A | Level: Strategic | Source: Intel471

Consistent with AdvIntel’s reports of fading Trickbot activity, Intel471 also reports noticeably dormant activity from the notorious malware, as no new Trickbot campaigns have been observed in 2022. Tracking of Trickbot campaigns identified only three during December 2021, with the latest occurring on December 28th, 2021; this is down from the eight identified in November 2021. In addition, Intel471 observes a lack of updates to “onboard malware configuration files (mcconf), which contain a list of controller addresses the bot can connect to.” The drop in Trickbot activity is theorized to be due to a shift in operations in favor of Emotet. The lack of Trickbot activity is not a sign that the malware operation is dead, as its command and control infrastructure remains active. Malware associated with Trickbot, such as Emotet, Bazar and Bokbot, should be closely monitored, especially as they are closely tied to ransomware deployments such as Conti.

Trickbot Fading and Conti Rises

February 22, 2022

The notorious Trickbot malware appears to be losing relevance: it is no longer as stealthy as it once was, and Conti is absorbing its key developers.

Conti & Log4Shell from AdvIntel

December 21, 2021

Industry: N/A | Level: Tactical | Source: AdvIntel

Continued vigilance on the threat landscape following Log4Shell has identified the Conti ransomware group showing signs of interest. A report from AdvIntel detailed that Conti had been deprived of new viable attack vectors since November and had been searching for new methods. It wasn’t until the fallout from Log4Shell that the ransomware group found what it had been looking for. Multiple Conti members have been identified initiating scanning activity for the vulnerability. A recent quote from AdvIntel confirmed, “the criminals pursued targeting specific vulnerable Log4J2 VMware vCenter for lateral movement directly from the compromised network resulting in vCenter access affecting US and European victim networks from the pre-existent Cobalt Strike sessions.”

  • Anvilogic Scenarios:
    • Log4Shell Payload
    • Kinsing Behaviors
    • Unix File Download, Modified, Executed
  • Anvilogic Use Cases:
    • Potential CVE-2021-44228 – Log4Shell
    • File Download (Unix)
    • Modify File Attributes

Why the Emotet Resurgence by AdvIntel

November 21, 2021

Industry: N/A | Level: Strategic | Source: AdvIntel

Researchers at AdvIntel observed a resurgence of Emotet on November 14th, 2021, and postulate that it is the result of “unfulfilled loader commodity demand, decline of the decentralized RaaS (Ransomware-as-a-Service) model, and the return of the monopoly of organized crime syndicates such as Conti.” Based on AdvIntel’s intelligence tracking, the resurgence appears to have been initiated by a former Ryuk member who convinced a former Emotet operator to rebuild and set up the malware builder. Given Emotet’s effectiveness at providing initial access, the prediction is a potential rise to dominance of Conti ransomware. All parties appear to be motivated by the previous success of the alliance between Emotet, TrickBot, and Ryuk in 2018.