Conti & Its Subsidiary Group Blackbyte

May 24, 2022

Conti & Its Subsidiary Group Blackbyte

Industry: N/A | Level: Tactical | Source: AdvIntel

AdvIntel’s extensive research into the Conti ransomware group examines its subsidiary group Blackbyte, which, along with the data extortion group Karakurt, supports Conti’s operations. The relationship between Conti and Blackbyte was explored after reports of the NFL team San Francisco 49ers’ data breach on February 13th, 2022. Security news outlets pointed to Blackbyte as the perpetrator of the attack; however, an AdvIntel investigation found that the group was used “as a shell group to process the breach,” with Conti as the true culprit. The breach of the 49ers’ network had begun on December 14th, 2021, when AdvIntel identified a set of Cobalt Strike commands targeting the NFL team’s network. As AdvIntel describes it, “the Conti team who began the operation against 49ers on December 14 were able to compromise the victim’s primary domain and get access to the local shares and core network segments for several departments, including the team’s finance and accounting sectors.” The Blackbyte-Conti alliance reveals a larger trend in the threat landscape toward “sub-divisions,” groups created to operate specifically in data exfiltration, without the need for encryption. AdvIntel has also identified Conti alliances with other ransomware groups, including HelloKitty/FiveHands, Babuk, HiVE, BlackCat/ALPHV, and AvosLocker. AdvIntel theorizes about the future of ransomware groups: “As groups grow in size and scope, they will begin to spawn business derivatives to handle some of their smaller operations in return for assistance and resources. This, in turn, will allow those subgroups to grow independently of the larger group, before extenuating circumstances, such as sanctions, struggles for power, or impending dissolution of the parent collective eventually led them to split off and become their own threat entity.” Notable detection opportunities for Blackbyte center on Rclone, Cobalt Strike, Metasploit, and PowerShell commands.

  • Anvilogic Use Cases:
    • Rclone Execution
    • Cobalt Strike Beacon
    • Cobalt Strike style Shell invocation
    • Obfuscated Powershell Techniques
    • Encoded Powershell Command
    • Suspicious Executable by Powershell
    • Attrib.exe Metasploit File Dropper
    • PowerSploit Metasploit Payload

Windows Event Logs Abused for Malware

May 10, 2022

Windows Event Logs Abused for Malware

Industry: N/A | Level: Tactical | Source: Kaspersky

In February 2022, Kaspersky observed a new stealthy technique, used by an unattributed threat actor, that plants malware in Windows event logs. The threat actor ran a sophisticated and targeted attack employing many custom and commercially available tools. The initial infection appears to have begun in September 2021, with the target lured into downloading a compressed archive housing offensive tools including Cobalt Strike and Silent Break. The actor injected into various programs, “Windows system processes or trusted applications.” Following injection, the legitimate Windows error-reporting program WerFault.exe is dropped into the directory C:\Windows\Tasks along with an encrypted DLL dropper, ‘wer.dll’, for search order hijacking, and persistence is established through an autorun registry key entry. The DLL dropper then searches the Windows event logs for the shellcode: “The dropped wer.dll is a loader and wouldn’t do any harm without the shellcode hidden in Windows event logs. The dropper searches the event logs for records with category 0x4142 (“AB” in ASCII) and having the Key Management Service as a source. If none is found, the 8KB chunks of shellcode are written into the information logging messages via the ReportEvent() Windows API function (lpRawData parameter). Created event IDs are automatically incremented, starting from 1423.” The campaign has not been correlated with any other threat actor, and as attribution remains undetermined, the activity is tracked as SilentBreak.
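The staging pattern Kaspersky describes (source “Key Management Service”, category 0x4142, 8KB raw-data chunks, event IDs counting up from 1423) is specific enough to hunt for in exported event records. The following is an added example for this digest, not code from Kaspersky or from the original post. It models exported event records as plain dicts; the field names (`source`, `category`, `event_id`, `raw_data`) are an assumption for the example and would need to be mapped onto whatever EVTX export or SIEM schema is actually in use. The sample records are constructed, with filler bytes standing in for payload data.

```python
"""Hunt for shellcode chunks staged in Windows event log records.

Added example (not from the Kaspersky report). Records are modelled as
dicts with assumed field names; adapt the keys to your EVTX export.
"""
from typing import Dict, Iterable, List

# Indicators taken from the report's description of the loader.
SUSPECT_SOURCE = "Key Management Service"
SUSPECT_CATEGORY = 0x4142          # "AB" in ASCII
FIRST_EVENT_ID = 1423              # IDs auto-increment from here
CHUNK_SIZE = 8 * 1024              # payload written in 8KB chunks

# Constructed sample export: three staged chunks, one benign KMS event with
# no raw data, and one unrelated application event.
SAMPLE_RECORDS: List[Dict] = [
    {"source": SUSPECT_SOURCE, "category": SUSPECT_CATEGORY,
     "event_id": 1423, "raw_data": b"X" * CHUNK_SIZE},
    {"source": SUSPECT_SOURCE, "category": SUSPECT_CATEGORY,
     "event_id": 1424, "raw_data": b"X" * CHUNK_SIZE},
    {"source": SUSPECT_SOURCE, "category": SUSPECT_CATEGORY,
     "event_id": 1425, "raw_data": b"X" * 1000},   # last, partial chunk
    {"source": SUSPECT_SOURCE, "category": 0,
     "event_id": 12288, "raw_data": b""},           # ordinary KMS activation event
    {"source": "Application Error", "category": 100,
     "event_id": 1000, "raw_data": b""},
]


def is_suspect_record(rec: Dict) -> bool:
    """Match the reported source/category pair with a non-empty raw payload.

    Legitimate KMS events do not carry binary data in lpRawData, so the
    combination of source, category 0x4142 and a payload is the key signal.
    """
    raw = rec.get("raw_data") or b""
    return (
        rec.get("source") == SUSPECT_SOURCE
        and rec.get("category") == SUSPECT_CATEGORY
        and len(raw) > 0
    )


def find_staged_chunks(records: Iterable[Dict]) -> List[int]:
    """Return the sorted event IDs of records that look like staged chunks."""
    return sorted(r["event_id"] for r in records if is_suspect_record(r))


def looks_like_staged_payload(event_ids: List[int]) -> bool:
    """True for a contiguous run of IDs beginning at 1423.

    The loader relies on auto-incremented IDs to reassemble the chunks in
    order, so a gap-free run from the first ID is the strongest indicator.
    """
    if not event_ids or event_ids[0] != FIRST_EVENT_ID:
        return False
    return all(b - a == 1 for a, b in zip(event_ids, event_ids[1:]))


def total_payload_bytes(records: Iterable[Dict]) -> int:
    """Size of the reassembled payload, useful for triage and for alert text."""
    return sum(len(r["raw_data"]) for r in records if is_suspect_record(r))


if __name__ == "__main__":
    ids = find_staged_chunks(SAMPLE_RECORDS)
    print("suspect event IDs:", ids)
    print("contiguous run from 1423:", looks_like_staged_payload(ids))
    print("reassembled payload bytes:", total_payload_bytes(SAMPLE_RECORDS))
```

Because the loader only writes the chunks when it does not already find them, the records persist across reboots; a scheduled hunt over the Application log on endpoints that also show WerFault.exe executing from C:\Windows\Tasks gives a high-fidelity pairing.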

  • Anvilogic Use Cases:
    • Compressed File Execution
    • New AutoRun Registry Key
    • Rare Remote Thread

Tricks from SocGholish and Zloader

May 03, 2022

In the latest report by Cybereason, tracking of malware activity from SocGholish and Zloader details the malware’s capabilities and infection tactics. SocGholish is named (partially) for its social engineering tactics, luring victims with drive-by downloads often themed as critical browser updates.

Hive Ransomware Attack Analysis

April 26, 2022

The Varonis Forensics Team has provided an investigation of an incident involving Hive ransomware, which took under 72 hours to execute. The initial attack began by exploiting the Exchange ProxyShell vulnerability to load a web shell on the Exchange server.

eSentire Conti Leaks Analysis

April 05, 2022

eSentire Conti Leaks Analysis

Industry: N/A | Level: Tactical | Source: eSentire

eSentire’s Threat Response Unit (TRU) dove into Conti intrusion procedures, sharing detection tactics derived from the group’s 2021 and 2022 data leaks, which contained operation manuals and chat logs. The ransomware group’s chat logs, from the recent February 2022 data leak, often reference the manuals that assist Conti operators in carrying out their operations. The ransomware gang operates with a clear structure, involving a management chain, organized personnel with roles and responsibilities, and training programs. The reference materials help ensure Conti operators initiate their threat activity with consistency and efficiency. Analysis of the tooling identified reliance on many known tools and techniques, including AdFind, Cobalt Strike, Mimikatz, PowerView, 7zip, AnyDesk, Rubeus, Rclone and native living-off-the-land binaries (LOLBins).

  • Anvilogic Scenario: ZeroLogon Compromise
  • Anvilogic Use Cases:
    • Adfind Commands
    • Adfind Execution
    • Common Reconnaissance Commands
    • Cobalt Strike Beacon
    • Cobalt Strike style Shell invocation
    • Create/Add Local/Domain User
    • Locate Credentials
    • Mimikatz
    • Modify Group Policy
    • Native Archive Commands
    • Potential Web Shell
    • Registry key added with reg.exe
    • Rclone Execution

Wizard Spider’s Naver Phishing Campaign

March 22, 2022

Wizard Spider’s Naver Phishing Campaign

Industry: N/A | Level: Tactical | Source: Prevailion

Prevailion’s Adversarial Counterintelligence Team (PACT) analyzed a large-scale phishing campaign that took place in late January 2022 with the goal of collecting Naver credentials. Naver, operated in South Korea, provides a variety of services for search, email, news, etc., and is comparable to Google and Yahoo. Investigation of the threat campaign’s infrastructure identified an overlap with threat group “WIZARD SPIDER [a.k.a. TrickBot] infrastructure.” The infrastructure used is extensive; per PACT’s review, “542 unique domains had been identified as part of this malicious cluster of web infrastructure, 532 of which were assessed with high confidence to be part of the ongoing phishing campaign targeting Naver logins; the oldest domain identified by PACT was registered in August of 2021, other registrations are as recent as February of 2022.” One phishing domain has a strong association with TrickBot, as the IP used for the Naver phishing campaign was also tied to a Cobalt Strike beacon sample that had been analyzed on VirusTotal. The Cobalt Strike sample was used in a threat campaign that abused CVE-2021-40444 to ultimately deploy Conti ransomware.

  • Anvilogic Use Case: Malicious Document Execution

Threat Group Delivers Cobalt Strike Through AV Updates

March 18, 2022

March 14th, 2022: Threat Group Delivers Cobalt Strike Through AV Updates

Industry: Critical Infrastructure | Level: Strategic | Source: BleepingComputer

The Ukrainian Computer Emergency Response Team alerted users to a phishing campaign impersonating the Ukrainian government. The campaign prompts potential victims to download fraudulent “critical security updates” that ultimately deliver a Cobalt Strike beacon. The activity was observed by MalwareHunterTeam and reported by BleepingComputer. The phishing email contains a malicious link that downloads an executable masquerading as “BitdefenderWindowsUpdatePackage.exe”; when executed, it displays a prompt claiming to be “installing the Windows update package,” but in reality it downloads a Cobalt Strike beacon from Discord. Additional backdoors are dropped on the victim host, establishing persistence, conducting reconnaissance and executing commands to achieve the threat actor’s objective. The Ukrainian Computer Emergency Response Team attributed this threat activity with medium confidence to the Russian threat group UAC-0056/Lorec53.

CISA Update on Conti Ransomware

March 15, 2022

CISA Update on Conti Ransomware

Industry: N/A | Level: Tactical | Source: CISA

The Cybersecurity & Infrastructure Security Agency (CISA) updated alert AA21-265A, which tracks Conti ransomware, to provide new indicators of compromise (IOCs) associated with the group. The most prevalent attack vectors the agency warns of for Conti include the use of TrickBot and Cobalt Strike. The Conti group has impacted over 1,000 organizations in the U.S. and internationally. A variety of techniques have been observed from the ransomware group, with initial access typically obtained through phishing emails or stolen accounts. CISA also lists a variety of post-compromise techniques, including RDP brute-force attacks, Kerberos attacks, running discovery commands to enumerate the network, spreading via SMB, stopping services and deleting shadow copies.

  • Anvilogic Use Cases:
    • RDP Brute-force Detection
    • Kerberos RC4 Encrypted Tickets
    • Common Reconnaissance Commands
    • Windows Share Multiple File Access
    • Service Stop Commands
    • Inhibit System Recovery Commands

BazarLoader Malware Leverages Contact Forms

March 15, 2022

BazarLoader Malware Leverages Contact Forms

Industry: N/A | Level: Tactical | Source: AbnormalSecurity

Abnormal Security has observed BazarLoader incorporating online contact forms into its communication and distribution tactics. This recent campaign ran from December 2021 to January 2022, with threat actors posing as prospective customers looking to obtain a product supply quote. As the communication appears genuine, the targeted company would typically follow up on the inquiry by initiating an email, to which the attacker would respond with a link to download a malicious file via file sharing services such as TransferNow and WeTransfer. If downloaded, a .iso and a .log file would be dropped on the victim’s workstation. The ISO file is actually a .lnk shortcut file and the .log file is the malicious BazarLoader DLL. The shortcut file, if executed, calls regsvr32.exe to run the disguised DLL, which then performs process injection into svchost.exe. Further analysis of the campaign could not be completed as the command and control (C2) infrastructure was down. The threat actor’s objective is likely to use BazarLoader to deploy Conti ransomware or Cobalt Strike.

  • Anvilogic Use Cases:
    • Symbolic OR Hard File Link Created
    • regsvr32 Execution
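The regsvr32 step in the chain above leaves a recognizable footprint in process-creation telemetry: regsvr32.exe registering a module whose extension is not one a COM server normally carries (.log instead of .dll). The following is an added example for this digest, not code from Abnormal Security or from the original post, showing one way to express that check over process-creation records. The records are constructed, simplified `key=value` lines standing in for Sysmon Event ID 1 or Security 4688 fields; the field names and the E: drive letter (a mounted ISO) are assumptions for the example.

```python
"""Flag regsvr32.exe loading a module with a non-COM-server extension.

Added example (not from the Abnormal Security report). Records are
constructed, pipe-separated key=value lines; adapt the field names to
your process-creation source (Sysmon Event ID 1, Security 4688, EDR).
"""
import ntpath   # Windows path handling regardless of the analyst's host OS
import re
from typing import Dict, List, Optional

# Constructed sample telemetry. First line mirrors the reported chain:
# shortcut on a mounted ISO (E:) runs regsvr32 on a DLL disguised as .log.
SAMPLE_LOGS = [
    "Image=C:\\Windows\\System32\\regsvr32.exe"
    "|CommandLine=regsvr32.exe /s E:\\quote_request.log"
    "|ParentImage=C:\\Windows\\explorer.exe",
    "Image=C:\\Windows\\System32\\regsvr32.exe"
    "|CommandLine=regsvr32.exe /s \"C:\\Program Files\\Vendor\\vendorctl.dll\""
    "|ParentImage=C:\\Windows\\System32\\msiexec.exe",
    "Image=C:\\Windows\\System32\\notepad.exe"
    "|CommandLine=notepad.exe notes.log"
    "|ParentImage=C:\\Windows\\explorer.exe",
]

# Extensions a legitimately registered COM server is expected to carry.
ALLOWED_MODULE_EXT = {".dll", ".ocx", ".ax"}


def parse_record(line: str) -> Dict[str, str]:
    """Split 'k=v|k=v' into a dict; values may contain '=' (handled by partition)."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def regsvr32_module(cmdline: str) -> Optional[str]:
    """Return the module path regsvr32 was asked to load, or None.

    Tokenizes on whitespace but keeps quoted paths intact, drops the
    executable itself and any /s, /u, /n, /i:... switches, and takes the
    last remaining argument as the module.
    """
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    args = [t for t in tokens[1:] if not t.startswith(("/", "-"))]
    return args[-1] if args else None


def suspicious_reasons(rec: Dict[str, str]) -> List[str]:
    """Reasons this record matches the disguised-DLL pattern (empty if benign)."""
    if ntpath.basename(rec.get("Image", "")).lower() != "regsvr32.exe":
        return []
    module = regsvr32_module(rec.get("CommandLine", ""))
    if module is None:
        return []
    reasons: List[str] = []
    ext = ntpath.splitext(module)[1].lower()
    if ext not in ALLOWED_MODULE_EXT:
        reasons.append(f"module extension '{ext or '<none>'}' is not a COM server extension")
    # Context only: adds weight when the extension check already fired.
    if reasons and ntpath.basename(rec.get("ParentImage", "")).lower() == "explorer.exe":
        reasons.append("spawned by explorer.exe, consistent with a user-launched shortcut")
    return reasons


def scan_process_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Run the check over raw lines and return the matches with their reasons."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        reasons = suspicious_reasons(rec)
        if reasons:
            hits.append({"module": regsvr32_module(rec["CommandLine"]),
                         "parent": rec.get("ParentImage", ""),
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_process_logs(SAMPLE_LOGS):
        print(hit["module"], "<-", hit["parent"])
        for r in hit["reasons"]:
            print("   ", r)
```

The extension check is deliberately narrow so it stays quiet on software installers that register real .dll/.ocx components; pairing it with the “Symbolic OR Hard File Link Created” use case above, or with a recent ISO mount on the same host, raises confidence further.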

APT29/Nobelium Targets Embassies

March 01, 2022

APT29/Nobelium Targets Embassies

Industry: Government | Level: Tactical | Source: Fortinet

Research from FortiGuard has identified the threat actor group APT29/Nobelium/Cozy Bear targeting embassies, based on an observed email impersonating the “Embassy of the Republic of Turkey.” Analysis of the email’s malicious HTML attachment uncovers malicious JavaScript that creates an ISO file, which the user must then open. A shortcut inside the ISO points to a malicious DLL that is executed to load Cobalt Strike. This tactic is likely conducted to monitor activity in embassies in support of Russian operations.

  • Anvilogic Scenario: Malicious Document Delivering Malware
  • Anvilogic Use Cases:
    • Rundll32 Command Line
    • Suspicious File written to Disk