May 24, 2022

Conti & Its Subsidiary Group Blackbyte

Industry: N/A | Level: Tactical | Source: AdvIntel

AdvIntel’s extensive research of the Conti ransomware group dives into its subsidiary group Blackbyte, which along with the data extortion group, Karakurt supports Conti’s operations. The relationship between Conti and Blackbyte was explored after reports of the NFL team San Francisco 49ers data breach on February 13th, 2022. Security news outlets pointed to Blackbyte as the perpetrator of the attack however, an investigation from AdvIntel identified the group was used “as a shell group to process the breach” with Conti as the true culprit of the attack. The breach of the 49ers’ network had begun on December 14th, 2021, with AdvIntel identifying a set of Cobalt Strike commands targeting the NFL team’s network. Identified from AdvIntel “the Conti team who began the operation against 49ers on December 14 were able to compromise the victim’s primary domain and get access to the local shares and core network segments for several departments, including the team’s finance and accounting sectors.” The Blackbyte-Conti alliance revealed a larger trend in the threat landscape of “sub-divisions,” groups created operating specifically in data exfiltration and doing so without the need for encryption. Conti has been identified by AdvIntel to also create alliances with other ransomware groups, including HelloKitty/FiveHands, Babuk, HiVE, BlackCat/ALPHV, and AvosLocker. Theorized for the future of ransomware groups, “As groups grow in size and scope, they will begin to spawn business derivatives to handle some of their smaller operations in return for assistance and resources. This, in turn, will allow those subgroups to grow independently of the larger group, before extenuating circumstances, such as sanctions, struggles for power, or impending dissolution of the parent collective eventually led them to split off and become their own threat entity.” Notable detection techniques for Blackbyte emphasized detections for Rclone, Cobalt Strike, Metasploit, and PowerShell commands.

Anvilogic Use Cases:

  • Rclone Execution
  • Cobalt Strike Beacon
  • Cobalt Strike style Shell invocation
  • Obfuscated Powershell Techniques
  • Encoded Powershell Command
  • Suspicious Executable by Powershell
  • Attrib.exe Metasploit File Dropper
  • PowerSploit Metasploit Payload