Conti Affiliate Exposed: New Domain Names, IP Addresses and Email…

TRU and BreakPoint Labs uncovered a Conti affiliate operating an automated Cobalt Strike infrastructure, exposing new domain names, IP addresses, and emails used for command-and-control. The findings link Conti operations to Trickbot, BazarLoader, IcedID, FiveHands/HelloKitty/DeathKitty, and ShadowBeacon incidents, illustrating a scalable, automated intrusion ecosystem. #Conti #CobaltStrike

Key Points

  • TRU and BreakPoint Labs identify a Conti affiliate leveraging automated Cobalt Strike infrastructure with rapid domain/certificate management and recurring port/registrar patterns.
  • Cobalt Strike’s Beacon backdoor, malleable C2, and artifact kit enable scalable, stealthy intrusions across multiple sectors.
  • SonicWall exploits are used to deploy a Go variant of the FiveHands/HelloKitty/DeathKitty ransomware, with Conti-related initial access actors observed in the same intrusions.
  • Initial access is tied to Shathak (TA551) phishing campaigns and TR botnet (TA577) activity, often delivering IcedID and other loaders.
  • The ShadowBeacon incident demonstrates internal C2 via SMB traffic, PsExec-based deployment, and BYOVM tactics to pivot to external C2.
  • Seven U.S. companies across financial, environmental, legal, and charitable sectors were targeted, highlighting diverse victimology.
  • Infrastructure is highly automated and uses ProtonMail addresses and rapidly generated domains to maintain C2 resilience.

MITRE Techniques

  • [T1566.001] Phishing – Phishing campaigns that typically utilize malicious documents. ‘phishing campaigns that typically utilize malicious documents’
  • [T1190] Exploit Public-Facing Application – SonicWall exploits used to deploy a Go variant of the FiveHands/HelloKitty/DeathKitty ransomware. ‘SonicWall exploits to deploy a Go variant of the FiveHands/HelloKitty/DeathKitty ransomware’
  • [T1021.001] Remote Services – Beacons deployed from domain controllers via PsExec, a legitimate administrator tool used for remotely executing binaries. ‘Beacons were deployed from the domain controllers via PsExec, a legitimate administrator tool used for remotely executing binaries’
  • [T1071.001] Application Layer Protocol – Beacon will point back to an attacker-controlled Team Server. ‘Beacon will point back to an attacker-controlled Team Server’
  • [T1095] Non-Application Layer Protocol – SMB Beacons use the organization’s internal SMB traffic for their C2. ‘SMB Beacons, which utilize the organization’s internal SMB traffic for its C2’
  • [T1087] Discovery – Discovery helps threat actors determine the kind of endpoint they’ve landed on and which accounts they can pivot to next. ‘Discovery helps threat actors determine the kind of endpoint they’ve landed on and what kind of accounts they can pivot to next.’
  • [T1003] Credential Dumping – Mimikatz is a credential password stealer tool. ‘Mimikatz is a credential password stealer tool.’
  • [T1570] Lateral Tool Transfer – Lateral Tool Transfer enables importing more intrusion tools from the attacker’s environment. ‘Lateral Tool Transfer – a technique that allows an active intruder to import more intrusion tools from their own environment to the victims’
  • [T1059] Command and Scripting Interpreter – Aggressor Scripts automate intrusion workflows within Cobalt Strike. ‘Aggressor Scripts – It is a scripting framework… automate and customize the intrusion workflow’
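The ShadowBeacon pattern above (Beacons pushed from domain controllers via PsExec, with C2 riding internal SMB) leaves a pair of host artifacts that can be correlated: PsExec copies PSEXESVC.exe to the target’s ADMIN$ share and registers a PSEXESVC service. The detection below is an added example, not code from eSentire or the original post; the DC inventory, host names and event records are constructed for illustration.

```python
"""Correlate two Windows events per target host to flag PsExec-based Beacon
deployment launched from a domain controller (the ShadowBeacon pattern):
  - Security 5145: ADMIN$ share access whose target is PSEXESVC.exe,
    with the source host being a known DC
  - System 7045: a service install whose image path is PSEXESVC.exe
Only a host that shows the ADMIN$ drop *before* the service install is flagged.
"""
from collections import defaultdict

# Hypothetical DC inventory; replace with the real list from AD or a CMDB.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}


def psexec_from_dc_hosts(events, domain_controllers=DOMAIN_CONTROLLERS):
    """Return the set of hosts that received PSEXESVC.exe over ADMIN$ from a DC
    and then installed the PSEXESVC service."""
    staged = defaultdict(list)  # host -> timestamps of ADMIN$ drops from a DC
    hits = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if (ev["id"] == 5145
                and ev.get("share", "").upper().endswith("ADMIN$")
                and ev.get("target", "").lower().endswith("psexesvc.exe")
                and ev.get("src") in domain_controllers):
            staged[ev["host"]].append(ev["ts"])
        elif (ev["id"] == 7045
                and "psexesvc" in ev.get("image", "").lower()
                and staged.get(ev["host"])):
            hits.add(ev["host"])
    return hits


# Constructed sample telemetry (not real logs from the incident):
# WS-FIN-07 is staged from DC01 and then installs the service -> flagged.
# WS-LEGAL-02 installs PSEXESVC after a drop from an admin workstation -> benign.
SAMPLE_EVENTS = [
    {"ts": 1, "id": 5145, "host": "WS-FIN-07", "src": "DC01",
     "share": "\\\\*\\ADMIN$", "target": "PSEXESVC.exe"},
    {"ts": 2, "id": 7045, "host": "WS-FIN-07",
     "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": 3, "id": 5145, "host": "WS-LEGAL-02", "src": "ADMIN-PC",
     "share": "\\\\*\\ADMIN$", "target": "PSEXESVC.exe"},
    {"ts": 4, "id": 7045, "host": "WS-LEGAL-02",
     "image": "%SystemRoot%\\PSEXESVC.exe"},
]

if __name__ == "__main__":
    print(psexec_from_dc_hosts(SAMPLE_EVENTS))  # prints {'WS-FIN-07'}
```

Event 5145 requires the "Detailed File Share" audit subcategory to be enabled; a renamed PsExec service (the -r switch) defeats the name match, so pair this with a generic check for services whose image path is a freshly written executable.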

Indicators of Compromise

  • [Domain] Conti-affiliate C2 domains – firmwareupdater[.]com, aspdotnetpro[.]com, and 9 more domains
  • [IP Address] Conti-affiliate C2 IPs – 46[.]21[.]153[.]52, 23[.]227[.]196[.]236, and 7 more IPs
  • [Email Address] Registration emails – [email protected], [email protected], and 7 more addresses

Read more: https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire