The Stolen Images campaign used IcedID as the initial access vector to drop Cobalt Strike beacons, leading to Conti ransomware deployment across a domain. The operation blended off-the-shelf remote-access tools (Atera, Splashtop), multiple Cobalt Strike servers, and domain-wide discovery to achieve persistence, credential access, and lateral movement before encryption. #StolenImageEvidence #ContiRansomware
Keypoints
- The IcedID DLL was delivered via a “Stolen Image Evidence” email campaign, acting as the initial access vector.
- The chain then continued: IcedID established a connection to its C2 server, after which a Cobalt Strike beacon was dropped for deeper infiltration and discovery.
- Remote management tools (Atera Agent and Splashtop) were installed for persistence and remote access; the Atera agent was registered with Gmail and Outlook accounts.
- On days 6 and 7, multiple Cobalt Strike servers and access to the domain controllers enabled wide-scale lateral movement and privilege escalation.
- Privilege escalation attempts targeted the AD vulnerabilities CVE-2021-42278/42287 to create privileged accounts; DNS lookups for SAMTHEADMIN-XX hostnames pointed to the exploit tooling being run.
- Windows Defender was disabled via PowerShell, Cobalt Strike used process injection, and LSASS memory was dumped for credential access.
- The ransomware payload (x64.dll) was finally deployed across the network via SMB after initial failures, encrypting files and dropping a readme.txt ransom note.
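Added example (not code from the DFIR Report or the tooling it describes): detection logic for the CVE-2021-42278/42287 attempts described in the keypoints, run over constructed Windows Security events. It keys on what the exploit has to do on the domain controller: create a machine account (event 4741) and rename its sAMAccountName (event 4781) to a domain controller's name with the trailing `$` removed. The SAMTHEADMIN-\d+ name pattern, the DC list and the sample events are assumptions for the example.

```python
import re

# Default machine-account name used by public sAMAccountName-spoofing tooling,
# matching the SAMTHEADMIN-XX pattern the report saw in DNS lookups
# (assumption: the exact numbering format).
NOPAC_TOOL_NAME = re.compile(r"^SAMTHEADMIN-\d+\$?$", re.IGNORECASE)

# Constructed sample events (invented values, not from the report). Fields
# mirror the Security log XML names for 4741 (computer account created)
# and 4781 (account name changed).
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "svc_join", "TargetUserName": "WS0042$"},
    {"EventID": 4741, "SubjectUserName": "jdoe", "TargetUserName": "SAMTHEADMIN-37$"},
    {"EventID": 4781, "SubjectUserName": "jdoe",
     "OldTargetUserName": "SAMTHEADMIN-37$", "NewTargetUserName": "DC01"},
    {"EventID": 4781, "SubjectUserName": "svc_join",
     "OldTargetUserName": "OLDWS$", "NewTargetUserName": "NEWWS$"},
    {"EventID": 4741, "SubjectUserName": "mallory", "TargetUserName": "FILESRV"},
]

# Assumed domain controller names for the example environment.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}


def detect_samaccountname_spoofing(events, domain_controllers):
    """Return (rule, subject, detail) tuples for events consistent with
    CVE-2021-42278/42287 abuse: machine accounts created with the exploit
    tool's default name or without a trailing '$', and renames that strip
    the '$' (worst case: the new name collides with a domain controller)."""
    dcs = {dc.upper().rstrip("$") for dc in domain_controllers}
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        subject = ev.get("SubjectUserName", "?")
        if eid == 4741:
            name = ev.get("TargetUserName", "")
            if NOPAC_TOOL_NAME.match(name):
                findings.append(("nopac_default_machine_name", subject, name))
            elif not name.endswith("$"):
                findings.append(("computer_account_without_dollar", subject, name))
        elif eid == 4781:
            old = ev.get("OldTargetUserName", "")
            new = ev.get("NewTargetUserName", "")
            if old.endswith("$") and not new.endswith("$"):
                rule = ("rename_collides_with_dc" if new.upper() in dcs
                        else "machine_account_dollar_stripped")
                findings.append((rule, subject, f"{old} -> {new}"))
    return findings


def suspicious_dns_queries(query_names):
    """Flag DNS lookups for hostnames matching the exploit tool's default
    machine-account name, the signal the report itself called out."""
    return [q for q in query_names if NOPAC_TOOL_NAME.match(q.split(".")[0])]


if __name__ == "__main__":
    for finding in detect_samaccountname_spoofing(SAMPLE_EVENTS, DOMAIN_CONTROLLERS):
        print(finding)
    print(suspicious_dns_queries(["samtheadmin-12.corp.local", "ws0042.corp.local"]))
```

The rename check is the one worth keeping even if the tool name changes: a legitimate computer rename keeps the trailing `$`, so a 4781 whose new name lacks it, and especially one that equals a DC's hostname, is the core of the spoofing step regardless of which tool issued it.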
MITRE Techniques
- [T1566.002] Spearphishing Link – The threat actors delivered IcedID via a “Stolen Image Evidence” email campaign with links hosted on legitimate storage services; “The emails contain a link to a legitimate storage service”
- [T1071.001] Web Protocols – The IcedID DLL established a connection to a C2 server to receive commands and later drop Cobalt Strike beacons; “a connection to a C2 server was established”
- [T1053.005] Scheduled Task – A scheduled task was created on the beachhead host to execute the IcedID payload every hour; “executed every 1 hour”
- [T1219] Remote Access Software – Threat actors dropped and installed Atera agent and used Splashtop for persistence and access; “Atera Agent” and “Splashtop” for persistence/remote access
- [T1068] Exploitation for Privilege Escalation – Attempts to exploit CVE-2021-42278 and CVE-2021-42287 to create privileged accounts; “attempts to exploit Active Directory vulnerabilities CVE-2021-42278 and CVE-2021-42287”
- [T1562.001] Impair Defenses – Defender disabled via base64 PowerShell command decoding to Set-MpPreference; “disable Windows Defender AV”
- [T1055] Process Injection – Cobalt Strike beacon used CreateRemoteThread to inject into other processes; “process injections … CreateRemoteThread”
- [T1003.001] LSASS Memory – LSASS memory was accessed to dump credentials; “LSASS memory to dump credentials”
- [T1018] Remote System Discovery – AdFind utility used to enumerate AD objects (the report files this under T1018; AdFind's account and trust enumeration also maps to T1087.002 and T1482); “AdFind utility was employed to enumerate active directory objects (T1018)”
- [T1083] File and Directory Discovery – Discovery of directory structures and lists during intrusion; “Filesystem discovery (T1083) was conducted”
- [T1047] Windows Management Instrumentation – WMIC and CMD used for host and domain discovery; “WMIC and CMD … to perform discovery activity”
- [T1018] Remote System Discovery – Ping used to check whether hosts exist on the network (the report maps this to T1049); “net ping utility to check the existence of hosts on the network (T1049)”
- [T1021.002] Remote Services (SMB/Windows Admin Shares) – Lateral movement via SMB/Windows Admin Shares to domain controllers and servers; “Lateral Movement … SMB to transfer Cobalt Strike DLLs onto a domain controller”
- [T1569.002] Service Execution – Remote service creation to execute the Cobalt Strike DLL on domain controllers; “remote service was created on the domain controller to execute the Cobalt Strike DLL”
- [T1069.002] Permission Groups Discovery: Domain Groups – NLTest/net group queries to locate sensitive groups; “look for sensitive groups such as Domain Admins and Enterprise Admins”
- [T1135] Network Share Discovery – PowerView's Invoke-ShareFinder used to enumerate accessible shares across the domain; “PowerView script Invoke-ShareFinder”
- [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell commands for defense evasion and discovery, including base64-encoded invocations; “PowerShell command …” (Set-MpPreference example)
- [T1071.001] Web Protocols (Cobalt Strike over HTTP) – Cobalt Strike’s malleable C2 profile used; “Cobalt Strike malleable C2 profile”
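Added example (not code from the DFIR Report): the T1562.001/T1059.001 entries above describe Defender being disabled through a base64-encoded PowerShell command that decodes to Set-MpPreference. The snippet below decodes the `-EncodedCommand` payload the way PowerShell does (base64 of UTF-16LE text) from process command lines and flags Defender tampering in the decoded script. The command lines are constructed for the example; the only real-world detail relied on is PowerShell's encoding and its acceptance of abbreviated switch names (-e, -ec, -enc, ...).

```python
import base64
import re

# The -EncodedCommand switch and the prefix abbreviations PowerShell accepts
# (-e, -ec, -enc, ...). The [cn] class keeps -ExecutionPolicy from matching.
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:[cn][a-z]*)?\s+([A-Za-z0-9+/=]{8,})",
                         re.IGNORECASE)

# Defender-tampering patterns checked against the decoded (or plain) script.
DEFENDER_TAMPER_RULES = {
    "defender_feature_disabled": re.compile(
        r"Set-MpPreference\b[^\n;]*-Disable\w+\s+(?:\$true|1)\b", re.IGNORECASE),
    "defender_exclusion_added": re.compile(
        r"(?:Add|Set)-MpPreference\b[^\n;]*-Exclusion(?:Path|Process|Extension)\b",
        re.IGNORECASE),
}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent/undecodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline):
    """Decode if needed, then report which tampering rules the script trips."""
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline
    hits = [name for name, rx in DEFENDER_TAMPER_RULES.items() if rx.search(script)]
    return {"encoded": decoded is not None, "script": script, "rules": hits}


def encode_ps(script):
    """Encode text as powershell -EncodedCommand expects; used here only to
    build the constructed sample command lines below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample process command lines (assumption: 4688-style capture).
SAMPLE_COMMAND_LINES = [
    "powershell.exe -nop -w hidden -enc "
    + encode_ps("Set-MpPreference -DisableRealtimeMonitoring $true"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
    "powershell.exe -e " + encode_ps("Add-MpPreference -ExclusionPath C:\\ProgramData"),
    'powershell.exe -Command "Get-MpComputerStatus"',
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        result = analyze_command_line(line)
        print(result["encoded"], result["rules"], result["script"][:60])
```

Decoding before matching is the point: a string match for `Set-MpPreference` on the raw command line misses every encoded invocation, and the same decode step is what makes the rule work on 4104 script block logs that already carry the plaintext.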
Indicators of Compromise
- [Domain] guguchrome.com, applesflying.com – C2/initial access infrastructure listed in the report's IOCs
- [IP] 5.181.80.214:80, 5.181.80.113:443 – C2 endpoints and service ports
- [Email] [email protected], [email protected] – Atera registration accounts used by operators
- [File] data.dll, Edebef4.dll, x64.dll – ransomware payloads and loader components
- [Hash] 21242d958caf225f76ad71a4d3a6d4d9 (MD5), 01a4c5ef0410b379fa83ac1a4132ba6f7b5814192dbdb87e9d7370e6256ea528 (SHA256) – sample components
- [File] backup.bat – batch script used during ransomware deployment
- [Domain] bunced.net, wayeyoy.com, cirite.com, shytur.com – additional C2 domains/hosts
Read more: https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/