Financially Motivated Hackers Use Leaked Conti Ransomware Techniques in Attacks

A series of financially motivated attacks are employing techniques observed in Conti ransomware playbooks that were leaked online in August 2021, Mandiant reports.

The attacks employ a multi-stage infection chain that starts with search engine optimization (SEO) poisoning and ends with the deployment of backdoors for stealthy access and information theft.

As part of the analyzed attacks, victims are lured to compromised websites and tricked into downloading malicious installers containing both legitimate software and the Batloader malware, which serves as the first stage of the infection chain.

Following Batloader’s execution, both malicious and legitimate tools are run on the victim’s machine, including the built-in Windows binaries PowerShell, Msiexec.exe, and Mshta.exe, whose use helps the attackers evade detection.

One variant of the attack resembles the exploitation of CVE-2020-1599, a Windows spoofing vulnerability patched in 2020, in which HTA-supported scripts are appended to a PE file while the file’s digital signature remains valid. When such a file is executed with Mshta.exe, the appended script runs.


The infection chain also involves the execution of legitimate tools such as Gpg4win Utility, Nsudo Utility, Atera, and SplashTop, which provide attackers with persistence, remote access, payload execution, and privilege escalation capabilities.


The attackers were also observed deploying Cobalt Strike Beacon and the Ursnif backdoor to maintain access to the compromised systems and to harvest sensitive information, such as credentials.

In an alternate attack variant, the threat actor lures victims into installing the remote monitoring and management (RMM) application Atera, with the installer renamed to match the application the victim had searched for.

Next, the SplashTop tool and pre-configured scripts are installed on the system, after which the Atera agent removes itself from the machine. The downloaded scripts, however, make various changes to the computer, such as disabling functionality and tampering with Microsoft Defender’s exclusion lists.
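As an added example, not code from the article or from Mandiant’s report, the following Python walks a few constructed Sysmon-style process-creation records and flags the two behaviours described above: Mshta.exe being handed a PE file instead of an .hta, and PowerShell commands that add Microsoft Defender exclusions or disable Defender features. The record field names and the sample paths are assumptions.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\victim\Downloads\AppInstaller.exe"'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -c "Add-MpPreference -ExclusionPath C:\Users\victim\AppData\Local\Temp"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -c "Get-Process"'},
]

# A PE-style extension in mshta's arguments (it normally takes .hta files).
PE_TARGET = re.compile(r'\.(exe|dll|scr|cpl|ocx)(["\s]|$)', re.IGNORECASE)
# Defender preference changes that add exclusions or switch features off.
DEFENDER_TAMPER = re.compile(
    r'(Add|Set)-MpPreference\b.*?-(ExclusionPath|ExclusionProcess|'
    r'ExclusionExtension|Disable\w+)', re.IGNORECASE)


def classify(event):
    """Return a list of finding tags for one process-creation record."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    # Drop the leading program token so its own '.exe' is not matched.
    args = cmd.split(None, 1)[1] if " " in cmd else ""
    findings = []
    if image == "mshta.exe" and PE_TARGET.search(args):
        findings.append("mshta_pe_target")
    if image in ("powershell.exe", "pwsh.exe"):
        m = DEFENDER_TAMPER.search(args)
        if m:
            findings.append("defender_" + m.group(2).lower())
    return findings


def scan(events):
    """Return (index, findings) for every record that produced a finding."""
    hits = []
    for i, event in enumerate(events):
        found = classify(event)
        if found:
            hits.append((i, found))
    return hits


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["cmdline"], tags)
```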

According to Mandiant, some of the techniques used in these attacks overlap with those included in a series of documents, playbooks and tools that a disgruntled Conti affiliate leaked in August 2021. However, it is still unclear whether the Conti operators or other hackers are behind the attacks.

“At this time, due to the public release of this information, other unaffiliated actors may be replicating the techniques for their own motives and objectives. These victims seem to operate in a wide range of industries. The threat group’s motivations are currently unknown, but we suspect that the group is financially motivated based on the seemingly industry-agnostic nature leading to ransomware activity,” Mandiant concludes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
