A series of financially motivated attacks are employing techniques observed in Conti ransomware playbooks that were leaked online in August 2021, Mandiant reports.
The attacks employ a multi-stage infection chain that starts with search engine optimization (SEO) poisoning and ends with the deployment of backdoors for stealthy access and information theft.
As part of the analyzed attacks, victims are lured to compromised websites and tricked into downloading malicious installers containing both legitimate software and the Batloader malware, which serves as the first stage of the infection chain.
Following Batloader’s execution, the attackers deploy both malicious and legitimate tools onto the victim’s machine and abuse PowerShell, Msiexec.exe, and Mshta.exe, which help them avoid detection.
One variant of the attack resembles the exploitation of a Windows spoofing vulnerability patched in 2020 (CVE-2020-1599), where HTA-supported scripts are appended to PE files while the digital signature remains valid. The appended scripts run when the file is executed with Mshta.exe.
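As an added defensive example (not code from the article or from Mandiant's report), the following Python checks a signed PE for the appended-script pattern described above: it parses the section table and the security data directory to find the true end of the signed image, then flags any trailing overlay that contains HTA markers. The marker list, the helper names and the sample PE builder are assumptions constructed for illustration.

```python
import struct

# Strings commonly found in HTA content; constructed list, tune for your environment.
HTA_MARKERS = (b"<hta:application", b"<script", b"ActiveXObject")


def pe_overlay(data: bytes) -> bytes:
    """Return everything past the last section and the Authenticode certificate table (the overlay)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at +96 (PE32) or +112 (PE32+); entry 4 is the security directory,
    # whose address is a raw file offset to the WIN_CERTIFICATE blob rather than an RVA.
    dirs = opt + (96 if magic == 0x10B else 112)
    cert_off, cert_size = struct.unpack_from("<II", data, dirs + 4 * 8)
    end = cert_off + cert_size if cert_size else 0
    sections = opt + opt_size
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sections + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return data[end:]


def looks_like_hta_overlay(data: bytes) -> bool:
    """Flag a PE whose overlay carries HTA/script content: the signature stays valid, so check the tail."""
    overlay = pe_overlay(data).lower()
    return any(m.lower() in overlay for m in HTA_MARKERS)


def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed PE32 skeleton (headers, one section, empty certificate table) for testing only."""
    hdr, sec, cert = 0x200, 0x200, 0x100
    pe = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    pe += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<II", opt, 96 + 4 * 8, hdr + sec, cert)  # security dir placed after the section
    pe += opt + b".text\0\0\0" + struct.pack("<IIII", sec, 0x1000, sec, hdr) + b"\0" * 16
    pe += b"\0" * (hdr - len(pe)) + b"\x90" * sec + b"\0" * cert
    return bytes(pe) + overlay
```

Run it over files that your signature checks report as validly signed; a non-empty overlay with script markers is the condition worth alerting on.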
The infection chain also involves the execution of legitimate tools such as Gpg4win Utility, Nsudo Utility, Atera, and SplashTop, which provide attackers with persistence, remote access, payload execution, and privilege escalation capabilities.
The attackers were also observed deploying Cobalt Strike Beacon and the Ursnif backdoor to maintain access to the compromised systems and to harvest sensitive information, such as credentials.
In an alternate attack variant, the threat actor lures victims into installing the remote monitoring and management application Atera, renamed to match an application the victim has searched for.
Next, the SplashTop tool and pre-configured scripts are installed onto the system, and the Atera agent removes itself from the machine. The downloaded scripts, however, make various changes to the computer, such as disabling functionality and tampering with Microsoft Defender’s exclusion lists.
According to Mandiant, some of the techniques used in these attacks overlap with those included in a series of documents, playbooks and tools that a disgruntled Conti affiliate leaked in August 2021. However, it is still unclear whether the Conti operators or other hackers are behind the attacks.
“At this time, due to the public release of this information, other unaffiliated actors may be replicating the techniques for their own motives and objectives. These victims seem to operate in a wide range of industries. The threat group’s motivations are currently unknown, but we suspect that the group is financially motivated based on the seemingly industry-agnostic nature leading to ransomware activity,” Mandiant concludes.