Conti Group – Indicators of Compromise
Since the end of February, we have seen news about Conti Group including leaked information and which included detailed operations and continued association with Emotet and Cobalt Strike. We continue to observe consistent network communication between Emotet Command and Control (C2) servers and numerous auto manufacturing companies. These Emotet servers are suspected to be controlled by the Conti ransomware group.”
Technical Details
Conti is considered a ransomware-as-a-service (RaaS) model however we reason to believe they pay or contribute initial infection payloads. This allows Conti to receive a share of the proceeds from a successful attack and also may persuade the targets affiliate group’s attack.
Initial Access
- Spearphishing campaigns using tailored emails that contain malicious attachments
- Malicious Word attachments often contain embedded scripts that can be used to download or drop other malware
- TrickBot and IcedID, and/or Cobalt Strike are used to establish foothold within the environment
- Stolen or weak Remote Desktop Protocol (RDP) credentials
- Common vulnerabilities in external assets.
CISA and FBI have observed Conti actors using Router Scan, a penetration testing tool, to maliciously scan for and brute force routers, cameras, and network-attached storage devices with web interfaces. Additionally, actors use Kerberos attacks to attempt to get the Admin hash to conduct brute force attacks.
Vulnerability
According to a recently leaked threat actor “playbook,” Conti actors also exploit vulnerabilities in unpatched assets, such as the following, to escalate privileges
- 2017 Microsoft Windows Server Message Block 1.0 server vulnerabilities; [7]
- “PrintNightmare” vulnerability (CVE-2021-34527) in Windows Print spooler [8] service; and
- “Zerologon” vulnerability (CVE-2020-1472) in Microsoft Active Directory Domain Controller systems.[9]
Persistence
Conti actors are known to exploit legitimate remote monitoring and management software and remote desktop software as backdoors to maintain persistence. The threat actors use tools already available on the network like Sysinternals, PSEXEC, mimikatz to obtain user hashes and clear text passwords. This will enable actors to escalate privileges within a domain and ultimately get the keys to the kingdom.
I have been involved in many ransomware cases over the last 12 months and seen the use of various remote management tools from N-Able, Splashtop, Teamviewer, Screenconnect and in some cases actors use trick bot malware to carry out post-exploitation tasks.
Indicators of Compromise
| created_at | entity_type | updated_at | value | description |
| 2022-03-18T17:45:07.433Z | IPv4-Addr | 2022-03-18T17:45:07.516Z | 82[.]202[.]192[.]66 | Emotet C2 |
| 2022-03-18T17:45:07.433Z | IPv4-Addr | 2022-03-18T17:45:07.516Z | 67[.]205[.]162[.]68 | Emotet C2 |
| 2022-03-18T17:45:07.433Z | IPv4-Addr | 2022-03-18T17:45:07.516Z | 188[.]241[.]120[.]42 | Emotet C2 |
| 2022-03-18T17:45:07.433Z | IPv4-Addr | 2022-03-18T17:45:07.516Z | 185[.]9[.]18[.]154 | Emotet C2 |
| 2022-03-18T17:45:07.433Z | IPv4-Addr | 2022-03-18T17:45:07.516Z | 178[.]128[.]83[.]165 | Emotet C2 |
| 2022-03-18T17:45:07.433Z | IPv4-Addr | 2022-03-18T17:45:07.516Z | 162[.]243[.]175[.]63 | Emotet C2 |
| 2022-03-18T17:45:07.433Z | IPv4-Addr | 2022-03-18T17:45:07.516Z | 159[.]65[.]1[.]71 | Emotet C2 |
| 2022-03-18T17:45:07.433Z | IPv4-Addr | 2022-03-18T17:45:07.516Z | 134[.]209[.]156[.]68 | Emotet C2 |
| 2022-03-18T17:45:07.433Z | IPv4-Addr | 2022-03-18T17:45:07.516Z | 159[.]89[.]230[.]105 | Emotet C2 |
| 2022-03-18T17:45:07.433Z | IPv4-Addr | 2022-03-18T17:45:07.516Z | 45[.]184[.]36[.]10 | Emotet C2 |
| 2022-03-18T17:45:07.921Z | IPv4-Addr | 2022-03-18T17:45:08.006Z | 82[.]118[.]21[.]1 | Emotet C2 |
| 2022-03-18T17:45:07.433Z | IPv4-Addr | 2022-03-18T17:45:07.516Z | 185[.]141[.]63[.]120 | Emotet C2 |
| 2022-03-18T17:45:04.811Z | IPv4-Addr | 2022-03-18T17:45:04.901Z | 162[.]244[.]80[.]235 | Emotet C2 |
| created_at | entity_type | updated_at | value | description |
| 2022-03-18T17:45:23.131Z | Domain-Name | 2022-03-18T17:45:23.195Z | suhuhow[.]com | malicious domain |
| 2022-03-18T17:45:22.832Z | Domain-Name | 2022-03-18T17:45:22.903Z | mihojip[.]com | malicious domain |
| 2022-03-18T17:45:22.540Z | Domain-Name | 2022-03-18T17:45:22.608Z | hewecas[.]com | malicious domain |
| 2022-03-18T17:45:22.224Z | Domain-Name | 2022-03-18T17:45:22.338Z | balacif[.]com | malicious domain |
| 2022-03-18T17:45:21.951Z | Domain-Name | 2022-03-18T17:45:22.021Z | nagahox[.]com | malicious domain |
| 2022-03-18T17:45:21.785Z | Domain-Name | 2022-03-18T17:45:21.826Z | wuvehus[.]com | malicious domain |
| 2022-03-18T17:45:21.565Z | Domain-Name | 2022-03-18T17:45:21.645Z | codasal[.]com | malicious domain |
| 2022-03-18T17:45:21.195Z | Domain-Name | 2022-03-18T17:45:21.335Z | xekezix[.]com | malicious domain |
| 2022-03-18T17:45:20.998Z | Domain-Name | 2022-03-18T17:45:21.040Z | kirute[.]com | malicious domain |
| 2022-03-18T17:45:20.803Z | Domain-Name | 2022-03-18T17:45:20.868Z | sufebul[.]com | malicious domain |
| 2022-03-18T17:45:20.527Z | Domain-Name | 2022-03-18T17:45:20.572Z | fulujam[.]com | malicious domain |
| 2022-03-18T17:45:20.303Z | Domain-Name | 2022-03-18T17:45:20.356Z | kozoheh[.]com | malicious domain |
| 2022-03-18T17:45:20.062Z | Domain-Name | 2022-03-18T17:45:20.116Z | vafici[.]com | malicious domain |
| 2022-03-18T17:45:19.796Z | Domain-Name | 2022-03-18T17:45:19.885Z | solobiv[.]com | malicious domain |
| 2022-03-18T17:45:19.567Z | Domain-Name | 2022-03-18T17:45:19.632Z | ragojel[.]com | malicious domain |
| 2022-03-18T17:45:19.365Z | Domain-Name | 2022-03-18T17:45:19.450Z | modasum[.]com | malicious domain |
| 2022-03-18T17:45:19.066Z | Domain-Name | 2022-03-18T17:45:19.167Z | sujaxa[.]com | malicious domain |
| 2022-03-18T17:45:18.787Z | Domain-Name | 2022-03-18T17:45:18.825Z | guvafe[.]com | malicious domain |
| 2022-03-18T17:45:18.494Z | Domain-Name | 2022-03-18T17:45:18.570Z | dohigu[.]com | malicious domain |
| 2022-03-18T17:45:18.263Z | Domain-Name | 2022-03-18T17:45:18.345Z | kipitep[.]com | malicious domain |
| 2022-03-18T17:45:17.809Z | Domain-Name | 2022-03-18T17:45:17.914Z | dubacaj[.]com | malicious domain |
| 2022-03-18T17:45:17.459Z | Domain-Name | 2022-03-18T17:45:17.581Z | fofudir[.]com | malicious domain |
| 2022-03-18T17:45:17.177Z | Domain-Name | 2022-03-18T17:45:17.243Z | dawasab[.]com | malicious domain |
| 2022-03-18T17:45:16.955Z | Domain-Name | 2022-03-18T17:45:17.002Z | wuvidi[.]com | malicious domain |
| 2022-03-18T17:45:16.699Z | Domain-Name | 2022-03-18T17:45:16.824Z | nawusem[.]com | malicious domain |
| 2022-03-18T17:45:16.353Z | Domain-Name | 2022-03-18T17:45:16.432Z | wuvici[.]com | malicious domain |
| 2022-03-18T17:45:15.941Z | Domain-Name | 2022-03-18T17:45:16.010Z | kuxizi[.]com | malicious domain |
| 2022-03-18T17:45:15.696Z | Domain-Name | 2022-03-18T17:45:15.731Z | bimafu[.]com | malicious domain |
| 2022-03-18T17:45:15.360Z | Domain-Name | 2022-03-18T17:45:15.499Z | vegubu[.]com | malicious domain |
| 2022-03-18T17:45:15.089Z | Domain-Name | 2022-03-18T17:45:15.157Z | cilomum[.]com | malicious domain |
| 2022-03-18T17:45:14.840Z | Domain-Name | 2022-03-18T17:45:14.915Z | kidukes[.]com | malicious domain |
| 2022-03-18T17:45:14.658Z | Domain-Name | 2022-03-18T17:45:14.716Z | fipoleb[.]com | malicious domain |
| 2022-03-18T17:45:14.365Z | Domain-Name | 2022-03-18T17:45:14.449Z | kogasiv[.]com | malicious domain |
| 2022-03-18T17:45:14.191Z | Domain-Name | 2022-03-18T17:45:14.235Z | xegogiv[.]com | malicious domain |
| 2022-03-18T17:45:13.848Z | Domain-Name | 2022-03-18T17:45:13.922Z | bupula[.]com | malicious domain |
| 2022-03-18T17:45:13.628Z | Domain-Name | 2022-03-18T17:45:13.665Z | lipozi[.]com | malicious domain |
| 2022-03-18T17:45:13.325Z | Domain-Name | 2022-03-18T17:45:13.418Z | hepide[.]com | malicious domain |
| 2022-03-18T17:45:13.028Z | Domain-Name | 2022-03-18T17:45:13.087Z | vonavu[.]com | malicious domain |
| 2022-03-18T17:45:12.794Z | Domain-Name | 2022-03-18T17:45:12.874Z | rimurik[.]com | malicious domain |
| 2022-03-18T17:45:12.515Z | Domain-Name | 2022-03-18T17:45:12.591Z | nerapo[.]com | malicious domain |
| 2022-03-18T17:45:12.147Z | Domain-Name | 2022-03-18T17:45:12.236Z | bujoke[.]com | malicious domain |
| 2022-03-18T17:45:11.696Z | Domain-Name | 2022-03-18T17:45:11.762Z | vipeced[.]com | malicious domain |
| 2022-03-18T17:45:11.440Z | Domain-Name | 2022-03-18T17:45:11.535Z | tubaho[.]com | malicious domain |
| 2022-03-18T17:45:11.079Z | Domain-Name | 2022-03-18T17:45:11.189Z | radezig[.]com | malicious domain |
| 2022-03-18T17:45:10.705Z | Domain-Name | 2022-03-18T17:45:10.743Z | kuyeguh[.]com | malicious domain |
| 2022-03-18T17:45:10.351Z | Domain-Name | 2022-03-18T17:45:10.457Z | bumoyez[.]com | malicious domain |
| 2022-03-18T17:45:09.982Z | Domain-Name | 2022-03-18T17:45:10.066Z | tifiru[.]com | malicious domain |
| 2022-03-18T17:45:09.602Z | Domain-Name | 2022-03-18T17:45:09.754Z | wezeriw[.]com | malicious domain |
| 2022-03-18T17:45:08.833Z | Domain-Name | 2022-03-18T17:45:08.887Z | tepiwo[.]com | malicious domain |
| 2022-03-18T17:45:08.486Z | Domain-Name | 2022-03-18T17:45:08.581Z | vigave[.]com | malicious domain |
| 2022-03-18T17:45:08.165Z | Domain-Name | 2022-03-18T17:45:08.229Z | moduwoj[.]com | malicious domain |
| 2022-03-18T17:45:07.012Z | Domain-Name | 2022-03-18T17:45:07.067Z | kelowuh[.]com | malicious domain |
| 2022-03-18T17:45:06.765Z | Domain-Name | 2022-03-18T17:45:06.860Z | ganobaz[.]com | malicious domain |
| 2022-03-18T17:45:06.406Z | Domain-Name | 2022-03-18T17:45:06.540Z | cajeti[.]com | malicious domain |
| 2022-03-18T17:45:05.993Z | Domain-Name | 2022-03-18T17:45:06.127Z | pazovet[.]com | malicious domain |
| 2022-03-18T17:45:05.324Z | Domain-Name | 2022-03-18T17:45:05.413Z | rexagi[.]com | malicious domain |
| 2022-03-18T17:45:04.513Z | Domain-Name | 2022-03-18T17:45:04.622Z | jegufe[.]com | malicious domain |
| 2022-03-18T17:45:04.194Z | Domain-Name | 2022-03-18T17:45:04.260Z | barovur[.]com | malicious domain |
| 2022-03-18T17:45:03.604Z | Domain-Name | 2022-03-18T17:45:03.828Z | dihata[.]com | malicious domain |
| 2022-03-18T17:45:03.189Z | Domain-Name | 2022-03-18T17:45:03.301Z | hesovaw[.]com | malicious domain |
| 2022-03-18T17:45:02.761Z | Domain-Name | 2022-03-18T17:45:02.841Z | buloxo[.]com | malicious domain |
| 2022-03-18T17:45:02.043Z | Domain-Name | 2022-03-18T17:45:02.280Z | vojefe[.]com | malicious domain |
| 2022-03-18T17:45:01.553Z | Domain-Name | 2022-03-18T17:45:01.644Z | paxobuy[.]com | malicious domain |
| 2022-03-18T17:45:01.320Z | Domain-Name | 2022-03-18T17:45:01.377Z | badiwaw[.]com | malicious domain |
| 2022-03-18T17:45:01.128Z | Domain-Name | 2022-03-18T17:45:01.180Z | fecotis[.]com | malicious domain |
| 2022-03-18T17:45:00.939Z | Domain-Name | 2022-03-18T17:45:00.989Z | jecubat[.]com | malicious domain |
| 2022-03-18T17:45:00.632Z | Domain-Name | 2022-03-18T17:45:00.743Z | pihafi[.]com | malicious domain |
| 2022-03-18T17:45:00.458Z | Domain-Name | 2022-03-18T17:45:00.499Z | pofifa[.]com | malicious domain |
| 2022-03-18T17:45:00.259Z | Domain-Name | 2022-03-18T17:45:00.291Z | hejalij[.]com | malicious domain |
| 2022-03-18T17:44:59.981Z | Domain-Name | 2022-03-18T17:45:00.045Z | tiyuzub[.]com | malicious domain |
| 2022-03-18T17:44:59.816Z | Domain-Name | 2022-03-18T17:44:59.856Z | movufa[.]com | malicious domain |
| 2022-03-18T17:44:59.616Z | Domain-Name | 2022-03-18T17:44:59.651Z | vizosi[.]com | malicious domain |
| 2022-03-18T17:44:59.364Z | Domain-Name | 2022-03-18T17:44:59.459Z | pipipub[.]com | malicious domain |
| 2022-03-18T17:44:59.107Z | Domain-Name | 2022-03-18T17:44:59.177Z | raferif[.]com | malicious domain |
| 2022-03-18T17:44:58.906Z | Domain-Name | 2022-03-18T17:44:58.951Z | gerepa[.]com | malicious domain |
| 2022-03-18T17:44:58.658Z | Domain-Name | 2022-03-18T17:44:58.724Z | mebonux[.]com | malicious domain |
| 2022-03-18T17:44:58.505Z | Domain-Name | 2022-03-18T17:44:58.543Z | rinutov[.]com | malicious domain |
| 2022-03-18T17:44:58.357Z | Domain-Name | 2022-03-18T17:44:58.388Z | wudepen[.]com | malicious domain |
| 2022-03-18T17:44:58.154Z | Domain-Name | 2022-03-18T17:44:58.196Z | tafobi[.]com | malicious domain |
| 2022-03-18T17:44:57.676Z | Domain-Name | 2022-03-18T17:44:57.769Z | pilagop[.]com | malicious domain |
| 2022-03-18T17:44:57.518Z | Domain-Name | 2022-03-18T17:44:57.546Z | masaxoc[.]com | malicious domain |
| 2022-03-18T17:44:57.360Z | Domain-Name | 2022-03-18T17:44:57.401Z | lujecuk[.]com | malicious domain |
| 2022-03-18T17:44:57.176Z | Domain-Name | 2022-03-18T17:44:57.216Z | hakakor[.]com | malicious domain |
| 2022-03-18T17:44:56.962Z | Domain-Name | 2022-03-18T17:44:57.012Z | basisem[.]com | malicious domain |
| 2022-03-18T17:44:56.741Z | Domain-Name | 2022-03-18T17:44:56.779Z | sidevot[.]com | malicious domain |
| 2022-03-18T17:44:56.592Z | Domain-Name | 2022-03-18T17:44:56.629Z | rusoti[.]com | malicious domain |
| 2022-03-18T17:44:56.433Z | Domain-Name | 2022-03-18T17:44:56.467Z | derotin[.]com | malicious domain |
| 2022-03-18T17:44:56.246Z | Domain-Name | 2022-03-18T17:44:56.302Z | gucunug[.]com | malicious domain |
| 2022-03-18T17:44:55.804Z | Domain-Name | 2022-03-18T17:44:55.843Z | hireja[.]com | malicious domain |
| 2022-03-18T17:44:55.584Z | Domain-Name | 2022-03-18T17:44:55.642Z | wuluxo[.]com | malicious domain |
| 2022-03-18T17:44:55.358Z | Domain-Name | 2022-03-18T17:44:55.410Z | hoguyum[.]com | malicious domain |
| 2022-03-18T17:44:55.164Z | Domain-Name | 2022-03-18T17:44:55.196Z | newiro[.]com | malicious domain |
| 2022-03-18T17:44:54.892Z | Domain-Name | 2022-03-18T17:44:54.987Z | comecal[.]com | malicious domain |
| 2022-01-16T21:46:40.452Z | Domain-Name | 2022-03-18T17:44:57.983Z | sazoya[.]com | malicious domain |
| 2022-01-16T17:34:16.826Z | Domain-Name | 2022-03-18T17:45:09.420Z | hidusi[.]com | malicious domain |
| 2022-01-16T17:34:16.503Z | Domain-Name | 2022-03-18T17:45:09.094Z | joxinu[.]com | malicious domain |
| 2022-01-16T07:42:01.545Z | Domain-Name | 2022-03-18T17:45:05.681Z | dirupun[.]com | malicious domain |
| 2022-01-15T23:09:27.174Z | Domain-Name | 2022-03-18T17:44:56.096Z | wideri[.]com | malicious domain |
References
- https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/
- https://www.cisa.gov/uscert/ncas/alerts/aa21-265a