Talk on Dynamic Analysis of Conti Ransom
Recently I gave a talk at DEFCON 201, the "DEFCON NEW JERSEY" group, on Conti Ransom, in which I discussed the internals of Conti Ransom.
You can watch it here:
Recently, Conti Ransom has been seen targeting hospitals and public health care centers across the U.S. CISA has also issued an alert on this emerging threat, the Ryuk successor "Conti" ransomware, as concluded from multiple recent research reports from the threat intelligence community. We have also been tracking Conti Ransom activity for the last few months, since the middle of last year.
Like other groups, Conti Ransom's targeting follows tactics and techniques similar to those of the "WannaCry" ransomware: on execution, "Conti" encrypts the files on the victim machine and asks the victim to pay for their encrypted files in cryptocurrency, most likely Bitcoin, after installing the Tor browser and using the provided .onion link; if the victim does not pay, their data is leaked on the leak sites run by these groups.
Samples of "Conti Ransom" have been available since August, and since then development of "Conti" Ransom has progressed from version 1 to version 2 and, recently, to a version 3 phase.
Infections of "Conti Ransom" have increased over the past few months. Mainly, the TrickBot crime group has been dropping Conti Ransom in the PowerShell Empire campaign that originates from TrickBot's stealthy targeting.
Method of analyzing the samples and detection:-
For analyzing the samples we used the "ANY.RUN" malware sandbox platform, which is widely popular among malware researchers and threat intelligence analysts. ANY.RUN provides the capability of analyzing samples in a safe environment; it generates the IOCs, MITRE ATT&CK TTPs and the process graph, and the network pcaps can also be downloaded after the static and dynamic analysis is completed.
Conti Ransomware Analysis
Conti Ransom (Version 1) Analysis:-
Mitre Att&ck Matrix:-
The MITRE ATT&CK matrix shown above for Conti Ransom (v1) suggests that execution of Conti occurs through use of the "Native API"; for persistence, the technique known as "Application Shimming" is used, which hooks the backward-compatibility support for applications built for older versions; and for privilege escalation the "Process Injection" technique is used, in which code is injected into another process, even one in the suspended state.
It also evades the defense mechanisms of the victim's system with techniques like file deletion, process injection and software packing, so that it cannot be detected easily even after infection. In further investigation we discovered that it gathers information about the victim system in depth, and all of the collected data is then encrypted using crypto functions. Lastly, the command and control (C2) server is contacted over encrypted channels, as crypto-based functions are used to encrypt all malicious activity of the threat actor.
Detection Technique 1: Process hollowing injection into cmd.exe for stopping services and inhibiting system recovery, as well as extracting running-services information.
From the dynamic analysis it has been seen that the .exe dropped in the PowerShell Empire campaign performs process hollowing by producing a bunch of cmd.exe processes; these cmd.exe processes then execute net.exe, which in turn executes net1.exe (figure i). In figure (ii) we can see that cmd.exe executes a number of times, using the technique of deleting services running in the system that could be useful to eliminate the threat of "Conti Ransom". Also, the ransom payload is loaded into memory by process hollowing from the main .exe file into cmd.exe and then into vssadmin.exe, which deletes the shadow copies and files that are helpful for recovery of the corrupted system.
Detection Technique 2: Intensive use of "vssadmin" and "net" commands to remove "shadows" and stop services.
In this technique adopted by Conti Ransom, the "vssadmin" command is used intensively to delete many of the shadow copies, and several services concerning "MYSQL", "MSExchange", "Backups" and "IISadmin" are stopped through the "net" command.
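As an added example (not code from the original talk or post), the following Python script shows how Detection Techniques 1 and 2 above could be checked over process-creation telemetry: it flags vssadmin shadow deletion, "net stop" of the named service families, the net1.exe <- net.exe <- cmd.exe chain rooted in a non-shell process, and a burst of cmd.exe children from one dropper. The events, process names and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon-like fields) reproducing the chain described
# above: a dropped .exe spawns a burst of cmd.exe children that run net.exe -> net1.exe and vssadmin.exe.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "dropped.exe",  "cmd": r"C:\Users\victim\AppData\Local\Temp\dropped.exe"},
    {"pid": 301, "ppid": 200, "image": "cmd.exe",      "cmd": "cmd.exe /c net stop MSExchangeIS /y"},
    {"pid": 302, "ppid": 200, "image": "cmd.exe",      "cmd": "cmd.exe /c net stop MySQL /y"},
    {"pid": 303, "ppid": 200, "image": "cmd.exe",      "cmd": "cmd.exe /c net stop IISADMIN /y"},
    {"pid": 304, "ppid": 200, "image": "cmd.exe",      "cmd": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"pid": 401, "ppid": 301, "image": "net.exe",      "cmd": "net stop MSExchangeIS /y"},
    {"pid": 501, "ppid": 401, "image": "net1.exe",     "cmd": r"C:\Windows\system32\net1 stop MSExchangeIS /y"},
    {"pid": 404, "ppid": 304, "image": "vssadmin.exe", "cmd": "vssadmin delete shadows /all /quiet"},
    {"pid": 600, "ppid": 100, "image": "cmd.exe",      "cmd": "cmd.exe /c dir"},  # benign user shell
]

SHADOW_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)
NET_STOP_RE = re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+(\S+)", re.I)
TARGETED_SVC_RE = re.compile(r"mysql|msexchange|backup|iisadmin", re.I)  # families named in the analysis
SHELLS = {"cmd.exe", "powershell.exe", "explorer.exe"}
CMD_BURST_THRESHOLD = 3  # this many cmd.exe children from one non-shell parent is suspicious

def detect(events):
    # Returns a sorted list of (alert_name, pid) tuples.
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    alerts = set()
    for e in events:
        cmd, image = e["cmd"], e["image"].lower()
        if SHADOW_RE.search(cmd):
            alerts.add(("shadow_copy_deletion", e["pid"]))
        m = NET_STOP_RE.search(cmd)
        if m and TARGETED_SVC_RE.search(m.group(1)):
            alerts.add(("service_stop:" + m.group(1), e["pid"]))
        if image == "net1.exe":  # walk net1.exe <- net.exe <- cmd.exe <- root
            net = by_pid.get(e["ppid"])
            sh = by_pid.get(net["ppid"]) if net else None
            root = by_pid.get(sh["ppid"]) if sh else None
            if sh and root and sh["image"].lower() == "cmd.exe" and root["image"].lower() not in SHELLS:
                alerts.add(("cmd_net_net1_chain", root["pid"]))
    for ppid, kids in children.items():  # burst of cmd.exe children from a non-shell parent
        n_cmd = sum(1 for k in kids if k["image"].lower() == "cmd.exe")
        parent = by_pid.get(ppid)
        if parent and n_cmd >= CMD_BURST_THRESHOLD and parent["image"].lower() not in SHELLS:
            alerts.add(("cmd_burst", ppid))
    return sorted(alerts)
```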
Main object- “1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.exe”
Main object- “c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.exe”
YARA Rule :-
Conti Ransom (version 2) Analysis:-
Mitre Att&ck Matrix:-
Execution of the malware is done using a technique similar to the one we saw in the earlier version (v1) of Conti Ransom. In version 2 (v2) of Conti Ransom the "Native API" is used for faster completion of the infection process, and the privilege escalation technique of process injection is also applied by v2. As the infection continues on the victim machine, several defense evasion techniques are used, like masquerading by creating files in the user and program directories and in Program Files, process injection, and obfuscating and de-obfuscating information and files.
It also gains credential access for the user by the "Credential API Hooking" technique, and obtains system information partly by fetching it through Windows API functions and partly by placing a potential keylogger on the victim system. Then the same technique as in v1 is deployed, encrypting all the collected data, but in this version the interaction with the command and control server is made mainly using encryption, connecting through proxies to a Tor-only accessible .onion address.
Detection Technique 1:- Fetching of malicious plugins using the installed browser.
The sandbox we used for analysis suggests that as the execution of Conti Ransom (v2) begins, it first installs a malicious browser plugin and drops all the required malicious files on the victim device.
Detection Technique 2 :- Establishing persistence using the Office Word Startup folder infection.
Soon after the infection proceeds, as described in the MITRE ATT&CK vectors above, Conti (v2) achieves persistence by writing a logic bomb into the macros of the Office docs, so the victim system will not be able to recover without paying off the threat actor who has ransomed the victim device.
Detection Technique 3:- Renaming and encrypting files.
Lastly, as the infection completes, the files are renamed and encrypted, and a text file is dropped on the system.
YARA Rule :-
Conti Ransom (version 3) Analysis:-
Mitre Att&ck Matrix:-
According to the detections from the MITRE ATT&CK vectors, Conti Ransom (v3) uses the same defense evasion techniques as Conti Ransom (v2). C2 (command and control) communication takes place in an encrypted tunnel using a proxy running on port 443.
Detection Technique 1:- Execution through loading of the dropped malicious .dll into the system.
The infection starts with the loading of the malicious .dll into the system.
Detection Technique 2:- Execution of an arbitrary binary by calling rundll32.exe.
For loading the malicious payload/executable, rundll32.exe is called and loads the main .dll executable into memory as the infection proceeds.
Detection Technique 3:- Loading the malicious library to counter defense mechanisms.
For loading the malicious payload/executable, rundll32.exe is deployed for the triage of the targeted machine, as rundll32.exe loads the malicious .dll.
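As an added example (not code from the original talk or post), this Python script shows one way to triage the rundll32.exe activity described in v3 Detection Techniques 2 and 3: it parses the DLL path and export out of a rundll32 command line and flags loads from user-writable directories, non-.dll file extensions, and unusual parent processes. The events, paths and parent names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events for rundll32.exe (Sysmon-like fields).
EVENTS = [
    {"pid": 10, "parent": "explorer.exe", "image": "rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},          # benign
    {"pid": 11, "parent": "dropped.exe", "image": "rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\victim\AppData\Local\Temp\payload.dll,StartW"},  # dropped DLL
    {"pid": 12, "parent": "WINWORD.EXE", "image": "rundll32.exe",
     "cmd": r"rundll32.exe C:\ProgramData\update.dat,DllRegisterServer"},            # disguised DLL
    {"pid": 13, "parent": "svchost.exe", "image": "rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\werconcpl.dll,LaunchWerApp"},         # benign
]

# Path fragments a standard user can write to; a real DLL rarely needs to live there.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\", "\\public\\")
EXPECTED_PARENTS = {"explorer.exe", "svchost.exe", "services.exe"}

def parse_rundll32(cmd):
    # Returns (dll_path, export) from "rundll32[.exe] <dll>[,<export>] ...", or (None, None).
    m = re.match(r'\s*"?rundll32(?:\.exe)?"?\s+"?([^",]+?)"?(?:,(\S+))?(?:\s|$)', cmd, re.I)
    return (m.group(1), m.group(2)) if m else (None, None)

def score_rundll32(ev):
    # Returns the list of reasons this rundll32 event looks like a dropped-DLL load.
    if ev["image"].lower() != "rundll32.exe":
        return []
    dll, _export = parse_rundll32(ev["cmd"])
    if dll is None:
        return []
    reasons = []
    if any(tok in dll.lower() for tok in USER_WRITABLE):
        reasons.append("dll_in_user_writable_path")
    if PureWindowsPath(dll).suffix.lower() != ".dll":
        reasons.append("non_dll_extension")
    if ev["parent"].lower() not in EXPECTED_PARENTS:
        reasons.append("unusual_parent:" + ev["parent"].lower())
    return reasons

def suspicious(events):
    # Maps pid -> reasons for every rundll32 event with at least one reason.
    out = {}
    for e in events:
        reasons = score_rundll32(e)
        if reasons:
            out[e["pid"]] = reasons
    return out
```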
Main object- “f092b985b75a702c784f0936ce892595b91d025b26f3387a712b76dcc3a4bc81.dll”
Main object- “26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe”
Registry Activities :-
Infection Remedies :-
..:- Keep your system updated with the latest patches.
..:- Keep the network firewalled.
..:- Keep regular checks on account and email access controls.
..:- Your network infrastructure must be able to detect malicious documents.
..:- Keep regular and multiple backups of the system for future use.
..:- Consult incident responders about any suspicious activity that occurs across the network.
Additional Resources :-