My talk at DEFCON 201 NJ

Talk on Dynamic Analysis of Conti Ransom

Recently I gave a talk at DEFCON 201, that is the “DEFCON NEW JERSEY” group, on Conti Ransom, in which I discussed the internals of Conti Ransom.

You can watch it here:

Introduction:-
Conti Ransom has recently been seen targeting hospitals and public health care centers across the U.S. CISA has also issued an alert on this emerging threat, the Ryuk successor “Conti” ransomware, and the same conclusion follows from multiple recent research reports from the threat intelligence community. We have also been tracking Conti Ransom activity for the last few months, since the middle of last year.

Background:-

Like other groups, Conti Ransom follows tactics and techniques similar to those of the “WannaCry” ransomware: on execution, “Conti” encrypts the files on the victim machine and asks the victim to pay for their encrypted files in cryptocurrency, most likely Bitcoin, after installing the Tor browser and using the provided .onion link. If the victim does not pay, their data is leaked on the leak sites run by these groups.

Samples of “Conti Ransom” have been available since August, and since then development of “Conti” Ransom has progressed from version 1 to version 2 and, recently, version 3.

Infections of “Conti Ransom” have increased over the past few months. The TrickBot crime group has mainly been dropping Conti Ransom in the PowerShell Empire campaign that originated from TrickBot’s stealthy targeting.

Method of analyzing the samples and detection:-

For analyzing the samples we used the “ANY.RUN” malware sandbox platform, which is widely popular among malware researchers and threat intelligence analysts. ANY.RUN provides the capability of analyzing samples in a safe environment; it generates the IOCs, MITRE ATT&CK TTPs and the process graph, and the network pcaps can also be downloaded once the static and dynamic analysis is completed.

Conti Ransomware Analysis

Conti Ransom (Version 1) Analysis:-

Signature Information:-

Conti Ransom (v1) Signature Details

Mitre Att&ck Matrix:-

The MITRE ATT&CK matrix shown above for Conti Ransom (v1) suggests that execution of Conti occurs through use of the “Native API”; that for persistence it hooks the backward-compatibility support Windows provides for applications built for older versions, a technique known as “Application Shimming”; and that for further privilege escalation the “Process Injection” technique is used, in which a process is injected even while in the suspended state.

Detailed view of TTPs using Mitre Att&ck Matrix for Conti Ransom (v1)

Not only that, it also evades the defense mechanisms of the victim’s system with techniques like file deletion, process injection and software packing, so that it cannot be detected easily even after infection. In further investigation we discovered that it gathers detailed information about the victim system, after which all of the collected data is encrypted using crypto functions. Lastly, the command and control (C2) server is contacted over encrypted channels, as crypto-based functions are used to encrypt all of the threat actor’s malicious activity.

Detection Technique 1: Process hollowing injected into cmd.exe to stop services and inhibit system recovery, as well as to extract running-service information.

From the dynamic analysis it has been seen that the .exe dropped in the PowerShell Empire campaign performs process hollowing by producing a bunch of cmd.exe processes; these cmd.exe processes then execute net.exe, which in turn executes net1.exe (figure i). In figure (ii) we can see that cmd.exe executes a number of times, using the technique of deleting services running on the system, which can be useful for eliminating the threat of “Conti Ransom”. The ransom payload is also loaded into memory by process hollowing, from the main .exe file into the injected cmd.exe and on to vssadmin.exe, which deletes the shadow copies and files that would help recover the corrupted system.

Detection Technique 2: Intensive use of “vssadmin” and “net” commands to remove shadow copies and stop services.

In this technique, Conti Ransom uses the “vssadmin” command intensively to delete many of the shadow copies, and it also stops several services concerning “MYSQL”, “MSExchange”, “Backups” and “IISadmin” through the “net” command.
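The two v1 behaviours above (cmd.exe spawning net.exe and then net1.exe, `net stop` against the listed service families, and `vssadmin Delete Shadows`) are easy to turn into process-creation detections. The script below is an added example written for this post, not the author's tooling or ANY.RUN output; the `key=value|key=value` record layout, the field names and the sample events are constructed for the example and should be adapted to a real Sysmon Event ID 1 or Security 4688 export.

```python
"""Detect Conti v1-style service stopping and shadow-copy deletion in
process-creation records (added example; constructed input format)."""
import re
from dataclasses import dataclass

# Service families the write-up lists as targets of "net stop";
# matched as case-insensitive substrings of the service name.
SERVICE_KEYWORDS = ("mysql", "msexchange", "backup", "iisadmin")

# Constructed sample events: pid, parent pid, image path, command line.
SAMPLE_EVENTS = [
    "pid=4100|ppid=3988|image=C:\\Users\\bob\\Downloads\\invoice.exe|cmd=invoice.exe",
    "pid=4120|ppid=4100|image=C:\\Windows\\System32\\cmd.exe|cmd=cmd.exe /c net stop MSExchangeIS /y",
    "pid=4124|ppid=4120|image=C:\\Windows\\System32\\net.exe|cmd=net stop MSExchangeIS /y",
    "pid=4126|ppid=4124|image=C:\\Windows\\System32\\net1.exe|cmd=net1 stop MSExchangeIS /y",
    "pid=4130|ppid=4100|image=C:\\Windows\\System32\\cmd.exe|cmd=cmd.exe /c vssadmin Delete Shadows /all /quiet",
    "pid=4132|ppid=4130|image=C:\\Windows\\System32\\vssadmin.exe|cmd=vssadmin Delete Shadows /all /quiet",
    "pid=5000|ppid=800|image=C:\\Windows\\System32\\net.exe|cmd=net use Z: \\\\fileserver\\share",
]


@dataclass
class Event:
    pid: int
    ppid: int
    image: str
    cmd: str


def parse_event(line):
    """Parse one constructed 'key=value|...' record into an Event."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return Event(int(fields["pid"]), int(fields["ppid"]), fields["image"], fields["cmd"])


VSSADMIN_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)
NET_STOP = re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+(\S+)", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines):
    """Return (finding, pid) tuples for the three behaviours described above."""
    events = [parse_event(line) for line in lines]
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        # 1. vssadmin deleting shadow copies, whether seen on the cmd.exe
        #    command line or on the vssadmin.exe process itself.
        if VSSADMIN_DELETE.search(e.cmd):
            findings.append(("shadow_copy_deletion", e.pid))
        # 2. net.exe / net1.exe stopping one of the listed service families.
        m = NET_STOP.search(e.cmd)
        if m and basename(e.image) in ("net.exe", "net1.exe"):
            if any(k in m.group(1).lower() for k in SERVICE_KEYWORDS):
                findings.append(("service_stop:" + m.group(1), e.pid))
        # 3. The cmd.exe -> net.exe -> net1.exe chain rooted in a binary
        #    that does not live under C:\Windows (the dropped .exe).
        if basename(e.image) == "net1.exe":
            parent = by_pid.get(e.ppid)
            grand = by_pid.get(parent.ppid) if parent else None
            if (parent and grand and basename(parent.image) == "net.exe"
                    and basename(grand.image) == "cmd.exe"):
                root = by_pid.get(grand.ppid)
                if root and not root.image.lower().startswith("c:\\windows\\"):
                    findings.append(("cmd_net_net1_chain_from:" + basename(root.image), e.pid))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The service-stop rule is deliberately keyed on the net.exe/net1.exe image rather than on every command line that contains "net stop", so the finding attaches to the process that actually did the work; the legitimate `net use` event in the sample produces nothing.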

Behavior Graph:-

IOCs:-

Main object- “1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.exe”
sha256 1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24
sha1 7b7f0c029a3dcb34a7a448f05b43c5657dd0c471
md5 42e106fd843b0e3585057c30424f695a
Connections:-
ip
192[.]168[.]100[.]137
Main object- “c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.exe”
sha256 c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4
sha1 68dcbf15e926bd239026ed065471d914c85f9c75
md5 a200d6c3988d8bf49c305f3e2adee785

Registry Activities:-

YARA Rule :-

Conti Ransom (version 2) Analysis:-

Signature Information:-

Conti Ransom (v2) Signature Details

Mitre Att&ck Matrix:-

Execution of the malware is done using the same technique we saw in the earlier version (v1) of Conti Ransom. Here in version 2 (v2) of Conti Ransom, the “Native API” is used for faster completion of the infection process, and the privilege escalation technique of process injection is also applied by v2. As the infection continues on the victim machine, several defense evasion techniques are used, such as masquerading by creating files in the user, program directory and Program Files locations, process injection, and obfuscating and de-obfuscating information and files.

Detailed view of TTPs using Mitre Att&ck Matrix for Conti Ransom (v2)

It also gains credential access for the user via the “Credential API Hooking” technique, and collects system information, some by fetching it with Windows API functions and some by placing a potential keylogger on the victim system. Then the same technique as in v1 is deployed, encrypting all the collected data, but in this version the interaction with the command and control server is mainly made using encryption and by connecting over a Tor-only accessible .onion address through proxies.

Detection Technique 1:- Fetching malicious plugins using the installed browser.

The sandbox we used for analysis indicates that as execution of Conti Ransom (v2) begins, it first installs a malicious browser plugin and drops all the required malicious files onto the victim device.

Detection Technique 2 :- Establishing persistence using the Office Word Startup folder.

Soon after, the infection proceeds as described in the MITRE ATT&CK vectors above. To achieve persistence, Conti (v2) writes a logic bomb into the macros of Office documents, so that the victim system will not be able to recover without paying off the threat actor who ransomed the victim device.

Detection Technique 3:- Renaming and encrypting files.
Lastly, as the infection completes, the files are renamed and encrypted, and a text file is dropped on the system.

Behavior Graph:-

IOCs:-

Main object- “d236d64b7bf9510ea1746d10a4c164a2ef2c724cc62b2bca91d72bdf24821e40.exe”
sha256 d236d64b7bf9510ea1746d10a4c164a2ef2c724cc62b2bca91d72bdf24821e40
sha1 dc653d16d1ee42f3af02816965dacf0006cdeb95
md5 930ce8cc7096169a8b15e4ada3181330
Connections:-
ip
192[.]168[.]1[.]2
Main object- “e64e350861b86d4e05668bc25e6c952880f6b39ca921496ccce1487dbf6acab6.exe”
sha256 e64e350861b86d4e05668bc25e6c952880f6b39ca921496ccce1487dbf6acab6
sha1 f4b83a63842384006b7b2fb061dd26d38356a7da
md5 8a8ced330677fc62a9a9a02f38652c1d
Connections:-
ip
192[.]168[.]1[.]2

Registry Activities:-

YARA Rule :-

Conti Ransom (version 3) Analysis:-

Conti Ransom (v3) Signature Details

Mitre Att&ck Matrix:-

According to the detections from the MITRE ATT&CK vectors, Conti Ransom (v3) uses the same defense evasion techniques as Conti Ransom (v2). C2 (command and control) communication takes place in an encrypted tunnel using a proxy running on port 443.

Detection Technique 1:- Execution through loading of a dropped malicious .dll into the system.

Infection starts with the loading of the malicious .dll into the system

Detection Technique 2:- Execution of arbitrary binary by calling rundll32.exe.

To load the malicious payload, rundll32.exe is called, and it loads the main .dll into memory as the infection proceeds.

Detection Technique 3:- Loading a malicious library to counter defense mechanisms.

To load the malicious payload, rundll32.exe is deployed for the triage of the targeted machine, as rundll32.exe is what loads the malicious .dll.
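Because rundll32.exe is a signed Windows binary, detecting the v3 start-up described above comes down to looking at what it is asked to load: a DLL under a user-writable directory, or one given by an environment variable or relative name, is the signal. The following is an added example for this post (not the author's code); it parses the rundll32 command-line syntax `rundll32.exe <dll>,<entrypoint> [args]` and classifies the DLL path. The record format and sample events are constructed; the directory lists are assumptions to tune per environment.

```python
"""Flag rundll32.exe loading a DLL from outside trusted install locations
(added example; constructed record format)."""
import re

# Locations where a legitimately installed DLL normally lives.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# User-writable drop locations; checked before the trusted list because
# C:\Windows\Temp sits under C:\Windows.
SUSPICIOUS_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\", "c:\\windows\\temp\\")

# Matches an optionally quoted, optionally path-qualified rundll32[.exe]
# followed by its argument string.
RUNDLL_RE = re.compile(r'^\s*"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s+(.*)$', re.I)

# Constructed sample process-creation records: pid, image, command line.
SAMPLE_EVENTS = [
    "pid=2210|image=C:\\Windows\\System32\\rundll32.exe|cmd=rundll32.exe C:\\Users\\bob\\AppData\\Local\\Temp\\upd.dll,StartW",
    "pid=2216|image=C:\\Windows\\System32\\rundll32.exe|cmd=\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Windows\\System32\\shell32.dll\",Control_RunDLL",
    "pid=2220|image=C:\\Windows\\System32\\rundll32.exe|cmd=rundll32 %APPDATA%\\svc.dll, Run",
    "pid=2230|image=C:\\Windows\\System32\\notepad.exe|cmd=notepad.exe",
]


def parse_rundll32(cmdline):
    """Return (dll_path, entry_point) for a rundll32 command line, else None."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    if "," in rest:
        # "<dll>,<entry> [args]"; the comma may be followed by whitespace
        dll, after = rest.split(",", 1)
        after = after.strip()
        entry = after.split(None, 1)[0] if after else ""
    else:
        dll = rest.split(None, 1)[0] if rest else ""
        entry = ""
    return dll.strip().strip('"'), entry.strip('"')


def classify_dll_path(path):
    """Coarse trust verdict for the DLL argument of rundll32."""
    p = path.lower()
    if p.startswith("%") or ":" not in p[:2]:
        # %ENV% expansion, relative name or UNC path: resolved via search
        # path or remote share, never a fixed trusted location
        return "unqualified_or_remote_path"
    if p.startswith(SUSPICIOUS_PREFIXES):
        return "user_writable"
    if p.startswith(TRUSTED_PREFIXES):
        return "trusted"
    return "other"


def detect(lines):
    """Return (pid, dll, entry, verdict) for every non-trusted rundll32 load."""
    findings = []
    for line in lines:
        fields = dict(part.split("=", 1) for part in line.split("|"))
        parsed = parse_rundll32(fields["cmd"])
        if parsed is None:
            continue
        dll, entry = parsed
        verdict = classify_dll_path(dll)
        if verdict != "trusted":
            findings.append((int(fields["pid"]), dll, entry, verdict))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The shell32.dll control-panel launch in the sample is a normal use of rundll32 and is not reported; the two loads from `%TEMP%` and `%APPDATA%` are. Pairing this with a Sysmon Event ID 7 (image load) check on the same process confirms which file was actually mapped.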

Behavior Graph:-

IOCs :-

Main object- “f092b985b75a702c784f0936ce892595b91d025b26f3387a712b76dcc3a4bc81.dll”
sha256 f092b985b75a702c784f0936ce892595b91d025b26f3387a712b76dcc3a4bc81
sha1 deae30bdc505699a61f65d4e629e5b66adf57034
md5 23a6691939ae3e33b3c31ada6eeed7b8
Main object- “26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe”
sha256 26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce
sha1 85c434fbaa94fb4d73d77429a32e88b184ec2f88
md5 77078664b4bbfbe25be44004431c1a37
Connections
ip
192[.]168[.]1[.]2
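The hash IOCs from the three sections above are the durable indicators; the "Connections" entries are all RFC 1918 private addresses (the sandbox's own network), so they identify the analysis environment rather than attacker infrastructure and should not go on a network blocklist. The script below is an added example, not the author's tooling: it hashes data with all three algorithms the write-up lists, matches the result against the page's hash sets, and refangs the `[.]`-notation indicators so they can be tested with the standard library. The sample bytes are constructed and match nothing in the list.

```python
"""Match file digests against the Conti hash IOCs listed in this write-up
and normalise defanged indicators (added example)."""
import hashlib
import ipaddress
import re

# sha256 / sha1 / md5 values copied from the v1, v2 and v3 IOC sections.
CONTI_SHA256 = {
    "1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24",
    "c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4",
    "d236d64b7bf9510ea1746d10a4c164a2ef2c724cc62b2bca91d72bdf24821e40",
    "e64e350861b86d4e05668bc25e6c952880f6b39ca921496ccce1487dbf6acab6",
    "f092b985b75a702c784f0936ce892595b91d025b26f3387a712b76dcc3a4bc81",
    "26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce",
}
CONTI_SHA1 = {
    "7b7f0c029a3dcb34a7a448f05b43c5657dd0c471",
    "68dcbf15e926bd239026ed065471d914c85f9c75",
    "dc653d16d1ee42f3af02816965dacf0006cdeb95",
    "f4b83a63842384006b7b2fb061dd26d38356a7da",
    "deae30bdc505699a61f65d4e629e5b66adf57034",
    "85c434fbaa94fb4d73d77429a32e88b184ec2f88",
}
CONTI_MD5 = {
    "42e106fd843b0e3585057c30424f695a",
    "a200d6c3988d8bf49c305f3e2adee785",
    "930ce8cc7096169a8b15e4ada3181330",
    "8a8ced330677fc62a9a9a02f38652c1d",
    "23a6691939ae3e33b3c31ada6eeed7b8",
    "77078664b4bbfbe25be44004431c1a37",
}
IOC_SETS = (("sha256", CONTI_SHA256), ("sha1", CONTI_SHA1), ("md5", CONTI_MD5))


def digests(data):
    """All three digests of an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def digests_of_file(path, chunk=1 << 20):
    """Same, but streamed from disk so large samples are not read at once."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def match_iocs(d):
    """Names of the algorithms whose digest hits the IOC list (empty if clean)."""
    return [algo for algo, ioc_set in IOC_SETS if d.get(algo, "").lower() in ioc_set]


DEFANG = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


def refang(indicator):
    """Turn '192[.]168[.]1[.]2' or 'hxxp://' back into a usable form."""
    return DEFANG.sub(".", indicator).replace("hxxp", "http")


def is_private_ipv4(ip):
    return ipaddress.ip_address(ip).is_private


if __name__ == "__main__":
    sample = b"constructed sample bytes"  # constructed; not a Conti binary
    print(digests(sample), match_iocs(digests(sample)))
    for ioc in ("192[.]168[.]100[.]137", "192[.]168[.]1[.]2"):
        addr = refang(ioc)
        print(addr, "private" if is_private_ipv4(addr) else "public")
```

Matching on all three algorithms is deliberate: a log source may only carry MD5 or SHA-1, and a hit on any one of them is enough to pivot on.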

Registry Activities :-

YARA Rule:-

Infection Remedies :-

..:- Keep your systems updated with the latest patches.
..:- Keep the network firewalled.
..:- Regularly review the access controls on accounts and email.
..:- Your network infrastructure must be able to detect malicious documents.
..:- Keep regular and multiple backups of the system for future use.
..:- Consult incident responders for any suspicious activity occurring across the network.

Additional Resources :-

From CISA:-

https://us-cert.cisa.gov/ncas/alerts/aa20-302a

From 0xthreatintel:-

https://0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74

From Community:-

https://threatpost.com/conti-iot-chip-advantech-ransom-demand/161691/
https://www.zdnet.com/article/conti-ryuk-joins-the-ranks-of-ransomware-gangs-operating-data-leak-sites/
https://securityintelligence.com/news/news-conti-ransomware-ryuks-successor/
https://www.zdnet.com/article/conti-ransomware-uses-32-simultaneous-cpu-threads-for-blazing-fast-encryption/
https://www.bleepingcomputer.com/news/security/conti-ransomware-shows-signs-of-being-ryuks-successor/

Thanks for reading.

aka Nikhil Rathor | Honey. Malware Analyst. I write blogs related to threat intelligence, malware analysis, APTs, network intrusions and incident response.
