Conti Ransomware Group Cobalt Strike C2 Analysis & Persistence (Anydesk, Atera, Splash)
--
Conti is a Ransomware-as-a-Service that was first observed in December 2019 and has been distributed via TrickBot. It has been used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using Conti steal sensitive files and information from compromised networks and threaten to publish this data unless the ransom is paid.
https://attack.mitre.org/software/S0575/
Conti Ransomware Group Cobalt Strike C2 Infrastructure
IP:162.244.80[.]235 & Domain: softnewspaper[.]com
IP:85.93.88[.]165 & Domain: macrodown[.]com
IP:185.141.63[.]120 & Domain: shanroban[.]com
IP:82.118.21[.]1 & Domain: bmwfor[.]com
162.244.80[.]235
Domain categorized as business/commercial by web filtering, which lets the Beacon traffic blend in with ordinary browsing.
C2 server string (host,URI): softnewspaper.com,/jquery-3.3.1.min.js
Open ports: 22, 80, 443
Both 80 and 443 answer an unknown URI with HTTP 404 Not Found and Content-Length: 0, the default Cobalt Strike team server reply (a real Apache 404 would carry an HTML error body).
Basic Beacon Configuration Analysis
Malleable C2 profile: the public jQuery profile (GET /jquery-3.3.1.min.js, POST /jquery-3.3.2.min.js; the Server, Keep-Alive, Connection and Content-Type headers below match its http-config block)
SpawnTo: dllhost.exe (syswow64 for x86, sysnative for x64)
Sleep & jitter: 5000 ms with 10% jitter
HTTP/1.1 404 Not Found
Server: Apache
Content-Length: 0
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/plain
CobaltStrike Beacon configurations:
| x86 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 10
| C2 Server: softnewspaper.com,/jquery-3.3.1.min.js
| HTTP Method Path 2: /jquery-3.3.2.min.js
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\dllhost.exe
| Spawnto_x64: %windir%\sysnative\dllhost.exe
| Proxy_AccessType: 2 (Use IE settings)
|
|
| x64 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 10
| C2…
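The two checks used above, the empty text/plain 404 fingerprint and the Beacon configuration dump, can be reproduced offline. The following script is an added example written for this page, not tooling from the original post or from the Nmap/1768.py parsers whose output format the page reproduces. It assumes the publicly documented Beacon config layout (a single-byte XOR of 0x2E for Cobalt Strike 4.x or 0x69 for 3.x, then big-endian TLV records of index, type, length; setting indices and type codes as listed in public parsers). The encoded config blob and the HTTP response are constructed to mirror the values reported above; they are not bytes captured from 162.244.80[.]235.

```python
"""Offline helpers for the Cobalt Strike indicators discussed on this page:
a default-404 server fingerprint check and a Beacon config table decoder.
All sample inputs are constructed for illustration, not captured from the C2s."""
import struct

# Setting indices / value types as documented by public Beacon config parsers
# (1768.py, CobaltStrikeParser). Names mirror the report fields used on this page.
SETTING_NAMES = {
    1: "BeaconType", 2: "Port", 3: "Polling", 5: "Jitter", 8: "C2 Server",
    10: "HTTP Method Path 2", 26: "Method1", 27: "Method2",
    29: "Spawnto_x86", 30: "Spawnto_x64", 35: "Proxy_AccessType",
}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP", 8: "HTTPS", 16: "Bind TCP"}
PROXY_ACCESS = {1: "Use direct connection", 2: "Use IE settings", 4: "Use proxy server"}
XOR_KEYS = (0x2E, 0x69)          # single-byte keys used by Cobalt Strike 4.x and 3.x
TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3


def _setting(index, typ, value, size=None):
    """Encode one TLV record: 2-byte index, 2-byte type, 2-byte length, then the value."""
    if typ == TYPE_SHORT:
        data = struct.pack(">H", value)
    elif typ == TYPE_INT:
        data = struct.pack(">I", value)
    else:
        data = value.encode("latin-1").ljust(size, b"\x00")   # strings are NUL-padded to a fixed size
    return struct.pack(">HHH", index, typ, len(data)) + data


def build_sample_config(key=0x2E):
    """Constructed config mirroring the values on this page, XOR-encoded like a real blob."""
    plain = b"".join([
        _setting(1, TYPE_SHORT, 8),                      # BeaconType: HTTPS
        _setting(2, TYPE_SHORT, 443),
        _setting(3, TYPE_INT, 5000),                     # sleep (polling) in ms
        _setting(5, TYPE_SHORT, 10),                     # jitter percent
        _setting(8, TYPE_DATA, "softnewspaper.com,/jquery-3.3.1.min.js", 256),
        _setting(10, TYPE_DATA, "/jquery-3.3.2.min.js", 64),
        _setting(26, TYPE_DATA, "GET", 16),
        _setting(27, TYPE_DATA, "POST", 16),
        _setting(29, TYPE_DATA, r"%windir%\syswow64\dllhost.exe", 64),
        _setting(30, TYPE_DATA, r"%windir%\sysnative\dllhost.exe", 64),
        _setting(35, TYPE_SHORT, 2),                     # proxy: use IE settings
        b"\x00" * 6,                                     # index 0 terminates the table
    ])
    # Surround with filler so the parser has to locate the table, as in a dumped stager.
    return b"JUNK-BEFORE-CONFIG" + bytes(b ^ key for b in plain) + b"JUNK-AFTER"


SAMPLE_CONFIG_ENCODED = build_sample_config()


def parse_beacon_config(blob):
    """Locate and decode a Beacon config table inside an arbitrary byte blob."""
    for key in XOR_KEYS:
        decoded = bytes(b ^ key for b in blob)
        # The table always starts with setting 1 (BeaconType) stored as a 2-byte short.
        start = decoded.find(b"\x00\x01\x00\x01\x00\x02")
        if start != -1:
            break
    else:
        raise ValueError("no Beacon configuration table found")

    settings = {"xor_key": key}
    pos = start
    while pos + 6 <= len(decoded):
        index, typ, length = struct.unpack_from(">HHH", decoded, pos)
        pos += 6
        if index == 0:
            break                                        # end of table
        raw = decoded[pos:pos + length]
        pos += length
        if len(raw) != length:
            break                                        # truncated blob
        if typ == TYPE_SHORT:
            value = struct.unpack(">H", raw)[0]
        elif typ == TYPE_INT:
            value = struct.unpack(">I", raw)[0]
        else:
            value = raw.rstrip(b"\x00").decode("latin-1")
        if index == 1:
            value = f"{value} ({BEACON_TYPES.get(value, 'unknown')})"
        elif index == 35:
            value = f"{value} ({PROXY_ACCESS.get(value, 'unknown')})"
        settings[SETTING_NAMES.get(index, f"Setting_{index}")] = value
    return settings


# Constructed response matching the headers shown on this page.
SAMPLE_404 = (
    "HTTP/1.1 404 Not Found\r\nServer: Apache\r\nContent-Length: 0\r\n"
    "Keep-Alive: timeout=10, max=100\r\nConnection: Keep-Alive\r\n"
    "Content-Type: text/plain\r\n\r\n"
)


def is_cs_default_response(raw_response):
    """True if a raw HTTP response looks like the team server's reply to an unknown
    URI: 404, text/plain, empty body. A hunting signal, not proof on its own."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return (status.startswith("HTTP/1.1 404")
            and headers.get("content-length") == "0"
            and headers.get("content-type") == "text/plain")


if __name__ == "__main__":
    print("default 404 fingerprint:", is_cs_default_response(SAMPLE_404))
    for name, value in parse_beacon_config(SAMPLE_CONFIG_ENCODED).items():
        print(f"{name}: {value}")
```

The 404 check is deliberately loose: the jQuery profile rewrites the Server and Keep-Alive headers, so only the empty text/plain 404 is kept as the signal, and it should be combined with the URI paths and the decoded config before calling a host a team server. The parser walks the table until the index-0 terminator rather than trusting the blob length, so a truncated dump still yields the settings that were recovered.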