Conti Ransomware Group Cobalt Strike C2 Analysis & Persistence (Anydesk, Atera, Splash)

Michael Koczwara
5 min readAug 8, 2021

Conti is a Ransomware-as-a-Service that was first observed in December 2019 and has been distributed via TrickBot. It has been used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using Conti steal sensitive files and information from compromised networks and threaten to publish this data unless the ransom is paid.

https://attack.mitre.org/software/S0575/

Conti Ransomware Group Cobalt Strike C2 Infrastructure

IP:162.244.80[.]235 & Domain: softnewspaper[.]com

IP:85.93.88[.]165 & Domain: macrodown[.]com

IP:185.141.63[.]120 & Domain: shanroban[.]com

IP:82.118.21[.]1 & Domain: bmwfor[.]com

Conti Ransomware Group Cobalt Strike C2 Infrastructure

162.244.80[.]235

Domain categorized as business commercial.

softnewspaper.com,/jquery-3.3.1.min.js

Ports opened: 22, 80, 443

HTTP 404 Not Found on 80 and 443 and 0 as content length

Basic Beacon Configuration Analysis

Malleable C2 jQuery profile

SpawnTo dllhost.exe

Sleeping & Jitter 5000 + 10

HTTP/1.1  404 Not Found
Server: Apache
Content-Length: 0
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/plain
CobaltStrike Beacon configurations:
| x86 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 10
| C2 Server: softnewspaper.com,/jquery-3.3.1.min.js
| HTTP Method Path 2: /jquery-3.3.2.min.js
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\dllhost.exe
| Spawnto_x64: %windir%\sysnative\dllhost.exe
| Proxy_AccessType: 2 (Use IE settings)
|
|
| x64 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 10
| C2…
Michael Koczwara