The Splunk Threat Research team has researched two of the payloads currently used in these heinous campaigns against healthcare and first responder organizations: Conti and REvil. In the first blog, we explored the REvil ransomware group; in this blog, we will explore Conti.
The Conti ransomware payload is said to have surfaced in 2020 and is associated with some of the following attack vectors:
In this blog, I’ll show you how I used Splunk Attack Range, an open-source tool for simulating cyber attacks, to execute the Conti payload. The following screen captures show how Conti ransomware was executed via Splunk Attack Range.
First, we see the ransomware note, presenting a Darkweb address that victims need to visit in order to receive further instructions.
In the following graphic, the victim is asked to upload readme.txt created by the Conti ransomware payload.
Once we upload the readme.txt to the Conti recovery service site hosted on the dark web, we are presented with a chat window where we can see actual victims being threatened and trying to negotiate ransom payments in a chat platform titled “CONTI Recovery service”. Criminals have also been observed posting files they allegedly obtained from victim systems.
Further research on this group’s pages on the dark web reveals a “news” site where they publish information obtained from victims.
Conti ransomware is also known for obfuscating and encrypting its code. The screenshot below shows the different encrypted command line parameters that are decrypted at runtime to decide which file encryption mode to execute on a compromised host. If no parameter is supplied, the default is to encrypt all local drives and network shares.
| Command-line argument | Description |
|---|---|
| -p [folder path] | Encrypt files in the specified folder path |
| -m local | Encrypt all local drives |
| -m net | Encrypt all network shares |
| -m all | Encrypt all local and network drives/shares |
| -log [log file name] | Generate a log file of its encryption |
| -nomutex | Do not create the Conti mutex on the machine |
| -size | Encrypt files by chunk size |
Log File: Below is a screenshot of a Conti log file generated when the -log feature is used.
In the Conti sample we analyzed, we found that it appends the “.LSNWX” file extension to every file it encrypts, on local drives as well as network shares. Below are screenshots of its code creating .LSNWX files, as well as some files getting encrypted.
Below is a screenshot of a log file generated with the -m full parameter.
Below is the Conti code as it generates the ransomware notes in each affected directory, root drive or network share.
As soon as Conti ransomware finds files during the encryption process, it checks each file’s extension and file name against a list of extensions and names it avoids encrypting. Below is the list of file extensions and file names we found this malware sample skips.
.exe, .dll, .sys, .msi, readme.txt, .lnk, .LSNWX, .bat, CONTI_LOG.TXT
Targeted File Extensions: We also found several file extensions decrypted by this ransomware in memory for small and big files that it wants to encrypt. Below is the screenshot of memory as well as the complete list of the file extensions.
".4dd", ".4dl", ".accdb", ".accdc", ".accde", ".accdr", ".accdt", ".accft", ".adb", ".ade", ".adf", ".adp", ".arc", ".ora", ".alf", ".ask", ".btr", ".bdf", ".cat", ".cdb", ".ckp", ".cma", ".cpd", ".dacpac", ".dad", ".daschema", ".db", ".db-shm", ".db-wal", ".db3", ".dbc", ".dbf", ".dbs", ".dbt", ".dbv", ".dbx", ".dcb", ".dct", ".dcx", ".ddl", ".dlis", ".dp1", ".dqy", ".dsk", ".dsn", ".dtsx", ".dxl", ".eco", ".ecx", ".edb", ".epim", ".exb", ".fcd", ".fdb", ".fic", ".fmp", ".fmp12", ".fmpsl", ".fol", ".fp3", ".fp4", ".fp5", ".fp7", ".fpt", ".frm", ".gdb", ".grdb", ".gwi", ".hdb", ".his", ".ib", ".idb", ".ihx", ".itdb", ".itw", ".jet", ".jtx", ".kdb", ".kexi", ".kexic", ".kexis", ".lgc", ".lwx", ".maf", ".maq", ".mar", ".mas", ".mav", ".mdb", ".mdf", ".mpd", ".mrg", ".mud", ".mwb", ".myd", ".ndf", ".nnt", ".nrmlib", ".ns2", ".ns3", ".ns4", ".nsf", ".nv", ".nv2", ".nwdb", ".nyf", ".odb", ".oqy", ".orx", ".owc", ".p96", ".p97", ".pan", ".pdb", ".pdm", ".pnz", ".qry", ".qvd", ".rbf", ".rctd", ".rod", ".rodx", ".rpd", ".rsd", ".sas7bdat", ".sbf", ".scx", ".sdb", ".sdc", ".sdf", ".sis", ".spq", ".sql", ".sqlite", ".sqlite3", ".sqlitedb", ".te", ".temx", ".tmd", ".tps", ".trc", ".trm", ".udb", ".udl", ".usr", ".v12", ".vis", ".vpd", ".vvv", ".wdb", ".wmdb", ".wrk", ".xdb", ".xld", ".xmlff", ".abcddb", ".abs", ".abx", ".accdw", ".adn", ".db2", ".fm5", ".hjt", ".icg", ".icr", ".kdb", ".lut", ".maw", ".mdn", ".vdi", ".vhd", ".vmdk", ".pvm", ".vmem", ".vmsn", ".vmsd", ".nvram", ".vmx", ".raw", ".qcow2", ".subvol", ".bin", ".vsv", ".avhd", ".vmrs", ".vhdx", ".avdx", ".vmcx"
Conti Common Exec parameter (New)
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where Processes.process = "*-m local*" OR Processes.process = "*-m net*" OR Processes.process = "*-m all*" OR Processes.process = "*-nomutex*"
by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid
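The same detection logic as the SPL search above, expressed in Python over constructed process-creation events so the matching and the per-host aggregation can be read line by line. This is an added example, not code from the blog or from Splunk; the event fields, host names and command lines are all made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed process-creation events (not real telemetry); field names follow the
# Endpoint.Processes data model the Splunk search above reads from.
SAMPLE_EVENTS = [
    {"_time": "2021-05-10T09:01:12", "dest": "WKS-01", "process_name": "conti.exe",
     "process": "conti.exe -m local -nomutex"},
    {"_time": "2021-05-10T09:03:40", "dest": "WKS-01", "process_name": "conti.exe",
     "process": "conti.exe -m net -log CONTI_LOG.TXT"},
    {"_time": "2021-05-10T09:05:00", "dest": "FS-02", "process_name": "robocopy.exe",
     "process": "robocopy.exe D:\\data \\\\fs-02\\share /mir"},
    {"_time": "2021-05-10T09:07:22", "dest": "FS-02", "process_name": "updater.exe",
     "process": "updater.exe -m all -size 10"},
]

# Parameters from the Conti command-line table, with the scope each one selects.
CONTI_ARGS = {
    "-m local": "encrypt all local drives",
    "-m net": "encrypt all network shares",
    "-m all": "encrypt all local and network drives/shares",
    "-nomutex": "skip creating the Conti mutex",
}
# Whole-token match: unlike the SPL wildcard "*-m local*", this does not fire on
# "-m localhost", which trims false positives from unrelated tools.
ARG_RE = re.compile(r"(?<!\S)(-m\s+(?:local|net|all)|-nomutex)(?!\S)", re.IGNORECASE)

def match_conti_args(cmdline):
    """Return the normalised Conti parameters present in a command line."""
    return [re.sub(r"\s+", " ", m.group(1).lower()) for m in ARG_RE.finditer(cmdline)]

def detect(events):
    """Aggregate hits per (dest, process_name) with count/firstTime/lastTime, like tstats."""
    hits = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None, "scopes": set()})
    for ev in events:
        found = match_conti_args(ev["process"])
        if not found:
            continue
        t = datetime.fromisoformat(ev["_time"])
        h = hits[(ev["dest"], ev["process_name"])]
        h["count"] += 1
        h["firstTime"] = t if h["firstTime"] is None else min(h["firstTime"], t)
        h["lastTime"] = t if h["lastTime"] is None else max(h["lastTime"], t)
        h["scopes"].update(CONTI_ARGS[a] for a in found)
    return dict(hits)
```

The "scopes" field tells the analyst what the parameters would have encrypted, which helps prioritise the response (network shares versus a single workstation).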
| Detection | Techniques ID | Tactic(s) | Description |
|---|---|---|---|
| Ransomware Notes bulk creation (Existing) | | Impact | Detects suspicious bulk creation of ransomware notes (.txt, hta, html) on a compromised machine |
| High Process Termination Frequency (Existing) | | Impact | Detects a suspiciously large number of terminated processes within a time frame |
| Suspicious Process File Path (Existing) | | Persistence, Privilege Escalation | Detects a process with a suspicious file path |
| Disable Windows Behavior Monitoring (Existing) | | Impair Defenses: Disable or Modify Tools | Detects the disablement of Windows Defender monitoring |
| Windows DisableAntiSpyware Registry (Existing) | | Impair Defenses: Disable or Modify Tools | Detects the disablement of Defender via the registry |
| Attempt To Stop Security Service (Existing) | | Impair Defenses: Disable or Modify Tools | Detects an attempt to stop a security service |
| Account Discovery With Net App (Existing) | | Account Discovery: Domain Account | Detects account discovery using net.exe |
| NLTest Domain Trust Discovery (Existing) | | Domain Trust Discovery | Detects the usage of nltest.exe performing domain discovery |
| DSQuery Domain Discovery (Existing) | | Domain Trust Discovery | Detects usage of DSQuery performing domain discovery |
| Create Service In Suspicious File Path (Existing) | | System Services: Service Execution | Detects services with a suspicious file path |
| Suspicious Rundll32 Activity (Existing) | | Signed Binary Proxy Execution: Rundll32 | Identifies suspicious Rundll32.exe usage |
| Create local admin accounts using net exe (Existing) | | Create Account: Local Account | Identifies the creation of a local account with net.exe |
| | | OS Credential Dumping: LSASS Memory | Identification of suspicious LSASS access |
| Detect PsExec With accepteula Flag (Existing) | | Remote Services: SMB/Windows Admin Shares | Detects PsExec with AcceptEula flag usage |
| Processes launching netsh (Existing) | | Impair Defenses: Disable or Modify System Firewall | Detects processes spawning netsh.exe |
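An added example (not code from the blog or from Splunk) of the "Ransomware Notes bulk creation" idea applied to the two file-system artifacts described earlier in this post: the readme.txt note dropped into every affected directory and the .LSNWX extension appended to encrypted files. It runs over constructed file-creation events with invented host names and paths; the threshold and window are assumptions to tune per environment.

```python
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta

NOTE_NAMES = {"readme.txt"}    # note file name dropped by the analysed sample
ENCRYPTED_EXT = ".lsnwx"       # extension the sample appends to encrypted files

# Constructed file-creation events (host, ISO time, path); not real telemetry.
# ntpath is used so Windows and UNC paths parse correctly on any platform.
SAMPLE_FILE_EVENTS = [
    ("WKS-01", "2021-05-10T09:02:00", r"C:\Users\jdoe\Documents\readme.txt"),
    ("WKS-01", "2021-05-10T09:02:01", r"C:\Users\jdoe\Documents\q1.xlsx.LSNWX"),
    ("WKS-01", "2021-05-10T09:02:02", r"C:\Users\jdoe\Pictures\readme.txt"),
    ("WKS-01", "2021-05-10T09:02:03", r"\\fs-02\share\finance\readme.txt"),
    ("WKS-01", "2021-05-10T09:02:04", r"\\fs-02\share\finance\ledger.mdf.LSNWX"),
    ("WKS-01", "2021-05-10T09:02:05", r"C:\Users\jdoe\Desktop\readme.txt"),
    ("FS-02", "2021-05-10T11:30:00", r"D:\projects\app\readme.txt"),  # one normal readme
]

def classify_event(path):
    """Label a created file as a ransom note, an encrypted file, or neither."""
    name = ntpath.basename(path).lower()
    if name in NOTE_NAMES:
        return "note"
    if name.endswith(ENCRYPTED_EXT):
        return "encrypted"
    return None

def bulk_note_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when one host drops notes into >= threshold distinct directories within window."""
    recent = defaultdict(deque)   # host -> deque of (time, directory) for note events
    alerts = []
    for host, ts, path in sorted(events, key=lambda e: e[1]):
        if classify_event(path) != "note":
            continue
        t = datetime.fromisoformat(ts)
        q = recent[host]
        q.append((t, ntpath.dirname(path).lower()))
        while q and t - q[0][0] > window:   # slide the window forward
            q.popleft()
        dirs = {d for _, d in q}
        if len(dirs) >= threshold:
            alerts.append({"host": host, "time": ts, "note_dirs": len(dirs)})
    return alerts

def encrypted_files(events):
    """Paths already carrying .LSNWX: an after-the-fact indicator worth sweeping shares for."""
    return [p for _, _, p in events if classify_event(p) == "encrypted"]
```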
SHA256: 59A9F0DE96EFF57768E995B296AE75778A232F30D95A7B7AB5048C621B50C66D
You can also simulate the attack with Splunk Attack Range and use our pre-built tested detections to monitor the environment.