eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Burning a Conti Affiliate’s Cobalt Strike Infrastructure
Cobalt Strike at Scale
Why has Cobalt Strike become so popular for ransomware campaigns?
Ransomware Operations Utilizing the Cobalt Strike Infrastructure
Excerpt of the Cobalt Strike C2 Domain Names and IP Addresses Utilized by a Conti Affiliate
The Cobalt Strike ShadowBeacon Incident
Glossary of terms
A Cobalt Strike Cybercrime Syndicate and the Ransomware Hackers’ Favorite Weapon
On March 9, the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Secret Service issued an updated alert about the Conti ransomware group, encouraging organizations to review their advisory and apply the recommended mitigations. They stated: “Conti cyberthreat actors remain active and Conti ransomware attacks against U.S. and international organizations have risen to more than 1,000. Notable attack vectors include Trickbot and Cobalt Strike.”
eSentire’s Threat Response Unit security research team (TRU) has been tracking the movements of the Conti gang for over two years. TRU issued a new report on the Conti Gang on March 7, 2022, two days prior to the CISA alert, where it warned its customers and critical infrastructure organizations that the Conti gang was continuing to launch attacks against oil terminals, pharmaceutical companies, food manufacturers, IT services providers, etc. Conti declared its allegiance to Russia immediately following Russia’s invasion into Ukraine.
Figure 1: Conti’s Name and Shame Site indicating allegiance to Russia.
TRU is publishing a new set of Indicators of Compromise (IOCs), which are currently being used by a Conti affiliate, and eSentire is encouraging security defenders to also use these to detect any possible Conti activity in their networks. These IOCs all link back to the Cobalt Strike infrastructure.
Every week for the past three years, the public has heard countless news reports of businesses and public entities being compromised by ransomware. However, in these incidents, it is usually the ransomware groups behind the attacks that grab the headlines. TRU contends that it is not just the ransomware gangs that are causing the scourge, it is also those cybercriminals who are supplying the malware, the infrastructure and the tools. For some time, what appears to be their favorite weapon is Cobalt Strike. Cobalt Strike has repeatedly enabled ransomware threat actors to disrupt critical healthcare services, municipalities, educational institutions, energy companies, and international meat suppliers.
For the past year and half, Cobalt Strike (a threat emulation software used for adversary simulations and Red Teams) has been observed being used by the top ransomware gangs and financial cybercrime groups. Cobalt Strike is an organized, methodical and multi-functional software that is being used, unfortunately, in conjunction with ransomware to disrupt critical systems. It is readily delivered by numerous initial access vectors and provides a variety of tools that help threat actors navigate around defenses.
Burning a Conti Affiliate’s Cobalt Strike Infrastructure
TRU has been tracking the operations of an active Conti ransomware affiliate since August 2021. During TRU’s research, it discovered that cybersecurity company BreakPoint Labs (BPL) had also been studying the same Conti affiliate. Therefore, eSentire and BreakPoint Labs began sharing their findings with one another and uncovered some important details relating to this affiliate, its infrastructure management methods, and its use of Cobalt Strike. It is also important to note that the main Conti operators have recently brought the Trickbot
authors, Wizard Spider, into their operation. Members of the Trickbot gang are long time partners of Conti ,and they have recently developed BazarLoader which downloads additional malware onto a victim’s computer.
Interestingly, TRU observed this affiliate’s Cobalt Strike infrastructure being leveraged in two subsequent ransomware attempts on Valentine’s Day of 2022, just as the tensions between Russia and Ukraine were escalating.
The speed and efficacy of both the intrusion actions and the infrastructure management indicate automated, at-scale deployment of customized Cobalt Strike configurations and its associated initial access vectors. Customization choices include legitimate certificates, non-standard CS ports, and malleable Command and Control (C2). In this report, we will examine associated ransomware operations, including operations that rely on:
SonicWall exploits
Shathak (TA551) and TR (TA577) malware distribution operations
BazarLoader and IcedID malware
The Cobalt Strike intrusion framework
FiveHands/HelloKitty/DeathKitty ransomware and Conti ransomware
TRU observed sophisticated intrusions conducted from the infrastructure, which are detailed below, followed by an exploration of the features of the infrastructure. Finally, a list of indicators comprising the vast Cobalt Strike deployment are provided.
Cobalt Strike at Scale
Following a series of leaks of the Cobalt Strike Intrusion Suite starting in 2020, the tool quickly rose to prominence in ransomware intrusions. Throughout 2021, eSentire’s TRU observed that – with few exceptions – hands-on- intrusions invariably relied on Cobalt Strike (Figure 2). The trend continues into 2022 alongside yet another leak of Cobalt Strike’s latest version. With each successive leak of the tool, threat actors gain additional features that help them to evade security and manage intrusions at scale.
Figure 2: Cobalt Strike observed by TRU in incidents (blue trace) and timing of Cobalt Strike source code leaks to the public (vertical black lines)
Why has Cobalt Strike become so popular for ransomware campaigns?
Ransomware intrusions are full-scale organizational intrusions that require actions such as discovery, lateral tool transfer and privilege escalation (Figure 3). Not only can Cobalt Strike do all of that, it can also change up its disguises using malleable C2 and an artifact kit to evade network and endpoint security. Threat actors need only deliver Cobalt Strike’s Beacon – a highly configurable backdoor that allows attackers to quietly and remotely control endpoints and inject other attacker tools – as a payload of their chosen initial access vector, and Beacon will point back to an attacker – controlled Team Server, where attackers can log on and intrusions can be orchestrated. Due to Cobalt Strike’s relative simplicity, it enables lower-tiered threat actors to act in supporting roles to ransomware operations, allowing for ransomware gangs to scale out their operations and increase efficiencies.
In short, the tool puts most of the features you’d find in other malware in one place. MITRE describes the tool as follows: “Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.” Cobalt Strike has been in use and continuously updated with new functionality for at least the past ten years. It is an “adversarial simulation software,” the developers (have continuously added evasive
features, observed in the wild, to its pen testing capabilities). Cobalt Strike also has a public community that openly shares aggressor scripts, which allow various plugins and integrations to be written for Cobalt Strike, and Beacon profiles, which define various communication protocols for C2. Thus, for many backdoors and RATs available on the underground market, Cobalt Strike is capable of the same functionality, plus more.
Figure 3: In the simplified kill chain model, Cobalt Strike can directly perform most intrusion actions allowing the operation to efficiently achieve their objectives
Ransomware Operations Utilizing the Cobalt Strike Infrastructure
TRU observed at least two cybercrime operations utilizing the same Cobalt Strike infrastructure, during 2021 and into 2022, and both operations are leveraging SonicWall exploits to deploy a Go variant of the FiveHands/HelloKitty/DeathKitty ransomware family and they are also employing initial access brokers, associated with the Conti Ransomware operation. Earlier in the year, SonicWall exploits being used in FiveHands ransomware campaigns (Figure 4), were associated with FiveHands affiliate UNC2447. A 2021 report by Mandiant notes the group had previously deployed RagnarLocker. Symantec has since associated UNC2447 with recent campaigns deploying Yanluowang Ransomware.
Figure 4: A campaign utilizing SonicWall exploits leveraged the tracked Cobalt Strike infrastructure to deliver a Golang variant of the FiveHands Ransomware
More recently, the same Cobalt Strike infrastructure was observed being leveraged in Conti ransomware deployments via Shathak (aka TA551) for initial access (Figure 5). Shathak is a threat group known for launching phishing campaigns that typically utilize malicious documents, and these often lead to backdoors, such as IcedID. TRU has seen some overlap in these campaigns with the TR botnet (aka TA577), which delivers payloads via malicious documents and which tends to use the same toolset as the Shathak malicious phishing campaigns.
Figure 5: An operation by the Shathak Group (akaTA551) leveraged BazarLoader through malicious emails. BazarLoader allowed the operation to pivot to the tracked Cobalt Strike infrastructure for Conti deployment.
Syndicate Infrastructure
Management of the Cobalt Strike infrastructure appears to be highly automated, potentially relying on automated name server generation via reseller API. Legitimate and trusted certificates are deployed to the infrastructure within minutes of domain name creation. Domain names used for Cobalt Strike Command and Control (C2) reflect a common naming scheme, typically two to three words or acronyms that reflect common information technology and known brands. The infrastructure rotates through a consistent range of open ports and registrar choices (Figure 6). TRU’s analysis of the Conti chat leaks provides some insight on infrastructure management within the Conti team, but it’s not clear how entwined the domains tracked here are with this core Conti group. However, the primary candidates from the leaked chats would be Carter’s infrastructure through which Bentley’s builds integrate the different tools and malware involved (such as BazarLoader, Cobalt Strike and the ransomware itself).
An excerpt of the domain names, IP addresses and email addresses being used by this Conti affiliate are enclosed below. It appears that this Cobalt Strike infrastructure management group has also relied on a variety of ProtonMail email addresses to register some of their domains:
Figure 6: Ports and Registrars observed at time of domain creation
Sophisticated Intrusions
Combined, TRU and BPL observed the Cobalt Strike infrastructure being leveraged to attack seven different U.S. companies between 2021 and 2022. The victims include companies in the financial, environmental, legal and charitable sectors.
In July 2021, the threat actors behind the Cobalt Strike operation compromised four different financial organizations via one technology provider, which each of the victims were using to manage their IT environments. Since the technology provider deployed SonicWall as a VPN solution for its customers, the financial organizations were rendered vulnerable to the previously mentioned exploits. In these cases, the threat actors were able to delete cloud-stored backups prior to ransomware deployment. Luckily, the financial companies had other, more recent backups, to restore from – a good lesson to follow. The ransomware was later determined to be the late Go Version of Feral Spider and shared similarities to previous FiveHands and HelloKitty variants.
More recently, on Valentine’s Day 2022, amidst escalating tensions between Russia and Ukraine, the TRU intercepted an attack leveraging the Cobalt Strike infrastructure in which the threat actors were trying to breach a children’s charity and, hours later, they attempted to breach a legal firm. However, one attack stands out as a demonstration of the power and capability of the Cobalt Strike Intrusion Suite, should it land in the wrong hands: the ShadowBeacon Incident.
The Cobalt Strike ShadowBeacon Incident
The TRU observed the first Cobalt Strike Beacon early in the morning during the summer of 2021. The Beacon instance presented an immediate mystery – it pointed to an internal device. The infected host was isolated and an investigation into the source of the signal was opened; another Beacon appeared. Again, a host was isolated. The Beacons were being deployed from the domain controllers via PsExec, a legitimate administrator tool used for remotely executing binaries. This time; however, the internal IP was different. Sensing an active hands-on intrusion, TRU began manually deleting the Beacon instances just as eSentire’s incident handlers were finding an answer to the shifting Command and Control channel. The intruders were using Forty North’s C2Concealer. The Beacons were SMB Beacons, which utilize the organization’s internal SMB traffic for its C2. That meant that the cloaked internal device likely had an HTTP Beacon–through which it was funneling the traffic from SMB Beacons to the exterior Cobalt Strike C2 Server. The more common Beacon utilizes standard internet protocols.
To gain further intelligence around the mysterious internal device required a review of the Windows logs. Given that the customer wasn’t ingesting their log signals into eSentire’s Atlas XDR platform, a manual request for logs was initiated, introducing a delay to the investigation. With domain control and a cloaked machine, the attacker continued to deploy SMB beacons, struggling to maintain a foothold as incident handlers continued to shut down Beacon instances. But after receiving and manually reviewing the Windows logs, TRU discovered the intersection of the SMB traffic and patient zero.
Crafty Threat Actors Bring Their Own Virtual Machine
The Windows logs revealed that the threat actor had been able to register their own virtual machine on the victim organization’s network, using it as a pivot to their actual, exterior C2. With the source of the infection no longer hiding in the VPN pool, the attacker was kicked out and the recovery process started. No ransomware was observed.
Cobalt Strike Infrastructure-Campaign Links
Conti Playbook and Intrusion Tools Used in the ShadowBeacon Incident
The recent leak of a Conti message board provides a thorough set of tools and practices used by Conti. The following was observed in both the ShadowBeacon Incident and Conti’s expansive playbooks:
August 2021 – BreakPoint Labs reports numerous domains associated with the previously mentioned breaches. The hashes reported by CrowdStrike, and BreakPoint Labs share vhash similarity in VirusTotal
August 2021 – eSentire observes the Cobalt Strike ShadowBeacon Incident.
Shathak, BazarLoader, IcedID and Conti Ransomware
August 2021 – amibios-updater[.]com is reported by Brad Duncan of Palo Alto Networks’ Unit42 in association with TA551 and BazarLoader
October 2021 – IBM X-Force Reports Shathak brokering initial access on behalf of Conti ransomware affiliates
November 2021 – sonyblueprint[.]com is reported by Unit42 in association with Shathak, BazarLoader and VNC, a remote desktop sharing protocol that precedes RDP.
January 2022 – customsecurityusa[.]com and juniperengineer[.]com
reported by Unit42 in association with Shathak and IcedID
TR Botnet and IcedID
June, 2021 – Proofpoint notes use of IcedID by both TA577 and TA551(insert more common name of these groups)
December, 2021 – bqtconsulting[.]com is reported by SANS in association with IcedID and the backdoor, DarkVNC
January, 2022 – driverpackcdn[.]com is reported by Unit42 in association with IcedID
February 2022 – TRU observes two cyber incidents leveraging Cobalt Strike via the infrastructure (defined by the traits outlined in the Syndicate Infrastructure paragraph) on recently created domains. IcedID was the initial access vector.
Glossary of terms
IcedID – a botnet loader known to arise from malicious documents and often leading to Cobalt Strike or other backdoors that position threat actors for ransomware deployment.
TR Botnet (akaTA577)– The TR botnet delivers payloads via malicious documents. TR has been associated with SquirrelWaffle and Qakbot campaigns but has recently been observed delivering IcedID.
Shathak (aka TA551)– A cybercrime group that is known for launching phishing campaigns that typically distribute malicious documents which, in turn, often lead to backdoors such as IcedID.
Emotet – A loader malware delivered via malicious document through email. Known to deliver Trickbot and Cobalt Strike.
Trickbot – A botnet loader delivered via malicious documents.
Conti (aka Grim Spider) – A large and sophisticated group of ransomware developers and operators, known for compromising and disrupting the critical operations of healthcare organizations, 911 emergency services, municipalities, oil transportation and storage providers, electric companies, schools, IT service providers, food and pharmaceutical providers. Conti popularized the modern ransomware model with its original project, Ryuk, which was delivered via Emotet dropping Trickbot.
Cobalt Strike – An intrusion suite, billed as “adversary simulation” that has sophisticated evasion features, such as a malleable C2 and an injection kit, to deploy more tools throughout a victim’s IT environments.
Discovery – generally the first tactic threat actors take when they get hands-on keyboard in an environment. Discovery helps threat actors determine the kind of endpoint they’ve landed on and what kind of accounts they can pivot too next.
Lateral Tool Transfer – a technique that allows an active intruder to import more intrusion tools from their own environment to the victims, including password crackers, exploits and exfiltration tools.
Privilege Escalation – allows attackers to raise privileges on a compromised account or obtain credentials for more privileged accounts.
Malleable C2 – allows threat actors to rotate through different communication procedures, making it harder to track and detect known procedures.
Artifact Kit – a Cobalt Strike feature that allows an active intruder the ability to inject tools into legitimate windows processes, reducing their chance of detection.
Initial Access – how an intruder gains entry into a victim’s network. Examples include phishing emails, remote exploits, and supply-chain attacks.
Aggressor Scripts – It is a scripting framework, built within Cobalt Strike 3.0 and later versions, which will automate and customize the intrusion workflow being conducted by threat actors. Examples of Aggressor Scripts include notifying the threat actors of a successful compromise via Slack or running Mimikatz within the victim’s IT environment. Mimikatz is a credential password stealer tool.
Beacon—it is the Cobalt Strike’s backdoor.
Beacon Profiles –Beacon profiles define the configuration of the Beacon Backdoor– including the windows processes (aka injection targets) that artifact kit will use to deploy tools, how often Beacon will check in with Team Server, and the C2’s URL and port.
If you’re not currently engaged with a Managed Detection and Response provider, we highly recommend you partner with us for security services to disrupt threats before they impact your business. Want to learn more about how we protect organizations globally? Connect with an eSentire Security Specialist.
eSentire Threat Response Unit (TRU)
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
