In February of 2021, we were alerted to a series of suspicious events connected to an attack by the Conti ransomware gang. These events were spotted by the Trend Micro Vision One platform.
Conti has been described as the successor to the Ryuk ransomware family, and it is increasingly distributed through the same channels that previously delivered Ryuk: both Trickbot/Emotet and BazarLoader are now being used to drop Conti.
This blog post discusses how Cobalt Strike beacons (detected as Backdoor.<architecture>.COBEACON.SMA) are now being used for this purpose, and how we used the Trend Micro Vision One platform to track this threat. We believe that researchers at Sophos encountered the same group of threat actors; the attack they documented and this one show similarities in the techniques used.
Figure 1. Pre-investigation timeline
These attacks were spotted via the Workbench panel, which is accessible both to the SOCs of client organizations and to MDR researchers. It can be used to respond to ongoing incidents and to add context to security investigations already underway. The Workbench panel issued two alerts for suspicious activity. Hours later the attackers dropped the Conti ransomware payload, which Trend Micro’s Predictive Machine Learning detected immediately. Read more in the original article.
Missing: The Arrival Vector
What was not immediately clear was the arrival vector of the Cobalt Strike beacon. We delved deeper into this using the different features of Trend Micro Vision One.
Using Trend Micro Vision One’s Observed Attack Techniques (OAT) app, we noticed that several endpoints only started sending data to Trend Micro Vision One on February 11 and 12 of this year; additional telemetry confirmed this. Feedback from the Smart Protection Network indicates possible Cobalt Strike beacon detections in the same organization on February 4, which may have been an earlier, unsuccessful attempt to infiltrate the organization.
Beyond this possible earlier attempt, we were unable to identify the specific method used for the initial intrusion. The threat actor may have gained a foothold on endpoints that were unprotected or otherwise not monitored.
Responding to Incident Response
As we noted earlier, the organization was responding to the attack by rolling out further protection to its endpoints. The threat actor was seemingly aware of this and, in response, moved to exfiltrate sensitive information as quickly as possible.
The OAT app showed several Trend Micro Vision One filter hits for “Rarely Accessed IP Address.” Expanding the details revealed where the stolen data was being sent. The open-source tool Rclone is normally used to sync files to a specified cloud storage provider; in this incident, the attackers used it to upload files to Mega cloud storage. Additional Cobalt Strike/Cobeacon variants were seen a few days after the ransomware incident, indicating that the attackers still had access to unprotected endpoints.
Cobalt Strike was also used to explore the system further:
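To show what the Rclone-to-cloud exfiltration described above looks like in endpoint telemetry, here is an added example (not code from the original post or from Trend Micro) that flags rclone uploads in process-execution records and lists the cloud remotes configured in an rclone.conf. The JSON-style field names, the sample process records and the sample configuration are constructed for illustration; the backend names, subcommands and flags are rclone's own. It goes one step beyond the text by also catching a renamed rclone binary, keying on rclone's argument grammar (upload verb plus a `remote:path` destination) rather than on the image name.

```python
"""Spot rclone-based cloud exfiltration in endpoint process telemetry.

Added example, not code from the original post or from Trend Micro.
Field names, sample records and the sample rclone.conf are constructed.
"""
import re
import shlex
from configparser import ConfigParser

# rclone backend names (from rclone's own docs) commonly abused for exfiltration.
CLOUD_BACKENDS = {"mega", "drive", "dropbox", "onedrive", "s3", "b2", "pcloud"}
# rclone subcommands that push data to a remote.
UPLOAD_VERBS = {"copy", "copyto", "sync", "move", "moveto", "rcat"}
# Flags that are characteristic of rclone even when the binary is renamed.
RCLONE_FLAGS = {"--config", "--transfers", "--bwlimit", "--ignore-existing",
                "--no-check-certificate", "--max-age", "--log-file", "-q"}

# Constructed process-execution records in the shape an EDR might export.
SAMPLE_EVENTS = [
    {"host": "WS-017", "parent": "cmd.exe",
     "image": r"C:\ProgramData\rclone.exe",
     "cmdline": r"rclone.exe copy C:\Finance mega:backup --config C:\ProgramData\r.conf -q"},
    {"host": "WS-017", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    # rclone renamed to svchost.exe: the image name no longer helps.
    {"host": "SRV-02", "parent": "powershell.exe",
     "image": r"C:\Users\Public\svchost.exe",
     "cmdline": r'svchost.exe sync "D:\Shares\HR" remote:hr --transfers 8'},
]

# Constructed rclone.conf; rclone stores the password obscured (reversibly
# encoded), not in clear, so the value here is a placeholder.
SAMPLE_CONF = """\
[mega]
type = mega
user = user@example.com
pass = <obscured>

[scratch]
type = local
"""


def _is_remote_ref(arg: str) -> bool:
    """True for rclone 'remote:path' references, false for drive letters and URLs."""
    m = re.match(r"^([A-Za-z0-9_][A-Za-z0-9_.-]*):(.*)$", arg)
    if not m:
        return False
    name, path = m.groups()
    if path.startswith("//"):             # http://..., smb://...
        return False
    if len(name) == 1 and path[:1] in ("\\", "/", ""):
        return False                      # Windows drive letter, e.g. C:\Finance
    return True


def analyze_cmdline(image: str, cmdline: str) -> list:
    """Return the reasons a process looks like an rclone upload, or [] if it does not."""
    exe = re.split(r"[\\/]", image)[-1].lower()   # basename that also works off-Windows
    # posix=False keeps Windows backslashes; quotes survive and are stripped here.
    args = [a.strip('"') for a in shlex.split(cmdline, posix=False)][1:]
    verbs = [a for a in args if a.lower() in UPLOAD_VERBS]
    remotes = [a for a in args if _is_remote_ref(a)]
    flags = {a.split("=", 1)[0] for a in args if a.startswith("-")} & RCLONE_FLAGS

    reasons = []
    if "rclone" in exe:
        reasons.append("image name is rclone")
    if verbs and remotes:
        reasons.append(f"upload verb {verbs[0]!r} to remote {remotes[0]!r}")
    if flags:
        reasons.append("rclone-specific flags: " + ", ".join(sorted(flags)))
    # Flags alone are too weak a signal; require the binary name or the verb+remote shape.
    return reasons if ("rclone" in exe or (verbs and remotes)) else []


def scan_process_events(events) -> list:
    """Run analyze_cmdline over telemetry records and keep the hits."""
    hits = []
    for ev in events:
        reasons = analyze_cmdline(ev["image"], ev["cmdline"])
        if reasons:
            hits.append({"host": ev["host"], "image": ev["image"],
                         "parent": ev["parent"], "reasons": reasons})
    return hits


def scan_rclone_conf(text: str) -> list:
    """List (remote name, backend type) for remotes that point at cloud storage."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(text)
    return [(s, cp[s].get("type", "").lower()) for s in cp.sections()
            if cp[s].get("type", "").lower() in CLOUD_BACKENDS]


if __name__ == "__main__":
    for hit in scan_process_events(SAMPLE_EVENTS):
        print(hit["host"], hit["image"], "->", "; ".join(hit["reasons"]))
    print("cloud remotes in rclone.conf:", scan_rclone_conf(SAMPLE_CONF))
```

In practice the process-record check belongs in the same place the "Rarely Accessed IP Address" filter fires, since a hit on both (an upload-shaped command line and a first-seen destination) is far higher fidelity than either alone; the rclone.conf scan is what you run on the endpoint afterwards to learn which provider and account received the data.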
The detailed technical description of the spread of Cobalt Strike and the Conti ransomware can be found in the original article.
While we do not know how this threat first entered the victim organization, Conti is known for using phishing emails to deliver downloader malware that drops the ransomware payload. Awareness training that helps users recognize social engineering attempts will reduce this risk.
Trend Micro’s comprehensive XDR solution applies the most effective expert analytics to the deep data sets collected from Trend Micro solutions across the enterprise — including email, endpoints, servers, cloud workloads, and networks — making faster connections to identify and stop attacks. Powerful artificial intelligence (AI) and expert security analytics correlate data from customer environments and Trend Micro’s global threat intelligence to deliver fewer, higher-fidelity alerts, leading to better, early detection. One console with one source of prioritized, optimized alerts supported with guided investigation simplifies the steps needed to fully understand the attack path and impact on the organization.