Insights into the Russian-Ukrainian cyber war Part 3: Conti Ransomware Group (Part 2)

Insight into the Russian-Ukrainian cyber war Part 1: Data erasure software
Insight into the Russian-Ukrainian cyber war Part 2: Conti Ransomware Group (Part 1)


On February 27, 2022, the Twitter account @ContiLeaks released a large number of chat records of the ransomware organization Conti. On March 1, ContiLeaks leaked a large amount of Conti's source code and training materials.


1. Management panel source code

Analysis of the leaked content revealed that most of the code used by the Conti gang is built on open-source software, such as the PHP frameworks Yii2 and Kohana, which were used to build the management panels.


The code is mostly written in PHP and managed by Composer, with the only exception being a repository of tools written in Go. The repository also contains some configuration files that list local database usernames and passwords, as well as some public IP addresses.

2. Pony Credential Stealing Malware

Conti Pony Leak 2016.7z: the files are mainly email account password databases, covering providers such as gmail.com, mail.ru and yahoo.com. These were apparently harvested from various sources by the Pony credential-stealing malware. Pony, which dates back to at least 2018, is one of the credential theft tools most favoured by criminals.

The zipped package also contains credentials from FTP/RDP, SSH services, and several other different websites.

3. TTPs

TTPs: Tactics, Techniques and Procedures

Conti Rocket Chat Leaks.7z contains chat records of Conti gang members discussing attack targets, attack methods, and the use of Cobalt Strike to carry out attacks.


Conti gang members mentioned the following attack techniques during conversations:

  • Active Directory enumeration
  • SQL database enumeration via sqlcmd
  • How to access Shadow Protect SPX (StorageCraft) backup
  • How to create NTDS dump with vssadmin
  • How to open a new RDP port (1350)
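
The techniques listed above leave recognisable traces in process-creation telemetry. The following detector, added here as an example and not part of the original post or the leaked material, runs a few rules over constructed Sysmon-style events (host | user | parent image | command line) and escalates hosts where a shadow copy is followed by access to ntds.dit, or where the RDP listening port is changed and a matching firewall rule is opened; the sample events and field layout are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the leak). Format: host|user|parent|command line
SAMPLE_EVENTS = """\
WS01|CORP\\jdoe|cmd.exe|vssadmin create shadow /for=C:
WS01|CORP\\jdoe|cmd.exe|copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit C:\\temp\\ntds.dit
DC01|CORP\\svc_sql|powershell.exe|sqlcmd -S DC01 -Q "SELECT name FROM sys.databases"
WS02|CORP\\admin|cmd.exe|reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp" /v PortNumber /t REG_DWORD /d 1350 /f
WS02|CORP\\admin|cmd.exe|netsh advfirewall firewall add rule name="rdp" dir=in protocol=TCP localport=1350 action=allow
WS03|CORP\\bob|explorer.exe|notepad.exe C:\\notes.txt
"""

# Rule name -> pattern applied to the command line (case-insensitive)
RULES = [
    ("shadow_copy_created", re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I)),
    ("ntds_dit_from_shadow", re.compile(r"HarddiskVolumeShadowCopy\d+\\.*ntds\.dit", re.I)),
    ("sqlcmd_enumeration", re.compile(r"\bsqlcmd(\.exe)?\b.*\bsys\.(databases|tables)\b", re.I)),
    ("rdp_port_changed", re.compile(r"RDP-Tcp.*\/v\s+PortNumber\b", re.I)),
    ("firewall_opened_port", re.compile(r"netsh\s+advfirewall.*localport=\d+", re.I)),
]

def parse_event(line):
    host, user, parent, cmd = line.split("|", 3)
    return {"host": host, "user": user, "parent": parent, "cmd": cmd}

def match_rules(event):
    """Names of all rules whose pattern appears in the event's command line."""
    return [name for name, rx in RULES if rx.search(event["cmd"])]

def scan(text):
    """Map each host with at least one hit to its rule names, in event order."""
    hits = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ev = parse_event(line)
            hits[ev["host"]].extend(match_rules(ev))
    return {h: names for h, names in hits.items() if names}

def escalate(hits):
    """Hosts where two related rules fired together: credential theft via shadow
    copy, or an RDP port change paired with a firewall rule opening that port."""
    high = set()
    for host, names in hits.items():
        if {"shadow_copy_created", "ntds_dit_from_shadow"} <= set(names):
            high.add(host)
        if {"rdp_port_changed", "firewall_opened_port"} <= set(names):
            high.add(host)
    return high

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for host, names in found.items():
        print(host, "HIGH" if host in escalate(found) else "low", names)
```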

The following tools are involved:

  • Cobalt Strike
  • Metasploit
  • PowerView
  • ShareFinder
  • AnyDesk
  • Mimikatz

4. Conti Locker v2 source code

The leaked file also contains Conti Locker v2 source code and a decryptor source code. However, some Twitter users said that this decryptor is no longer usable.

Decryptors work a bit like decompressing password-protected files, except that the process is more complicated and varies from one ransomware family to another. Some decryptors are built as a standalone binary, some can be enabled remotely, and they usually have the key built in.

5. Conti gang training materials

The leaked documents also include training materials, comprising Russian-language online course videos and step-by-step operating instructions for the following list of TTPs:

  • Cracking
  • Metasploit
  • Network penetration
  • Cobalt Strike
  • Penetration using PowerShell
  • Windows Red Team Attack
  • WMI attacks (and defenses)
  • SQL Server
  • Active Directory
  • Reverse Engineering

Conti’s training course: CyberArk


6. TrickBot leaked

Another leaked document is a forum chat log used by the TrickBot Trojan/malware gang, covering 2019-2021.

Most of the posts discuss how to achieve lateral movement on a network, how to use certain tools, and some details of the TTPs of the TrickBot and Conti gangs. For example, in one post a member shared his webshell and said, "This is the most lightweight and durable webshell I have ever used." The log also contains evidence that the Conti group exploited vulnerabilities such as Zerologon in early July 2021. This is not surprising: since September 2020, 4 PoCs targeting this vulnerability have appeared on GitHub, along with a large amount of technical detail about it.

Other leaks include server-side components written in Erlang: trickbot-command-dispatcher-backend and trickbot-data-collector-backend, known as lero and dero.


Code leakage is a double-edged sword. From a defensive perspective, it helps researchers better understand how TrickBot works and adopt more reliable defences; on the other hand, this source code will also flow into the hands of other malware developers and guide them in building more, and even better, malware like TrickBot.



Reposted from: blog.csdn.net/apr15/article/details/132815258