Author: Brad Haas
Conti is one of the most prolific ransomware operations in the threat landscape today. In a recent act of retaliation against Conti’s leaders for their support of Russia, an anonymous person leaked documentation and internal chat logs from the group. This blog post series covers important phishing-related takeaways Cofense Intelligence analysts discovered in the leaks. In Part 2, we discuss Conti’s collaboration with other malware groups, as well as their reaction to scrutiny from security researchers.
Conti-Emotet Link Cemented
When Emotet resurfaced in November 2021, some cybersecurity researchers reported that it was at the behest of Conti leadership. The leaked Conti logs confirm the collaboration, as Emotet’s primary operator was present in Conti chats using the alias “Veron” and in TrickBot forum chats as “Aron.” An exchange from the TrickBot forum chat establishes his identity:
angelo: who is Veron ?
manuel: veron )) Well, he’s
angelo: I thought it was aron
manuel: yes in our it is
On February 24, 2021—less than a month after the law enforcement takedown of Emotet—Conti members discussed his joining them:
stern: Is veron up and running?
bentley: He starts in March.
Veron was active in the chat starting in early March 2021, with many messages corroborating cybersecurity reporting on Emotet activity and its cooperation with Conti. For example, on November 23 he discussed the use of Windows App Installer packages as a delivery mechanism. Within a week, Emotet emails started to include links to those packages.
Starting in December, Emotet occasionally installed Cobalt Strike payloads, which matches Conti’s tactics. This represents a combination of two very significant phishing threats: Emotet’s massive installation base and email sending power could give Conti operators access to more victims than ever.
TrickBot is Virtually Defunct, Superseded by BazarBackdoor and Emotet
Like Emotet, TrickBot started as a banking trojan, but evolved to a more general-purpose malware family serving other groups. Conti operators used it heavily, but found that it had unnecessary features that increased risk of detection by target organizations. In May 2021, high-ranking Conti member “Stern” suggested trimming away the extra functionality:
stern: let’s modify the trick, remove the excess
stern: we don’t really need the admin logpost etc.
In the same conversation, he highlighted that its role was to enable Conti operators to explore a target network using Cobalt Strike:
stern: he says that bots don’t connect, and if they do, it’s hard to bring them to cobalt later
In a later exchange, “Mango” expressed difficulty getting a prospective team member to work with it.
mango: they’re ready. i offered them a job on trick.
mango: they said that trick is dirty s*** that no one supports
mango: I justified myself as best I could, but it’s hard to argue, of course
TrickBot has been virtually absent from the phishing threat landscape since Emotet started sending email again in November 2021. Based on frequent mentions in the chat logs, Conti operators favored BazarBackdoor as an alternative. Emotet’s major growth in February 2022 also likely provides Conti with ample opportunities to replace the functionality provided by TrickBot.
Conti Actors Stick With Effective TTPs Despite Public Scrutiny
One of the leaked internal documents is a “Hacker’s Quick Start” guide, with basic guidance concerning all aspects of Conti operations. It ends with a note instructing new employees to pay attention to the work of cybersecurity researchers, but not to let it discourage them:
Analyzing open sources about your activities is important: you will know the part of the tricks that have already been uncovered, and therefore they have become ineffective.
However, you do not know the part of the tricks that have not been disclosed. For the sake of this, the adversary may launch disinformation, concealment, and deception.
Chat logs and real-world Conti activity show that the group takes this advice seriously. In April 2021, Cofense reported on new BazarBackdoor campaigns (also called “BazarCall”) that used unique tactics, including the use of a telephone call center. Other cybersecurity researchers picked up the story as well, including one who recorded his phone conversation and published it on YouTube. Conti members noticed the attention, but didn’t believe it would impact their operations:
derek: here’s more interesting stuff – called us, it shows all how the infection looks https://www.youtube.com/watch?v=uAkeXCYcl4Y
stern: hi, great
derek: but I think it won’t affect the job much as the invoice theme is still alive and guys are still just spamming and making bots
Later in the year, they did proceed with using BazarCall to deploy their ransomware, despite the published research. DFIR Report researchers showed how a BazarCall campaign followed the Conti playbook: it installed TrickBot, which collected information and then executed Cobalt Strike. Within three days, the threat actors had gained sufficient access to execute Conti’s ransomware across the domain.
Similarly, despite the leaks’ exposure of a massive amount of internal chats and information, Conti is still moving forward with ransom operations. On March 15, 2022, they announced another victim on their public website.
This blog series will conclude with Part 3, which will cover more of Conti’s phishing strategy and tactics. If you missed the first blog in this series, we discussed the background of the leaks, Conti’s segmentation of the attack chain, and how Conti operators use OSINT to select and harass their targets.