Conti ransomware deployed in IcedID banking trojan attack

A 2017 banking trojan known as IcedID and a familiar phishing email campaign were used in a recent intrusion to deliver Conti ransomware, according to a new message from the intelligence provider. threats The DFIR Report.

Monday’s post centers on Conti, a ransomware gang first reported in 2020 and known to hit high profile and high profile targets. The group has recently gained notoriety for publicly supporting Russia in its invasion of Ukraine; this resulted in a huge leak of ransomware gang operations.

The DFIR Report post, titled “Stolen Image Campaign Ends in Conti Ransomwarefeatures a single deployment of Conti ransomware from December that appears to be part of a larger campaign. The attack used IcedID, a well-known banking Trojan from 2017 that the DFIR report rated with a “high trust” was delivered via the “Stolen Images Proof” email campaign.

Microsoft published research last April about the IcedID email campaign, in which threat actors use the organization’s contact forms to send fake legal notices about copyrighted photos and images. The emails contain real links to legitimate cloud storage services like those from Google and Microsoft; these links host malicious files.

“The emails contain a link to a legitimate storage service such as those offered by Google and Microsoft. In this example, ‘’ was used to host a zip file,” it reads. in the DFIR report message. “The zip archive contains an ISO file, which when clicked and mounted displays a document-like LNK file. Once the victim opens this LNK file, the IcedID DLL loader executes, downloads, and executes the second stage of IcedID .”

Once the IcedID malware was executed, the threat actor maintained a waiting time of 19 days, during which time they launched several Cobalt Strike tags and got a lateral move. Prior to the ransomware attack, the actor also disabled Windows Defender using a PowerShell command.

On Day 19, the last day of the attack, the actor made two failed attempts to deploy the ransomware payload. This latest attempt involved the exploitation of two privilege escalation vulnerabilities in Windows Active Directory. The third ransomware deployment attempt worked.

“After a failed attempt with CVE-2021-42278 and CVE-2021-42287, threat actors executed Cobalt Strike beacons on a few domain controllers,” the message reads. “Once they established this access, approximately twenty minutes later, they again attempted to deploy the ransomware and this time the payload executed successfully and began spreading across the network via SMB. “

The victim’s files were then encrypted and a ransom note was generated asking the victim to contact Conti’s team, presumably to pay a ransom in cryptocurrency.

“Just in case, if you try to ignore us. We’ve uploaded a pack of your internal data and are ready to post it to [our] news site if you don’t respond,” Conti’s memo read. “So it will be better for both parties if you contact us as soon as possible.

Details of the victims of the attack are not known. The DFIR report did not respond to SearchSecurity’s request for comment.

Alexander Culafi is a Boston-based writer, journalist, and podcaster.

Comments are closed.