Conti is a ransomware-as-a-service (RaaS) operation thought to be controlled by a cybercrime group based in Russia. The group is known for targeting organizations where attacks could be lethal, such as hospitals, emergency number dispatch carriers, emergency medical services, and law enforcement. It gains initial access by stealing Remote Desktop Protocol (RDP) credentials and by sending phishing emails with malicious attachments. Conti also scans networks for valuable targets automatically, encrypting every file it finds and infecting all Windows operating systems. Conti behaves similarly to most ransomware, but, as is the case with many modern extortion gangs, it has been designed to be more efficient and evasive. According to the FBI, the Conti ransomware group has been responsible for hundreds of ransomware incidents over the last two years.
In this latest attack, the Costa Rican government agencies affected include the Ministry of Finance; the Ministry of Labor and Social Security; the Ministry of Science, Innovation, Technology and Telecommunications; the National Meteorological Institute; the Social Development and Family Allowances Fund; and the Interuniversity Headquarters of Alajuela, among others. However, the full scope of the damage is not known.
The mass email campaign includes a link to a macro-laced Microsoft Excel file which, when opened, infects the computer with Jester Stealer. The attack requires the potential victim to open the link in the email, which redirects to a macro-enabled Microsoft Excel document, and then to enable the harmful macros; the macros install Jester Stealer, which can exfiltrate login credentials, credit card data, and other sensitive information. Using statically configured proxy addresses, the attackers receive the stolen data via Telegram (for example, over TOR). The malware also employs anti-analysis methods (anti-VM, anti-debug, and anti-sandbox checks). Because it has no persistence mechanism, it is deleted as soon as its operation is finished. In the new campaign, Jester Stealer exfiltrates data over the HTTP protocol: stolen authentication data is sent in HTTP POST requests to a web resource deployed on the Pipedream platform.
The attack begins with phishing that lures the unsuspecting victim into downloading a compressed file containing two penetration testing tools, Cobalt Strike and SilentBreak. These tools are used to insert malware into a system's memory, making it "fileless": no traces of it are left on the system's local drive, which makes it difficult for traditional signature-based anti-malware tools to detect.
The encrypted shellcode containing the payload is then injected into the event logs, while the launcher is written to disk for side-loading. The launcher is not harmful without the shellcode, which, as already mentioned, is hidden in the event logs. Together they allow a Trojan to be delivered and an attack to be executed.
The phishing process begins with an email that purports to contain parcel delivery information and impersonates the DHL shipping brand. Unlike traditional phishing links, which take the victim directly to a web page that requests sensitive information and other personally identifiable information (PII), this method first starts a conversation with a chatbot before quietly directing the victim to the actual phishing pages where the sensitive information and PII are collected. It may even include a bogus CAPTCHA page in an attempt to gain the victim's trust. The victim may then be redirected to a phishing page that requires vendor account credentials before proceeding to a payment step, ostensibly to cover shipping costs. The final "Secure Pay" page includes the standard credit card payment fields: cardholder name, card number, expiration date, and CVV code. The delivery method remains email.
The malware is typically distributed via a sophisticated phishing campaign or social media posts that direct the victim to a bogus site imitating a popular service and trick them into downloading an app laced with the trojan. The malware then scans the device to determine which apps are installed and sends the results back to the command and control (C2) server. It then requests 43 permissions from the victim's device which, if granted, give the threat actors complete access to the compromised device. Deeper technical analysis revealed that it can grant itself permissions (via Accessibility) upon installation, including SMS access, contact access, system alert window creation, audio recording, and full storage read and write access. When the victim launches the genuine application, the injection takes place and a phishing page is loaded on top of the real GUI. The captured credentials are sent to the same C2 that supplied the injections.
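The permission set described above (SMS, contacts, overlays, audio, storage, all self-granted through an Accessibility service) is visible in an APK's manifest before the app ever runs, so it can be triaged statically. The script below is an added example for this page, not the malware's code or any vendor's tool: it parses a minimal AndroidManifest.xml, collects the requested permissions, checks whether a service binds with BIND_ACCESSIBILITY_SERVICE, and scores the combinations that matter for overlay-style banking trojans. The permission names are standard Android ones; the two manifests, their package names and the scoring weights are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Standard Android permissions mapped to the capability each gives an app. They
# cover the classes the text lists (SMS, contacts, overlays, audio, storage) plus
# package enumeration for the "which apps are installed" scan.
HIGH_RISK = {
    "android.permission.READ_SMS": "read stored SMS, including one-time codes",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS from the device",
    "android.permission.READ_CONTACTS": "harvest the contact list",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw windows on top of other apps",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.READ_EXTERNAL_STORAGE": "read shared storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write shared storage",
    "android.permission.QUERY_ALL_PACKAGES": "enumerate every installed app",
}

# Constructed manifest for a hypothetical trojanized app; the package name is made up.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest for an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


def parse_manifest(xml_text: str):
    """Return (package, requested permissions, whether an accessibility service is declared)."""
    root = ET.fromstring(xml_text)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    package = root.get("package", "")
    permissions = {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}
    has_a11y = any(el.get(perm_attr) == ACCESSIBILITY_BIND for el in root.iter("service"))
    return package, permissions, has_a11y


def assess_manifest(xml_text: str) -> dict:
    """Score a manifest on its high-risk permissions and on the combinations that let an
    app self-grant prompts and cover the real UI. Weights are an assumption of this example."""
    package, permissions, has_a11y = parse_manifest(xml_text)
    risky = sorted(p for p in permissions if p in HIGH_RISK)
    combos = []
    if has_a11y and "android.permission.SYSTEM_ALERT_WINDOW" in permissions:
        combos.append("accessibility + overlay: can click through prompts and cover the real app UI")
    if has_a11y and permissions & {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}:
        combos.append("accessibility + SMS: can read one-time codes without the user noticing")
    if "android.permission.QUERY_ALL_PACKAGES" in permissions:
        combos.append("package enumeration: can pick which installed apps to target with injections")
    return {
        "package": package,
        "accessibility_service": has_a11y,
        "risky_permissions": risky,
        "combinations": combos,
        "score": len(risky) + 3 * len(combos),  # a combination weighs more than a single permission
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = assess_manifest(manifest)
        print(f"{report['package']}: score={report['score']} combinations={report['combinations']}")
```

The point of scoring combinations rather than counting permissions is that SYSTEM_ALERT_WINDOW or READ_SMS alone is common in legitimate apps; it is the pairing with an accessibility service, which can accept the permission prompts on the user's behalf, that turns them into the overlay-and-inject capability the text describes.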
The malware was allegedly used by the scammers to reroute financial transactions and steal confidential data from oil and gas organizations in South East Asia, the Middle East, and North Africa. The primary mode of distribution is phishing emails with malicious attachments, followed by malicious online advertisements, social engineering, and software 'cracks'. The majority are distributed through spam emails disguised as invoices, shipment documents, and purchase orders, with file names such as "Invoice", "Shipment", or "P.O. – Purchase Order".
A number of samples were gathered; they were disguised as files with the extensions .pdf and .xlsx. If the exploit succeeds, reconnaissance is carried out and account credentials are stolen in order to conduct a business email compromise (BEC) attack.