Conti ransomware deployed in IcedID banking Trojan attack

A 2017 banking Trojan known as IcedID and a familiar phishing email campaign were used in a recent intrusion to deliver Conti ransomware, according to a new post by threat intelligence provider The DFIR Report.

The Monday post centers on Conti, a ransomware gang first reported in 2020 that is known for hitting large and high-profile targets. The group gained recent notoriety for publicly backing Russia in its invasion of Ukraine; this was met with an enormous leak of the ransomware gang's operations.

The DFIR Report's post, titled "Stolen Images Campaign Ends in Conti Ransomware," features a single Conti ransomware deployment from December that appears to be part of a larger campaign. The attack utilized IcedID, a well-known banking Trojan from 2017 that The DFIR Report assessed with "high confidence" was delivered via the "Stolen Images Evidence" email campaign.

Microsoft published research last April about the IcedID email campaign, in which threat actors use organization contact email forms to send fake legal notifications about copyright-protected photos and images. The emails contain real links to legitimate cloud storage services like Google's and Microsoft's; those links host malicious files.

"The emails contain a link to a legitimate storage service like those offered by Google and Microsoft. In this example, 'http://storage.googleapis.com' was used to host a zip file," the DFIR Report's post read. "The zip archive contains an ISO file, which once clicked and mounted, shows a document-like LNK file. Once the victim opens that LNK file, the IcedID DLL loader executes, downloads, and runs the second stage of IcedID."

Once the IcedID malware was executed, the threat actor maintained a dwell time of 19 days, during which time they launched multiple Cobalt Strike beacons and gained lateral movement. Leading up to the ransomware attack, the actor also disabled Windows Defender using a PowerShell command.

On Day 19, the final day of the attack, the actor made two failed attempts to deploy the ransomware payload. The latter attempt involved exploiting two escalation-of-privilege vulnerabilities in Windows Active Directory. The third ransomware deployment attempt worked.

"After a failed attempt with CVE-2021-42278 and CVE-2021-42287, the threat actors executed Cobalt Strike beacons on a couple of domain controllers," the post read. "Once they established this access, around twenty minutes later, they again attempted the ransomware deployment and this time the payload executed properly and began spreading across the network via SMB."

The victim's files were then encrypted, and a ransom note was generated demanding the victim contact Conti's team, presumably to pay a cryptocurrency ransom.

"Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on [our] news website if you do not respond," the Conti note read. "So it will be better for both sides if you contact us as soon as possible."

Details on the attack's victims are not known. The DFIR Report did not respond to SearchSecurity's request for comment.

Alexander Culafi is a writer, journalist and podcaster based in Boston.