October 6, 2022

TheCyberThrone

Thinking Security ! Always

Monti Ransomware follows Heirs of Conti

Security researchers have discovered a ransomware campaign from a group called Monti, may be the name derived since it relies almost entirely on leaked Conti code to launch attacks.

The Monti group emerged with a round of ransomware attacks and was able to successfully exploit the Log4Shell vulnerability to encrypt 18 BlackBerry user hosts and 21 servers.

Advertisements

The threat actor initially obtained access to the client’s VMware Horizon Connection Broker server via Log4Shell exploitation. After entering the client’s environment, it installed the Google Chrome browser and used it to download attack tools to the server.

The threat actor also downloaded and installed two remote monitoring and maintenance (RMM) agents, AnyDesk and Action1 (Which is not used in any of previous ransomware attack). It used these agents to establish persistence within the network and to facilitate additional remote access.

The attackers also used tooling they’d brought into the environment to dump credentials from memory and scan the network. They used Microsoft Windows built-in RDP to connect to other servers, access data files on network shares, and eventually to deploy the “MONTI” strain of ransomware. The goal of this activity was to encrypt multiple hosts within the network including Veeam-based backups.

Advertisements

Monti Toolset

  • Action1 RMM
  • Anydesk RMM
  • Avast Anti-rootkit driver
  • GMER
  • MEGASync
  • Mimikatz
  • netscan/netscan64
  • Putty
  • PSExec
  • Veeam Get Creds
  • Veeamp
  • WINRAR
  • WinSCP

The attackers used two well-known temporary file transfer websites dropmefiles.com[.]ua and temp[.]sh to bring tools into the network and to exfiltrate data.Upon execution, the malware encrypts files on disk, adds a “.PUUUK” extension to affected files’ names.

The researchers said they believe Monti lifted Conti’s infrastructure when it was leaked last spring, during February and March.

As additional ransomware-as-a-service (RaaS) solution builders and source code become leaked, either publicly or privately, we could continue to see these doppelganger-like ransomware groups proliferate.

This research documented by researchers from BlackBerry Threat Intelligence team.

Advertisements

Indicators of Compromise

MONTI” payload SHA-256 hashes:

  1. b45fe91d2e2340939781d39daf606622e6d0b9ddacd8425cb8e49c56124c1d56
  2. 158dcb26239a5db7a0eb67826178f1eaa0852d9d86e59afb86f04e88096a19bc
  3. 702099b63cb2384e11f088d6bc33afbd43a4c91848f393581242a6a17f1b30a0

Veeam Credential Dumper SHA-256 hashes:

  • 9aa1f37517458d635eae4f9b43cb4770880ea0ee171e7e4ad155bbdee0cbe732
  • df492b4cc7f644ad3e795155926d1fc8ece7327c0c5c8ea45561f24f5110ce54
  • 78517fb07ee5292da627c234b26b555413a459f8d7a9641e4a9fcc1099f06a3d
%d bloggers like this: