September 25, 2023

Security researchers have discovered a ransomware campaign from a group called Monti, may be the name derived since it relies almost entirely on leaked Conti code to launch attacks.

The Monti group emerged with a round of ransomware attacks and was able to successfully exploit the Log4Shell vulnerability to encrypt 18 BlackBerry user hosts and 21 servers.

Advertisements

The threat actor initially obtained access to the client’s VMware Horizon Connection Broker server via Log4Shell exploitation. After entering the client’s environment, it installed the Google Chrome browser and used it to download attack tools to the server.

The threat actor also downloaded and installed two remote monitoring and maintenance (RMM) agents, AnyDesk and Action1 (Which is not used in any of previous ransomware attack). It used these agents to establish persistence within the network and to facilitate additional remote access.

The attackers also used tooling they’d brought into the environment to dump credentials from memory and scan the network. They used Microsoft Windows built-in RDP to connect to other servers, access data files on network shares, and eventually to deploy the “MONTI” strain of ransomware. The goal of this activity was to encrypt multiple hosts within the network including Veeam-based backups.

Advertisements

Monti Toolset

  • Action1 RMM
  • Anydesk RMM
  • Avast Anti-rootkit driver
  • GMER
  • MEGASync
  • Mimikatz
  • netscan/netscan64
  • Putty
  • PSExec
  • Veeam Get Creds
  • Veeamp
  • WINRAR
  • WinSCP

The attackers used two well-known temporary file transfer websites dropmefiles.com[.]ua and temp[.]sh to bring tools into the network and to exfiltrate data.Upon execution, the malware encrypts files on disk, adds a “.PUUUK” extension to affected files’ names.

The researchers said they believe Monti lifted Conti’s infrastructure when it was leaked last spring, during February and March.

As additional ransomware-as-a-service (RaaS) solution builders and source code become leaked, either publicly or privately, we could continue to see these doppelganger-like ransomware groups proliferate.

This research documented by researchers from BlackBerry Threat Intelligence team.

Advertisements

Indicators of Compromise

MONTI” payload SHA-256 hashes:

  1. b45fe91d2e2340939781d39daf606622e6d0b9ddacd8425cb8e49c56124c1d56
  2. 158dcb26239a5db7a0eb67826178f1eaa0852d9d86e59afb86f04e88096a19bc
  3. 702099b63cb2384e11f088d6bc33afbd43a4c91848f393581242a6a17f1b30a0

Veeam Credential Dumper SHA-256 hashes:

  • 9aa1f37517458d635eae4f9b43cb4770880ea0ee171e7e4ad155bbdee0cbe732
  • df492b4cc7f644ad3e795155926d1fc8ece7327c0c5c8ea45561f24f5110ce54
  • 78517fb07ee5292da627c234b26b555413a459f8d7a9641e4a9fcc1099f06a3d
Tags:

1 thought on “Monti Ransomware follows Heirs of Conti

  1. Pingback: Noberus Ransomware follows Monti path to infect Veeam Backups - TheCyberThrone

Leave a Reply

You may have missed

BlackCat adds Clarion to its Victim list

September 24, 2023

TheCyberThrone Security Week In Review – September 23, 2023

September 24, 2023

MGM Resorts and Ceasars Attacks – Lesson Learnt

September 23, 2023

CISA KEV Update September 2023 – Part II

September 23, 2023

Air Canada Reveals Data Exposure due to a Cyberattack

September 23, 2023

SandMan APT Group in action against Telcos

September 22, 2023
%d bloggers like this: