So, Conti chat logs were leaked, I got my hands on a Google-translated version of it, I'll document what I found interesting 🧵
March 2021: They tried to get ahold of a @vmw_carbonblack license, detailing their roadblocks and options.
Conti "employees" are in fact employees and request days off and maintain non-professional (or, at the very least, friendly) relationships with colleagues
Pay transparency problems? 😂
Not a problem, mango was just being a good manager and raising salaries 🥰
Work gossip? Apparently their work conditions are nice :)
When discussing what appears to be antivirus evasion, they linked IBM research
Driver is *not* happy with specter's performance 😔 They even need to explain what "+=" means. Not the most experienced dev there is, it seems 😂
Specter spitting facts.
They work in sprints, gotta love agile development :D
Wait, did they actually successfully buy a @vmw_carbonblack license? 👀 I'll look it up
At last, my Cyrillic knowledge got useful! The translation said they bought "sonicwolves", but when reading the original, "соникволы" reads "so-nik-voll" and I could understand that they meant they bought the @SonicWall Next-Gen Firewall
Still don't know if they successfully bought Carbon Black, but they do know the best free translator is Google Translate 😂
The last useful mention of @vmw_carbonblack is 3-4 months later, where they mention that they did indeed buy it successfully but don't seem to have deployed it or done anything useful with it.
So Stern messaged every account in Feb 2021 asking who could make a scanner for the @SonicWall vulnerability (idk which CVE). He messaged... 83 accounts 🤯 That is a lot of people
Ah, it's CVE-2020-5135.
June 2021: A very interesting message from Mango to Stern where they basically say their pre-encryption processes are shit, among other things.
They have a @shodanhq license for their "OSINT Department" 😂😂 BUT they also have a SignalHire license as well (most likely to find contacts for their victims and give them harassment phone calls) and they want a ZoomInfo license :o Sent by the same user as the previous message
An interesting conversation between bio and skippy, where bio is trying to negotiate a payment for a big company, but the data they exfilled was mostly worthless. Lots of discussion, and they seem to take the company's claims rather seriously.
Derek pitches a new way to gather victims to Stern: get a database of businesses with IT people's phone numbers and call them automatically. When someone answers, a real operator talks the low-level IT person into believing they missed an update (1/3)
but instead of making the admin install something, they cleverly say they're gonna call their boss, leaving time for the low-level IT person to tell their boss to expect a call from a third party, making the scheme way more believable. Then, they trick the IT boss (2/3)
into installing malware, tell them it didn't work, and schedule an in-person fix later on, making the IT person think they're going to come fix it and that everything is normal, but leaving a lot of time for Conti to prepare an attack (3/3)
I think I misread a small detail: they don't call the IT boss, they call the client the IT firm manages (I think)? The rest seems right.
There are a *lot* of mentions of attacked companies that were not public. Obviously I won't name them here, but it shows a lot of companies pay and never disclose their breach.
I mentioned earlier they wanted a @ZoomInfo license; well, they got it, I saw customers-only ZoomInfo links in their chats
Stern seems very focused on blockchain. There are a lot of mentions of them looking for "blockchain gurus", and they want to build their own blockchain, it seems?
Elvira is a new recruit from June 2021, and they needed to prove their worth by... completing a bring-at-home test. Gratz Elvira, it took you six hours to... count the # of files by extension in a given directory? 😂 If you ever think you're not good enough, bookmark this tweet
Some insights on their salary... It does not seem like much for risking prison?
Holy shit, 2020 logs, and many, many other things, just leaked. Source code for many of their tools, I'll look into it. CONTI USES @laravelphp, my favourite Web Framework 😍
The leak contains very, very long screenshots (probably taken using Chrome DevTools or something) of BazarLoader bots' IPs and full information 😲
It's only 9 pages' worth of screenshots though. There is also the JS code showing how they could run commands on the bots.
There are 36 pages where the HTML is available, which could be used to parse the data, but it's not all the available data, since the last page shows that there are at least 51 pages (most likely many more)
Oops, it was right in the page: there are 3705 bots. I think we see about ~25% of them.
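The tweets above mention that the saved HTML pages of the bot listing "could be used to parse the data" and that the page count is visible in the page itself. Below is an added example of how a threat-intel analyst would do that with the Python standard library; it is not code from the leak or from this thread. The HTML layout it expects (a table of id / IP / OS / comment rows plus a "Page N of M" footer) is an assumption, and the two sample pages are constructed with RFC 5737 documentation addresses, not real IoCs. It deduplicates by IP (the same host can show up under several bot ids), keeps the page an IP was first seen on for provenance, skips malformed rows, and reports which advertised pages are missing from the capture.

```python
"""Parse saved, paginated HTML pages of a bot listing into a deduplicated IoC table.

Added example, not code from the leak or the thread. Assumes each saved page has a
<table> with rows of id / IPv4 / OS / comment and a "Page N of M" footer (both are
assumptions; the markup below is a constructed stand-in).
"""
from html.parser import HTMLParser
import re

PAGE_RE = re.compile(r"Page\s+(\d+)\s+of\s+(\d+)")


def is_ipv4(text):
    """True only for a dotted quad whose four octets are all in 0..255."""
    parts = text.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


class BotTableParser(HTMLParser):
    """Collects every <tr> of <td> cells as a list of strings, plus all text nodes."""

    def __init__(self):
        super().__init__()
        self.rows = []      # one list of cell strings per data row
        self.text = []      # every text node, used to locate the pager footer
        self._row = None
        self._cell = None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag == "td" and self._row is not None:
            self._cell = []

    def handle_endtag(self, tag):
        if tag == "td" and self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            if self._row:                   # header rows (<th> only) stay empty
                self.rows.append(self._row)
            self._row = None

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)
        self.text.append(data)


def parse_page(html):
    """Return (rows, page_number, total_pages); page numbers are None without a footer."""
    parser = BotTableParser()
    parser.feed(html)
    parser.close()
    match = PAGE_RE.search("".join(parser.text))
    if match:
        return parser.rows, int(match.group(1)), int(match.group(2))
    return parser.rows, None, None


def collect_bots(pages):
    """Merge all pages into {ip: record}, skipping rows that are not valid bot rows.

    Returns (bots, total_pages_advertised). Ids accumulate per IP so re-infections
    or NATed hosts are visible; first_page records where the IP was first seen.
    """
    bots, total_pages = {}, 0
    for html in pages:
        rows, page_no, total = parse_page(html)
        total_pages = max(total_pages, total or 0)
        for row in rows:
            if len(row) < 4 or not is_ipv4(row[1]):
                continue
            rec = bots.setdefault(row[1], {"ids": [], "os": row[2],
                                           "comments": set(), "first_page": page_no})
            rec["ids"].append(row[0])
            if row[3]:
                rec["comments"].add(row[3])
    return bots, total_pages


def missing_pages(pages):
    """Page numbers the listing advertises but that are absent from the capture."""
    seen, total = set(), 0
    for html in pages:
        _, page_no, advertised = parse_page(html)
        if page_no:
            seen.add(page_no)
        total = max(total, advertised or 0)
    return sorted(set(range(1, total + 1)) - seen)


# Constructed sample pages (documentation-range addresses, not real IoCs).
PAGE_1 = """<html><body><table>
<tr><th>ID</th><th>IP</th><th>OS</th><th>Comment</th></tr>
<tr><td>1</td><td>203.0.113.10</td><td>Windows 10</td><td>dc?</td></tr>
<tr><td>2</td><td>198.51.100.7</td><td>Windows 7</td><td></td></tr>
<tr><td>3</td><td>999.1.1.1</td><td>?</td><td>broken row</td></tr>
</table><div class="pager">Page 1 of 3</div></body></html>"""

PAGE_2 = """<html><body><table>
<tr><th>ID</th><th>IP</th><th>OS</th><th>Comment</th></tr>
<tr><td>4</td><td>203.0.113.10</td><td>Windows 10</td><td>same box again</td></tr>
<tr><td>5</td><td>192.0.2.55</td><td>Windows Server 2016</td><td></td></tr>
</table><div class="pager">Page 2 of 3</div></body></html>"""

if __name__ == "__main__":
    found, advertised = collect_bots([PAGE_1, PAGE_2])
    for ip, rec in sorted(found.items()):
        print(ip, rec["ids"], "first seen on page", rec["first_page"], sorted(rec["comments"]))
    print("advertised pages:", advertised, "missing:", missing_pages([PAGE_1, PAGE_2]))
```

The point of tracking `first_page` and `missing_pages` is the coverage question raised in the tweet: a partial capture only supports a lower bound on the size of the botnet, so any IoC list derived from it should carry that caveat.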
They have a little "comment" section for each bot to, I guess, classify them.
Worth noting that even though I load the HTML files offline, the links point to their onion domain, perhaps indicating that the domain is hardcoded (in Bazar's code, not Conti's). The onion domain is still up (I get a cert error), but there seems to be another step to access the service
Now looking into the backdoor.js leaked archive. It's a .git file, so rename to .git --> git init --> git reset --hard and you get the files. First thing I notice is they use Python2 😭😭😭
The log comments are in English, authored by "steller", whom we saw in the chat logs as well
In the git repo, there are saved creds for their clearweb GitLab instance, but it says SSL error when I try to connect using HTTPS. Using HTTP, there is a dummy (?) website
This is the TLS error I get when connecting on HTTPS: Internal Error
Back to backdoor.js.git: here are the forbidden locales (if your IP comes from these countries, don't run the backdoor)
There are a lot of IoCs in the code (and obviously in the chat logs); Threat Intelligence vendors and intelligence agencies will have a lot of fun going through those
Taking a break from the code, back to the chat logs! @CrowdStrike is mentioned often in the chats in 2020, where they wanted to get a license for it but, like @vmw_carbonblack, it's only sold by h u m a n s. See 3rd image, they test with a lot of AV vendors :o
They want a test task for people in university? 🤔🤔🤔🤔
Is there a Twitter account for "Ransomware operators taking L's"? 😂😂😂
Troy is an interesting member. They write in Russian, but using the Latin alphabet, not Cyrillic. Must be a foreigner who learned Russian but didn't bother to learn the Cyrillic keyboard layout. Fun fact: Google Translate still manages to translate that to English from Russian
Wow. Target is NOT happy with a mistake bentley made. From my understanding, bentley ran a command on MANY hosts that displayed a visual error to the users. Oof. (this goes on for many more messages, but you get the idea LOL)
There is a lot of talk about opening an office in Moscow and about existing offices (going to the office). I don't think this is a translation error; офис actually means "office" (thanks, Duolingo)
I don't know how I missed it, but the actual locker + decryptor source code was leaked as well, but it's password-protected. We can see the file names, but not the content. The source of the leak said that they'll share only with trusted people to avoid more damage.
Back at it! So the source code of the Conti decryptor was leaked, but not the locker (still password-protected). I won't go into details of the code in this thread as many people are way better at this than me :)
⚠ Right after sending this tweet, I was given the full source code including the locker. Expect the full locker source code to leak soon, if not already leaked. I will *not* be sharing the source, please do not ask :)
This one is pretty good. If I understand correctly, bloodrush is having an emotional talk with best where they say that it really sucks for them to constantly be detected and cleaned up (destruction) by their victims :(
Oct. 22 2021: Chatter about attacking 500-800 targets. Important to note, this date matches a public statement from Conti where they reacted to REvil being hacked and forced offline. I don't remember seeing an attack of this scale. Did it fail?
It's a bit hard to understand, but I think they're cooperating with TrickBot and BazarLoader to hit big on Monday Oct 25 2021 and hit big companies with revenues from 50mil ruble to 90bil ruble.
Earlier, I mentioned that they had access to @ZoomInfo to gather intel on their victims. Well, they also have access to @crunchbase, which seems like a similar tool. Still going through the Oct. 22 - Oct 25 logs, they were working all weekend to gather as many victims as possible before Monday
Nothing on Oct 25, 26 or 27. Maybe they have another chat platform where they coordinated that.
Oh god, in the latest leak, there are many other chat leaks from "rocket-chat". It's formatted in proper JSON this time, but I'll need to code something to read the messages, there is too much noise. The logs date back to 2020-08-22 at the earliest.
YES, I successfully imported one small set of logs into my own Rocket.Chat instance, so I'll be able to easily navigate, search and translate their chats
So it seems the "no politics at work" rule does not apply to Conti, they even homophobically insult Biden in the #announcements channel LOL
Another gem. Tarrant, what a weird subject to be chatting about in #general 😬😬😬
IT'S NOT EVEN A SECRET LOL
"What does your daddy do at work?"
"Daddy negotiates with Americans who enable macros on untrusted documents. He's my hero 😍😍"
At least they have the decency of not showing PHP to their son 🤠 (both messages are from Oct. 1st 2021)
Diversity, Equity, Inclusion....? In MY ransomware group? It's more likely than you think!
If you want insights in a more structured manner, @briankrebs did a fantastic article on the Conti chat logs, and more is to come :) krebsonsecurity.com/2022/03/conti-…
Hey @TrendMicro, you seem to have quite a reputation in the Conti group, you should be proud! 😍
So one interesting thing in one of their Rocket.Chat instances is they create one channel per victim to coordinate the operation, from initial access to impact on objective. The channel name is usually <number>-<status>-<company-domain>. If you have been breached by Conti, 1/2
hit me up, I'll give you a complete transcript of their operation in your network if I have access. 2/2 In this screenshot, tl1 stands for "Team Lead 1"; this name is not translated, it was in the leak directly
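Two tweets above describe the same data-handling problem: the Rocket.Chat logs are "proper JSON" but full of noise, and the per-victim channels follow a <number>-<status>-<company-domain> naming scheme. The following added example (my code, not the thread author's and not from the leak) shows how an incident responder could turn such an export into a per-victim timeline. It assumes the mongoexport-style layout Rocket.Chat uses for its collections (one JSON document per line; messages with `rid`, `msg`, `ts`, `u.username` and an optional `t` system-message type such as `uj` for "user joined"; rooms with `_id` and `name`), which is an assumption about the leak's format, and the sample records below are constructed with placeholder names and domains.

```python
"""Read Rocket.Chat export JSON, drop system-message noise and rebuild one victim
channel's timeline.

Added example, not code from the leak or the thread. Assumes mongoexport-style
JSON lines (an assumption about the leak's format); all records here are constructed.
"""
import json
import re
from datetime import datetime, timezone

# <number>-<status>-<company-domain>, the channel naming scheme described in the thread
CHANNEL_RE = re.compile(r"^(\d+)-([A-Za-z0-9_]+)-(.+)$")


def load_jsonl(text):
    """Parse one JSON document per non-empty line; malformed lines are skipped."""
    docs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            docs.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return docs


def parse_ts(ts):
    """Accept both {"$date": "..."} (mongoexport) and a plain ISO-8601 string."""
    if isinstance(ts, dict):
        ts = ts.get("$date")
    dt = datetime.fromisoformat(str(ts).replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def is_noise(message):
    """System events (join/leave/role changes) carry "t"; blank bodies are noise too."""
    return bool(message.get("t")) or not str(message.get("msg", "")).strip()


def parse_channel_name(name):
    """'17-locked-example-corp.test' -> (17, 'locked', 'example-corp.test'), else None."""
    m = CHANNEL_RE.match(name or "")
    return (int(m.group(1)), m.group(2), m.group(3)) if m else None


def victim_channels(rooms):
    """Map victim domain -> {"rid", "number", "status"} for rooms named per the scheme."""
    out = {}
    for room in rooms:
        parsed = parse_channel_name(room.get("name"))
        if parsed:
            number, status, domain = parsed
            out[domain.lower()] = {"rid": room["_id"], "number": number, "status": status}
    return out


def timeline(rooms_jsonl, messages_jsonl, domain):
    """Chronological (iso_ts, username, msg) tuples for one victim's channel."""
    channel = victim_channels(load_jsonl(rooms_jsonl)).get(domain.lower())
    if channel is None:
        return []
    entries = []
    for m in load_jsonl(messages_jsonl):
        if m.get("rid") != channel["rid"] or is_noise(m):
            continue
        user = m.get("u", {}).get("username", "?")
        entries.append((parse_ts(m["ts"]), user, m["msg"].strip()))
    entries.sort(key=lambda e: e[0])      # exports are not guaranteed to be ordered
    return [(ts.isoformat(), user, msg) for ts, user, msg in entries]


# Constructed sample export (placeholder names and domains).
ROOMS_JSONL = """\
{"_id": "r1", "t": "c", "name": "general"}
{"_id": "r2", "t": "c", "name": "17-locked-example-corp.test"}
{"_id": "r3", "t": "c", "name": "18-recon-acme.example"}
"""

MESSAGES_JSONL = """\
{"_id": "m1", "rid": "r2", "ts": {"$date": "2021-10-01T09:12:00.000Z"}, "u": {"username": "tl1"}, "msg": "recon done, waiting on next step"}
{"_id": "m2", "rid": "r2", "ts": {"$date": "2021-10-01T09:10:00.000Z"}, "t": "uj", "u": {"username": "bentley"}, "msg": "bentley"}
{"_id": "m3", "rid": "r2", "ts": "2021-10-01T10:30:00.000Z", "u": {"username": "bentley"}, "msg": "status: impact stage"}
{"_id": "m4", "rid": "r1", "ts": {"$date": "2021-10-01T11:00:00.000Z"}, "u": {"username": "mango"}, "msg": "salary update"}
{"_id": "m5", "rid": "r3", "ts": {"$date": "2021-10-02T08:00:00.000Z"}, "u": {"username": "tl1"}, "msg": "initial foothold"}
{"_id": "m6", "rid": "r2", "ts": {"$date": "2021-10-01T09:13:00.000Z"}, "u": {"username": "tl1"}, "msg": "   "}
not json at all
"""

if __name__ == "__main__":
    for ts, user, msg in timeline(ROOMS_JSONL, MESSAGES_JSONL, "example-corp.test"):
        print(ts, user, msg)
```

Matching is done on the lower-cased domain taken from the channel name, so an organisation checking whether it appears in such a leak only needs its own domain; the `status` segment is kept as-is rather than interpreted, because the status vocabulary is the operators' own and is only known from the leak.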
After ingesting everything, I have 190 users in Rocket.Chat
Additional translations, because Google Translate has problems with a lot of Russian/tech terms
I found an interview! Silver interviews biggie. They have work hours. Their "company" creates "software for pentesters"
They pay candidates to do their bring-at-home test?? If we should learn one thing from them, let it be this 👀
If you're interested in the technical procedures they give their operators, have a read!

Émilio Gonzalez @res260@infosec.exchange