Splunk : Conti Threat Research Update and Detections

07/30/2021 | 05:00pm EDT
By Splunk Threat Research Team July 30, 2021

The Splunk Threat Research Team has researched two of the payloads currently involved in these heinous campaigns against healthcare and first responder organizations: Conti and REvil. In the first blog, we explored the REvil ransomware group; in this blog, we will explore Conti.

The Conti ransomware payload is said to have surfaced in 2020 and is associated with the following attack vectors:

  • RDP brute force
  • Use of weaponized Word documents
  • Use of Cobalt Strike payload
  • Emotet payload
  • Delivery via DLLs
  • Credential access via Mimikatz
  • Sysinternals tools
  • Trickbot payload
  • Double extortion: besides ransomware deployment, the threat of publishing sensitive information if the ransom is not paid
  • Communication with victims via VOIP or Protonmail
  • Remote Access Tools using VPS infrastructure (ports 80, 443, 8080, 8443)
  • Use of the internet storage service MegaNZ
  • AES-256 encryption applied to system objects (files, shares)

In this blog, I'll show you how I used Splunk Attack Range, an open-source tool used to simulate cyber attacks. The following screen captures show how Conti ransomware was executed via Splunk Attack Range.

How Conti Ransomware is Executed in a Simulation

First, we see the ransomware note, presenting a Darkweb address that victims need to visit in order to receive further instructions.

In the following graphic, the victim is asked to upload readme.txt created by the Conti ransomware payload.

Once we upload the readme.txt to the Conti recovery service site hosted on the Darkweb, we are presented with a chat window where we can see actual victims being threatened and trying to negotiate ransom payments in a chat platform titled 'CONTI Recovery service'. The criminals have also been observed posting files they allegedly obtained from victim systems.

Further research on this group's pages on the dark web reveals a 'news' site where they publish information obtained from victims.

Conti Ransomware Features

Conti ransomware is also known for obfuscating and encrypting its code. The screenshot below shows the different encrypted command-line parameters that are decrypted to determine which file encryption feature it needs to execute on a compromised host. If no parameter is found, the default is to encrypt all local drives and network shares.

Command-line argument | Description
-p [folder path]      | Encrypt files in the specified folder path
-m local              | Encrypt all local drives
-m net                | Encrypt all network shares
-m all                | Encrypt all local drives and network shares
-log [log file name]  | Generate a log file of its encryption
-nomutex              | Do not create the Conti mutex on the machine
-size                 | Encrypt files by chunk size

Log File: Below is a screenshot of a Conti log file generated when the -log feature is used.

File Encryption and Ransomware Notes

In the Conti sample we analyzed, we found that it uses the '.LSNWX' file extension for all files it encrypts, on local drives and network shares alike. Below are screenshots of its code creating .LSNWX files, as well as some files being encrypted.

Below is a screenshot of a log file generated with the -m full parameter.

Below is the Conti code as it generates the ransomware notes in the affected directory, root drive or network share.

File Extensions Avoided

When Conti ransomware finds files during the encryption process, it checks each file's extension or file name against a list of extensions and names it avoids encrypting. Below is the list of file extensions and file names this malware sample skips.

.exe, .dll, .sys, .msi, readme.txt, .lnk, .LSNWX, .bat, CONTI_LOG.TXT

Targeted File Extensions: We also found several file extensions decrypted in memory by this ransomware, covering both the small and the large files it wants to encrypt. Below is a screenshot of memory as well as the complete list of file extensions.

'.4dd', '.4dl', '.accdb', '.accdc', '.accde', '.accdr', '.accdt', '.accft', '.adb', '.ade', '.adf', '.adp', '.arc', '.ora', '.alf', '.ask', '.btr', '.bdf', '.cat', '.cdb', '.ckp', '.cma', '.cpd', '.dacpac', '.dad', '.daschema', '.db', '.db-shm', '.db-wal', '.db3', '.dbc', '.dbf', '.dbs', '.dbt', '.dbv', '.dbx', '.dcb', '.dct', '.dcx', '.ddl', '.dlis', '.dp1', '.dqy', '.dsk', '.dsn', '.dtsx', '.dxl', '.eco', '.ecx', '.edb', '.epim', '.exb', '.fcd', '.fdb', '.fic', '.fmp', '.fmp12', '.fmpsl', '.fol', '.fp3', '.fp4', '.fp5', '.fp7', '.fpt', '.frm', '.gdb', '.grdb', '.gwi', '.hdb', '.his', '.ib', '.idb', '.ihx', '.itdb', '.itw', '.jet', '.jtx', '.kdb', '.kexi', '.kexic', '.kexis', '.lgc', '.lwx', '.maf', '.maq', '.mar', '.mas', '.mav', '.mdb', '.mdf', '.mpd', '.mrg', '.mud', '.mwb', '.myd', '.ndf', '.nnt', '.nrmlib', '.ns2', '.ns3', '.ns4', '.nsf', '.nv', '.nv2', '.nwdb', '.nyf', '.odb', '.oqy', '.orx', '.owc', '.p96', '.p97', '.pan', '.pdb', '.pdm', '.pnz', '.qry', '.qvd', '.rbf', '.rctd', '.rod', '.rodx', '.rpd', '.rsd', '.sas7bdat', '.sbf', '.scx', '.sdb', '.sdc', '.sdf', '.sis', '.spq', '.sql', '.sqlite', '.sqlite3', '.sqlitedb', '.te', '.temx', '.tmd', '.tps', '.trc', '.trm', '.udb', '.udl', '.usr', '.v12', '.vis', '.vpd', '.vvv', '.wdb', '.wmdb', '.wrk', '.xdb', '.xld', '.xmlff', '.abcddb', '.abs', '.abx', '.accdw', '.adn', '.db2', '.fm5', '.hjt', '.icg', '.icr', '.kdb', '.lut', '.maw', '.mdn', '.vdi', '.vhd', '.vmdk', '.pvm', '.vmem', '.vmsn', '.vmsd', '.nvram', '.vmx', '.raw', '.qcow2', '.subvol', '.bin', '.vsv', '.avhd', '.vmrs', '.vhdx', '.avdx', '.vmcx'
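Detection logic built from the on-disk artifacts described above (the .LSNWX extension on encrypted files and a readme.txt note per affected directory), as an added Python example that is not from the original post. It counts, per host, notes across distinct directories and .LSNWX creations inside a sliding window over constructed FileCreate-style events; the window length, the thresholds and the event field names are assumptions.

```python
from collections import defaultdict
# Artifacts the analysed sample leaves on disk (from the post): encrypted files get the
# .LSNWX extension and each affected directory gets readme.txt. Window/thresholds are assumed.
ENCRYPTED_EXT = ".lsnwx"
NOTE_NAME = "readme.txt"
WINDOW_SECONDS = 60
NOTE_THRESHOLD = 5        # distinct directories receiving a note inside the window
ENCRYPTED_THRESHOLD = 20  # .LSNWX files created inside the window


def split_path(path):
    """Lower-cased (directory, filename) for Windows or POSIX style paths."""
    directory, _, name = path.replace("\\", "/").rpartition("/")
    return directory.lower(), name.lower()


def classify(path):
    """Map a created file to 'note', 'encrypted' or None."""
    name = split_path(path)[1]
    return "note" if name == NOTE_NAME else "encrypted" if name.endswith(ENCRYPTED_EXT) else None


def max_in_window(times, window):
    """Largest number of sorted timestamps inside any span of `window` seconds."""
    best, j = 0, 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def detect_bulk_file_activity(events, window=WINDOW_SECONDS):
    """Per host, count note and .LSNWX creations in a sliding window; alert on thresholds."""
    notes, encrypted = defaultdict(dict), defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):
        kind = classify(ev["target_filename"])
        if kind == "note":  # one note per directory counts once (first creation)
            notes[ev["dest"]].setdefault(split_path(ev["target_filename"])[0], ev["_time"])
        elif kind == "encrypted":
            encrypted[ev["dest"]].append(ev["_time"])
    alerts = []
    for dest in sorted(set(notes) | set(encrypted)):
        n = max_in_window(sorted(notes[dest].values()), window)
        e = max_in_window(encrypted[dest], window)
        if n >= NOTE_THRESHOLD or e >= ENCRYPTED_THRESHOLD:
            alerts.append({"dest": dest, "notes_in_window": n, "encrypted_in_window": e})
    return alerts

# Constructed FileCreate-style events: ws01 shows the sample's pattern, ws02 is a benign single note.
SAMPLE_EVENTS = [{"_time": 1000 + i, "dest": "ws01", "target_filename": f"C:\\Shares\\d{i % 6}\\f{i}.xlsx.LSNWX"} for i in range(25)]
SAMPLE_EVENTS += [{"_time": 1030 + d, "dest": "ws01", "target_filename": f"C:\\Shares\\d{d}\\readme.txt"} for d in range(6)]
SAMPLE_EVENTS += [{"_time": 1050, "dest": "ws02", "target_filename": "C:\\Users\\bob\\readme.txt"}]
```

Running `detect_bulk_file_activity(SAMPLE_EVENTS)` alerts only on ws01; a single readme.txt on ws02 stays below the note threshold.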

Conti Detections

Conti Common Exec parameter (New)

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.process = "*-m local*" OR Processes.process = "*-m net*"
       OR Processes.process = "*-m all*" OR Processes.process = "*-nomutex*"
    by Processes.process_name Processes.process Processes.parent_process_name
       Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid
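The same substring matching and grouping as the SPL search above, as an added Python example that is not from the original post. The events are constructed and their field names mirror the Endpoint.Processes data model; a benign `git commit -m local-fix` command is included because the wildcard match also catches it, which is why the results are grouped by process name and parent for triage.

```python
# Constructed process-creation events, not from the original post; field names
# mirror the Endpoint.Processes data model the SPL query reads from.
SAMPLE_EVENTS = [
    {"_time": 100, "dest": "ws01", "user": "alice", "parent_process_name": "cmd.exe",
     "process_name": "conti.exe", "process": "conti.exe -m all"},
    {"_time": 160, "dest": "ws01", "user": "alice", "parent_process_name": "cmd.exe",
     "process_name": "conti.exe", "process": "conti.exe -m all"},
    {"_time": 200, "dest": "ws02", "user": "bob", "parent_process_name": "explorer.exe",
     "process_name": "svc.exe", "process": "svc.exe -nomutex -p C:\\Shares\\Finance"},
    # Benign command that the wildcard "*-m local*" still matches: triage by process_name/parent.
    {"_time": 300, "dest": "ws03", "user": "dev", "parent_process_name": "bash.exe",
     "process_name": "git.exe", "process": "git.exe commit -m local-fix"},
    {"_time": 400, "dest": "ws04", "user": "carol", "parent_process_name": "explorer.exe",
     "process_name": "notepad.exe", "process": "notepad.exe C:\\Users\\carol\\notes.txt"},
]

# The four command-line fragments the SPL query searches for with wildcards.
CONTI_EXEC_PATTERNS = ("-m local", "-m net", "-m all", "-nomutex")
GROUP_FIELDS = ("dest", "user", "process_name", "process", "parent_process_name")


def matches_conti_exec(cmdline):
    """Case-insensitive substring match, equivalent to Processes.process="*-m local*" etc."""
    cmd = cmdline.lower()
    return any(p in cmd for p in CONTI_EXEC_PATTERNS)


def conti_common_exec(events):
    """Group matching events like the tstats 'by' clause and compute
    count, firstTime and lastTime per group, oldest group first."""
    groups = {}
    for ev in events:
        if not matches_conti_exec(ev["process"]):
            continue
        key = tuple(ev[f] for f in GROUP_FIELDS)
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    rows = [dict(zip(GROUP_FIELDS, key), **stats) for key, stats in groups.items()]
    return sorted(rows, key=lambda r: r["firstTime"])


if __name__ == "__main__":
    for row in conti_common_exec(SAMPLE_EVENTS):
        print(row)
```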

Detection | Technique ID | Tactic(s) | Description
Ransomware Notes bulk creation (Existing) | T1486 | Impact | Detects suspicious bulk creation of ransomware notes (.txt, .hta, .html) on a compromised machine
High Process Termination Frequency (Existing) | T1486 | Impact | Detects a suspiciously large number of terminated processes within a time frame
Suspicious Process File Path (Existing) | T1543 | Persistence, Privilege Escalation | Detects processes with a suspicious file path
Disable Windows Behavior Monitoring (Existing) | T1562.001 | Impair Defenses: Disable or Modify Tools | Detects the disablement of Windows Defender monitoring
Windows DisableAntiSpyware Registry (Existing) | T1562.001 | Impair Defenses: Disable or Modify Tools | Detects the disablement of Defender via the registry
Attempt To Stop Security Service (Existing) | T1562.001 | Impair Defenses: Disable or Modify Tools | Detects an attempt to stop a security service
Account Discovery With Net App (Existing) | T1087.002 | Account Discovery: Domain Account | Detects account discovery using net.exe
NLTest Domain Trust Discovery (Existing) | T1482 | Domain Trust Discovery | Detects nltest.exe performing domain discovery
DSQuery Domain Discovery (Existing) | T1482 | Domain Trust Discovery | Detects DSQuery performing domain discovery
Create Service In Suspicious File Path (Existing) | T1569.001 | System Services: Service Execution | Detects services with a suspicious file path
Suspicious Rundll32 Activity (Existing) | T1218.011 | Signed Binary Proxy Execution: Rundll32 | Identifies suspicious Rundll32.exe usage
Create local admin accounts using net exe (Existing) | T1136.001 | Create Account: Local Account | Identifies the creation of a local account with net.exe
Detect Credential Dumping through LSASS access (Existing) | T1003.001 | OS Credential Dumping: LSASS Memory | Identifies suspicious LSASS access
Detect PsExec With accepteula Flag (Existing) | T1021.002 | Remote Services: SMB/Windows Admin Shares | Detects PsExec usage with the accepteula flag
Processes launching netsh (Existing) | T1562.004 | Impair Defenses: Disable or Modify System Firewall | Detects processes spawning netsh.exe

Conti Malware

SHA256: 59A9F0DE96EFF57768E995B296AE75778A232F30D95A7B7AB5048C621B50C66D

You can also simulate the attack with Splunk Attack Range and use our pre-built tested detections to monitor the environment.

Disclaimer

Splunk Inc. published this content on 30 July 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 30 July 2021 20:59:29 UTC.
