Conti Ransomware IoCs: Cybersecurity & Infrastructure Security Agency update adds nearly 100 domain names


Conti cyber threat actors remain active, and reported Conti ransomware attacks against U.S. and international organizations have risen to more than 1,000. Notable attack vectors include TrickBot and Cobalt Strike.


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its alert on Conti ransomware with indicators of compromise (IoCs) consisting of nearly 100 domain names used in malicious operations.

To protect against Conti ransomware, CISA, the FBI, and the National Security Agency (NSA) recommend implementing the mitigations described in the advisory, which include requiring multi-factor authentication (MFA), implementing network segmentation, and keeping operating systems and software up to date.

Artifacts leaked with the playbook identify four Cobalt Strike server Internet Protocol (IP) addresses that Conti actors previously used for command and control (C2). As with the domains below, the indicators are published defanged with "[.]" in place of the dot and need to be refanged before use in detection or blocking:

  • 162.244.80[.]235
  • 85.93.88[.]165
  • 185.141.63[.]120
  • 82.118.21[.]1

The leak came from a Ukrainian researcher, who initially published private messages exchanged by the members of the gang and then released the source code for the ransomware, administrative panels, and other tools.

The cache of data also included domains used for compromises with BazarBackdoor, the malware used for initial access to networks of high-value targets.

CISA says Conti threat actors have hit more than 1,000 organizations worldwide, the most prevalent attack vectors being TrickBot malware and Cobalt Strike beacons.

The agency today released a batch of 98 domain names that share “registration and naming characteristics similar” to those used by groups distributing Conti ransomware.

Domains:

badiwaw[.]com
balacif[.]com
barovur[.]com
basisem[.]com
bimafu[.]com
bujoke[.]com
buloxo[.]com
bumoyez[.]com
bupula[.]com
cajeti[.]com
cilomum[.]com
codasal[.]com
comecal[.]com
dawasab[.]com
derotin[.]com
dihata[.]com
dirupun[.]com
dohigu[.]com
dubacaj[.]com
fecotis[.]com
fipoleb[.]com
fofudir[.]com
fulujam[.]com
ganobaz[.]com
gerepa[.]com
gucunug[.]com
guvafe[.]com
hakakor[.]com
hejalij[.]com
hepide[.]com
hesovaw[.]com
hewecas[.]com
hidusi[.]com
hireja[.]com
hoguyum[.]com
jecubat[.]com
jegufe[.]com
joxinu[.]com
kelowuh[.]com
kidukes[.]com
kipitep[.]com
kirute[.]com
kogasiv[.]com
kozoheh[.]com
kuxizi[.]com
kuyeguh[.]com
lipozi[.]com
lujecuk[.]com
masaxoc[.]com
mebonux[.]com
mihojip[.]com
modasum[.]com
moduwoj[.]com
movufa[.]com
nagahox[.]com
nawusem[.]com
nerapo[.]com
newiro[.]com
paxobuy[.]com
pazovet[.]com
pihafi[.]com
pilagop[.]com
pipipub[.]com
pofifa[.]com
radezig[.]com
raferif[.]com
ragojel[.]com
rexagi[.]com
rimurik[.]com
rinutov[.]com
rusoti[.]com
sazoya[.]com
sidevot[.]com
solobiv[.]com
sufebul[.]com
suhuhow[.]com
sujaxa[.]com
tafobi[.]com
tepiwo[.]com
tifiru[.]com
tiyuzub[.]com
tubaho[.]com
vafici[.]com
vegubu[.]com
vigave[.]com
vipeced[.]com
vizosi[.]com
vojefe[.]com
vonavu[.]com
wezeriw[.]com
wideri[.]com
wudepen[.]com
wuluxo[.]com
wuvehus[.]com
wuvici[.]com
wuvidi[.]com
xegogiv[.]com
xekezix[.]com

The above list of domains associated with Conti ransomware attacks appears to be distinct from the hundreds that the Ukrainian researcher leaked from BazarBackdoor infections.
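The defanged indicators in this advisory are only useful once they are refanged and checked against telemetry. The following script is an added example, not code from CISA or BleepingComputer: it loads a defanged IoC list (a handful of the IPs and domains from the advisory above), sweeps DNS and firewall log lines for hits while matching domains on label boundaries (so a lookalike such as notbadiwaw.com does not trigger on badiwaw.com), and emits Response Policy Zone records to sinkhole the domains and their subdomains. The log lines and the log format are constructed for the example.

```python
"""Operationalise the defanged Conti IoCs: refang them, sweep DNS and
firewall logs for hits, and emit RPZ records that sinkhole the domains."""
from __future__ import annotations

import ipaddress
import re

# A few of the indicators from the advisory, kept defanged exactly as published.
DEFANGED_IOCS = """
# Cobalt Strike C2 addresses
162.244.80[.]235
85.93.88[.]165
# Domains
badiwaw[.]com
balacif[.]com
xekezix[.]com
"""

# Constructed sample telemetry for this example, not real log data.
SAMPLE_LOGS = [
    "2022-03-09T14:02:11Z dns client=10.0.5.23 query=cdn.badiwaw.com type=A",
    "2022-03-09T14:02:12Z dns client=10.0.5.23 query=login.microsoftonline.com type=A",
    "2022-03-09T14:02:13Z fw src=10.0.5.23 dst=162.244.80.235 dport=443 action=allow",
    "2022-03-09T14:03:40Z dns client=10.0.7.8 query=notbadiwaw.com type=A",
    "2022-03-09T14:04:02Z fw src=10.0.7.8 dst=162.244.80.23 dport=443 action=allow",
]

DEFANG_RE = re.compile(r"\[\.\]|\(\.\)|\[dot\]", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn 'badiwaw[.]com' back into 'badiwaw.com' (lower-cased, trailing dot dropped)."""
    return DEFANG_RE.sub(".", indicator.strip()).lower().rstrip(".")


def load_iocs(text: str) -> tuple[set[str], set[str]]:
    """Split a defanged IoC list into a domain set and an IP set; '#' lines are comments."""
    domains, ips = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ind = refang(line)
        try:
            ips.add(str(ipaddress.ip_address(ind)))
        except ValueError:
            domains.add(ind)
    return domains, ips


def domain_match(fqdn: str, domains: set[str]) -> str | None:
    """Return the IoC domain that fqdn equals or is a subdomain of, else None.
    Matching is on label boundaries, so 'notbadiwaw.com' does not match 'badiwaw.com'."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_line(line: str, domains: set[str], ips: set[str]) -> list[tuple[str, str]]:
    """Extract every IPv4 address and hostname-looking token from a log line
    and report the ones that match an indicator."""
    hits = []
    for ip in IPV4_RE.findall(line):
        if ip in ips:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(line):
        matched = domain_match(host, domains)
        if matched:
            hits.append(("domain", matched))
    return hits


def sweep(lines, domains: set[str], ips: set[str]) -> list[tuple[int, str, str]]:
    """Return (1-based line number, kind, indicator) for every hit in the log."""
    return [(n, kind, ind)
            for n, line in enumerate(lines, 1)
            for kind, ind in scan_line(line, domains, ips)]


def rpz_records(domains: set[str]) -> list[str]:
    """Response Policy Zone records that NXDOMAIN each domain and its subdomains
    ('CNAME .' is the RPZ NXDOMAIN action), ready to paste into a zone file."""
    records = []
    for d in sorted(domains):
        records.append(f"{d} CNAME .")
        records.append(f"*.{d} CNAME .")
    return records


DOMAINS, IPS = load_iocs(DEFANGED_IOCS)

if __name__ == "__main__":
    for n, kind, ind in sweep(SAMPLE_LOGS, DOMAINS, IPS):
        print(f"line {n}: {kind} hit on {ind}")
    print("\n".join(rpz_records(DOMAINS)))
```

Run against the constructed log, the sweep flags line 1 (a subdomain lookup under badiwaw.com) and line 3 (a connection to 162.244.80.235) and ignores the lookalike domain and the near-miss IP. Feed the full 98-domain list into DEFANGED_IOCS to get a complete RPZ for a resolver such as BIND or Unbound; the IP set is best treated as historical, since the advisory describes the addresses as previously used.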

Despite the unwanted attention Conti received recently from the exposure of its internal chats and tools, the gang has not slowed its activity.

Since the beginning of March, Conti has listed on its leak site more than two dozen victims in the U.S., Canada, Germany, Switzerland, the U.K., Italy, Serbia, and Saudi Arabia.

(Source: BleepingComputer, CISA)

