CISA updates Conti ransomware warning with nearly 100 domain names

The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its warning about Conti ransomware with indicators of compromise (IoCs) comprising nearly 100 domain names used in malicious operations.

Originally published on September 22, 2021, the advisory details what CISA and the Federal Bureau of Investigation (FBI) observed in Conti ransomware attacks targeting organizations in the US. The updated cybersecurity advisory also includes data from the US Secret Service.

Conti IoC domains

Internal details of the Conti ransomware operation began leaking in late February after the gang publicly announced it would side with Russia over its invasion of Ukraine.

The leak came from a Ukrainian researcher, who initially published private messages exchanged by members of the gang and then released the source code for the ransomware, administrative panels and other tools.

The cache of data also included domains used in compromises involving BazarBackdoor, the malware used for initial access to high-value targets’ networks.

CISA says the Conti threat actors have affected more than 1,000 organizations worldwide, with the most common attack vectors being TrickBot malware and Cobalt Strike beacons.

The agency today released a batch of 98 domain names that have “registration and naming characteristics similar” to those used in Conti ransomware attacks by groups spreading the malware.

The agency notes that while the domains have been used for malicious operations, some of them “may be abandoned or happen to have similar characteristics.”

The list of 98 domains CISA associated with Conti ransomware attacks appears to differ from the hundreds that the Ukrainian researcher leaked from BazarBackdoor infections.

Despite the unwanted attention Conti has recently received from the exposure of its internal chats and tools, the gang has not slowed its activity.

As of early March, Conti has listed more than two dozen victims in the US, Canada, Germany, Switzerland, UK, Italy, Serbia and Saudi Arabia on its website.

This post, “CISA updates Conti ransomware warning with nearly 100 domain names”, was originally published at https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/