CISA updates Conti ransomware alert with nearly 100 domain names


The US Cybersecurity and Infrastructure Security Agency (CISA) has updated the Conti ransomware alert with Indicators of Compromise (IoCs) consisting of nearly 100 domain names used in malicious operations.

Originally published September 22, 2021, as Alert AA21-265A, the advisory includes details observed by CISA and the Federal Bureau of Investigation (FBI) in Conti ransomware attacks targeting organizations in the United States. The update adds data from the US Secret Service.

Conti IoC Domains

Internal details of the Conti ransomware operation began leaking in late February after the gang publicly announced it was siding with Russia over the invasion of Ukraine.

The leak comes from a Ukrainian researcher, who initially posted private messages exchanged by gang members, then released source code for ransomware, administrative panels, and other tools.

The data cache also included domains used for compromises with BazarBackdoor, the malware used for initial access to high-value target networks.

According to CISA, the threat actor Conti has impacted more than 1,000 organizations worldwide, with the most prevalent attack vectors being the TrickBot malware and Cobalt Strike beacons.

The agency today released a batch of 98 domain names that share “similar registration and naming characteristics” with domains used in Conti ransomware attacks by the groups distributing the malware.

The agency notes that although the domains have been used in malicious operations, some of them “may be dropped or may coincidentally share similar characteristics”.

Domains

badiwaw[.]com
balacif[.]com
barovur[.]com
basisem[.]com
bimafu[.]com
bujoke[.]com
buloxo[.]com
bumoyez[.]com
bupula[.]com
cajeti[.]com
cilomum[.]com
codasal[.]com
comecal[.]com
dawasab[.]com
derotin[.]com
dihata[.]com
dirupun[.]com
dohigu[.]com
dubacaj[.]com
fecotis[.]com
fipoleb[.]com
fofudir[.]com
fulujam[.]com
ganobaz[.]com
gerepa[.]com
gucunug[.]com
guvafe[.]com
hakakor[.]com
hejalij[.]com
hepide[.]com
hesovaw[.]com
hewecas[.]com
hidusi[.]com
hireja[.]com
hoguyum[.]com
jecubat[.]com
jeguefe[.]com
joxinu[.]com
kelowuh[.]com
kidukes[.]com
kipitep[.]com
kirute[.]com
kogasiv[.]com
kozoheh[.]com
kuxizi[.]com
kuyeguh[.]com
lipozi[.]com
lujecuk[.]com
masaxoc[.]com
mebonux[.]com
mihojip[.]com
modasum[.]com
moduwoj[.]com
movufa[.]com
nagahox[.]com
nawusem[.]com
nerapo[.]com
newiro[.]com
paxobuy[.]com
pazovet[.]com
pihafi[.]com
pilagop[.]com
pipipub[.]com
pofifa[.]com
radezig[.]com
raferif[.]com
ragüli[.]com
rexagi[.]com
rimurik[.]com
rinutov[.]com
rusoti[.]com
sazoya[.]com
sidevot[.]com
solobiv[.]com
sufebul[.]com
suhuhow[.]com
sujaxa[.]com
tafobi[.]com
tepiwo[.]com
tifiro[.]com
tiyuzub[.]com
tubaho[.]com
vafici[.]com
vegubu[.]com
vigave[.]com
vipeced[.]com
vizosi[.]com
vojefe[.]com
vonavu[.]com
wezeriw[.]com
wideri[.]com
wudepen[.]com
wuluxo[.]com
wuvehus[.]com
wuvici[.]com
wuvidi[.]com
xegogiv[.]com
xekezix[.]com
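For defenders who want to act on the list, the usual first step is to refang the `[.]` notation and sweep DNS query logs for the domains and any of their subdomains. The script below is an added example, not part of the article or of CISA's advisory; the DNS log lines are constructed for illustration, the IoC text is a small sample drawn from the list above (the full list loads the same way), and the BIND-style query log format is an assumption about the reader's resolver logs.

```python
"""Sweep DNS query logs for the defanged Conti domains published by CISA.

Added example; not code from the article or from CISA.  Loads indicators in
the advisory's defanged form and matches them on label boundaries so that
subdomains hit but look-alike registrations do not.
"""
import re
from typing import List, Optional, Tuple

# Sample of the 98 advisory domains, in the defanged form CISA uses.
# Assumption: the full list is pasted here one domain per line.
DEFANGED_IOCS = """
badiwaw[.]com
basisem[.]com
gerepa[.]com
sidevot[.]com
xekezix[.]com
"""

# Constructed sample log lines (not real data), BIND-style query log.
SAMPLE_DNS_LOG = """\
09-Mar-2022 14:02:11.100 client 10.1.4.22#51234: query: cdn.badiwaw.com IN A + (10.1.4.1)
09-Mar-2022 14:02:12.031 client 10.1.4.22#51234: query: www.example.com IN A + (10.1.4.1)
09-Mar-2022 14:02:13.502 client 10.1.7.9#40001: query: sidevot.com IN TXT + (10.1.4.1)
09-Mar-2022 14:02:14.110 client 10.1.7.9#40002: query: notbadiwaw.com IN A + (10.1.4.1)
09-Mar-2022 14:02:15.770 client 10.1.2.3#53001: query: GEREPA.COM. IN A + (10.1.4.1)
"""

# Matches the client address and queried name in a BIND query log line.
QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('a[.]b', 'hxxp://') into a plain lowercase domain."""
    d = indicator.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)
    for bracket in ("[.]", "(.)", "{.}"):
        d = d.replace(bracket, ".")
    return d.rstrip(".")


def load_iocs(text: str) -> frozenset:
    """Parse one defanged domain per line into a set of refanged domains."""
    return frozenset(refang(line) for line in text.splitlines() if line.strip())


def matches_ioc(qname: str, iocs) -> Optional[str]:
    """Return the matching IoC if qname is that domain or one of its subdomains.

    Walking the label suffixes keeps matching on label boundaries:
    'cdn.badiwaw.com' matches 'badiwaw.com', 'notbadiwaw.com' does not.
    """
    labels = qname.strip().lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_dns_log(lines, iocs) -> List[Tuple[str, str, str]]:
    """Return (source_ip, queried_name, matched_ioc) for every hit in the log."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query record; skip rather than guess
        ioc = matches_ioc(m.group("qname"), iocs)
        if ioc:
            hits.append((m.group("src"), m.group("qname").rstrip(".").lower(), ioc))
    return hits


if __name__ == "__main__":
    for src, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG.splitlines(), load_iocs(DEFANGED_IOCS)):
        print(f"{src} queried {qname} (matches IoC {ioc})")
```

A hit is a lead, not a verdict: CISA itself cautions that some of these domains may only coincidentally share characteristics with the operational ones, so pivot on the source host (process, timing, other resolutions) before treating it as an infection.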

The above list of domains associated with Conti ransomware attacks appears to be different from the hundreds the Ukrainian researcher disclosed from BazarBackdoor infections.

Despite the unwanted attention Conti has recently received from the exposure of its internal chats and tools, the gang has not curbed its activity.

Since early March, Conti has listed more than two dozen victims on its leak site, in the United States, Canada, Germany, Switzerland, the United Kingdom, Italy, Serbia and Saudi Arabia.
