The U.S. CISA has updated the alert on Conti ransomware and added 98 domain names used by the criminal gang.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated the alert on Conti ransomware operations, the agency added 100 domain names used by the group.

The joint report published by CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) in September warned of an increased number of Conti ransomware attacks against US organizations.

The Indicators of Compromise (IoCs) added to the report was provided by the U.S. Secret Service.

Recently a Ukrainian researcher leaked 60,694 messages internal chat messages belonging to the Conti ransomware operation after the announcement of the group of its support to Russia. He was able to access the database XMPP chat server of the Conti group.

The attack against the Conti ransomware and the data leak is retaliation for its support for the Russian invasion of Ukraine.

The leaked data in a second round included the source code for the Conti ransomware encryptor, decryptor, and builder, along with the administrative panel and the BazarBackdoor API.

The leaked data include information about the attack infrastructure used by the gang including domains employed in BazarBackdoor-based attacks.

“Conti cyber threat actors remain active and reported Conti ransomware attacks against U.S. and international organizations have risen to more than 1,000. Notable attack vectors include Trickbot and Cobalt Strike (see below for details).” reads the report. “The following domains have registration and naming characteristics similar to domains used by groups that have distributed Conti ransomware. Many of these domains have been used in malicious operations; however, some may be abandoned or may share similar characteristics coincidentally.”

CISA added 98 domain names that were used by the gang and that share registration and naming characteristics similar to those used in Conti ransomware operations. The experts pointed out that the new domains added to the report were not included in the leak of the Ukrainian researcher.

“The following domains have registration and naming characteristics similar to domains used by groups that have distributed Conti ransomware. Many of these domains have been used in malicious operations; however, some may be abandoned or may share similar characteristics coincidentally.” continues the alert.

badiwaw[.]combalacif[.]combarovur[.]combasisem[.]combimafu[.]combujoke[.]combuloxo[.]combumoyez[.]combupula[.]comcajeti[.]comcilomum[.]comcodasal[.]comcomecal[.]comdawasab[.]comderotin[.]comdihata[.]comdirupun[.]comdohigu[.]comdubacaj[.]comfecotis[.]comfipoleb[.]comfofudir[.]comfulujam[.]comganobaz[.]comgerepa[.]comgucunug[.]com guvafe[.]comhakakor[.]comhejalij[.]comhepide[.]comhesovaw[.]comhewecas[.]comhidusi[.]comhireja[.]comhoguyum[.]comjecubat[.]comjegufe[.]comjoxinu[.]comkelowuh[.]comkidukes[.]comkipitep[.]comkirute[.]comkogasiv[.]comkozoheh[.]comkuxizi[.]comkuyeguh[.]comlipozi[.]comlujecuk[.]commasaxoc[.]commebonux[.]commihojip[.]commodasum[.]commoduwoj[.]commovufa[.]comnagahox[.]comnawusem[.]comnerapo[.]comnewiro[.]compaxobuy[.]compazovet[.]compihafi[.]compilagop[.]compipipub[.]compofifa[.]comradezig[.]comraferif[.]comragojel[.]comrexagi[.]comrimurik[.]comrinutov[.]comrusoti[.]comsazoya[.]comsidevot[.]comsolobiv[.]comsufebul[.]comsuhuhow[.]comsujaxa[.]comtafobi[.]com tepiwo[.]comtifiru[.]comtiyuzub[.]comtubaho[.]comvafici[.]comvegubu[.]comvigave[.]comvipeced[.]comvizosi[.]comvojefe[.]comvonavu[.]comwezeriw[.]comwideri[.]comwudepen[.]comwuluxo[.]comwuvehus[.]comwuvici[.]comwuvidi[.]comxegogiv[.]comxekezix[.]comFollow me on Twitter: @securityaffairs and Facebook

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}
Pierluigi Paganini

(SecurityAffairs – hacking, Conti)

The post CISA added 98 domains to the joint alert related to Conti ransomware gang appeared first on Security Affairs.