Secret "Backdoor" Behind Conti Ransomware Operation: Introducing Atera Agent

Updated: Oct 8, 2021

By Vitali Kremez

This report is based on our actual proactive victim breach intelligence and subsequent incident response (not a simulated or sandbox environment) identified via unique high-value collections at AdvIntel.

Adversary Tactics Chain Flow:

  1. Conti Access via TrickBot, Buer, BazarBackdoor, AnchorDNS

  2. Cobalt Strike beacon

  3. Atera Agent Installation

  4. Persistence & Shell Execution to Survive Cobalt Strike detections

Adversaries use the Cobalt Strike beacon's command-line interface (for example its "shell" command) to interact with compromised hosts and launch other software during the course of a ransomware operation.

What is Atera?

Atera is an IT management solution that enables monitoring, management, and automation of hundreds of SMB IT networks from a single console. Atera includes a remote control, patch management, discovery, inventory of IT assets, monitoring, security, backup, and more.

Deploying Atera Agent as "Backdoor"

The idea behind this tactic is to leverage a legitimate remote management agent, Atera, to survive a possible detection of Cobalt Strike by the endpoint detection and response (EDR) platform: if the beacon is found and removed, the Atera agent, enrolled to an account the operators registered themselves, still gives them remote access to the host. Relying on a legitimate tool to achieve persistence is a core idea used by the ransomware "pentesting" team. For defenders, the practical check is simple: an Atera agent appearing on a host in an organization that does not use Atera, or enrolled to an account the IT team does not recognize, should be treated as a backdoor until proven otherwise.

While reviewing Conti incidents that we proactively identified, monitored, and alerted on via our threat prevention platform Andariel, AdvIntel found that Atera played the key role in enabling covert backdoor installation on the host right after the Conti gang obtained initial access via TrickBot, BazarBackdoor, AnchorDNS, or Cobalt Strike directly.

Conti Operational Handbook: Atera as Backdoor

The tactics leaked by the disgruntled Conti operator match what we observed in our proactive cases.

The method includes the following steps as translated from the tutorial:

  1. Registration of the agent access via the official website

  2. Click on download and set up agent access with the script

  3. Run the agent installation via the Cobalt Strike “shell atera_run.msi”

  4. Observe the device beacon in the Atera system

  5. Remove the installation script artifacts
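The five steps above leave a recognizable trail on the endpoint: a shell spawned by the beacon hands an .msi to the Windows Installer, msiexec.exe runs with the shell as its parent, and a new service appears for the agent. The following detection logic is an added example written for this page, not code from AdvIntel, Conti, or Atera. It runs over constructed, Sysmon-style sample events (not real captures); the service name "AteraAgent" and the install directory under "C:\Program Files\ATERA Networks\" are assumed from public Atera documentation rather than taken from the report, and the rundll32.exe parent in the sample stands in for whatever process the beacon happens to live in.

```python
"""Detection logic for the Atera-as-backdoor install chain described above.

Added example, not AdvIntel's, Conti's, or Atera's code. Event fields loosely
follow Sysmon (event 1, process creation) and the Windows System log
(event 7045, service installed); the sample events are constructed.
Assumed rather than taken from the report: the Atera service name
"AteraAgent" and its install directory under "C:\\Program Files\\ATERA Networks\\".
"""
import re
from typing import Dict, FrozenSet, List, Set

# Service names of RMM agents the organization does not deploy (assumed).
RMM_SERVICE_NAMES = {"ateraagent"}
# Installer package name pattern for the agent; extend for other RMM tools.
RMM_PACKAGE_RE = re.compile(r"atera[^\\/\s\"']*\.msi", re.IGNORECASE)
# A Cobalt Strike `shell` command runs through cmd.exe; cover PowerShell too.
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}
# `cmd.exe /C something.msi`: an .msi handed straight to the shell.
SHELL_MSI_RE = re.compile(r"/c\s+\"?[^\"\s]+\.msi", re.IGNORECASE)

# Constructed sample telemetry for one compromised host (WS01) and one
# clean host (WS02). The beacon's host process (rundll32.exe) is assumed.
SAMPLE_EVENTS = [
    # 0: beacon runs `shell atera_run.msi`, which spawns cmd.exe /C ...
    {"event_id": 1, "host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "cmd.exe /C atera_run.msi"},
    # 1: the .msi file association hands the package to msiexec.exe
    {"event_id": 1, "host": "WS01", "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\Public\atera_run.msi"'},
    # 2: the installed agent registers its service
    {"event_id": 7045, "host": "WS01", "service_name": "AteraAgent",
     "image_path": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"},
    # 3: benign software deployment: msiexec from a service host, not a shell
    {"event_id": 1, "host": "WS02", "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"msiexec.exe /i C:\Deploy\7z2107-x64.msi /qn"},
    # 4: a shell-launched package that is not an RMM agent
    {"event_id": 1, "host": "WS02", "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"msiexec.exe /i C:\Temp\notepadpp.msi"},
]


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict], sanctioned_hosts: FrozenSet[str] = frozenset()) -> List[Dict]:
    """Return one finding per event that matches a rule, in event order."""
    findings = []
    for i, ev in enumerate(events):
        host = ev.get("host", "")
        if ev.get("event_id") == 1:
            image = _basename(ev.get("image", ""))
            parent = _basename(ev.get("parent_image", ""))
            cmdline = ev.get("command_line", "")
            # Rule 1: the `shell atera_run.msi` step as the endpoint sees it.
            if image in SHELL_IMAGES and SHELL_MSI_RE.search(cmdline):
                findings.append({"rule": "shell_invokes_msi", "index": i, "host": host})
            # Rule 2: msiexec installing the RMM package with a shell as parent.
            elif image == "msiexec.exe" and parent in SHELL_IMAGES and RMM_PACKAGE_RE.search(cmdline):
                findings.append({"rule": "rmm_install_from_shell", "index": i, "host": host})
        elif ev.get("event_id") == 7045:
            # Rule 3: the agent service appearing on a host where Atera is not sanctioned.
            name = ev.get("service_name", "").lower()
            if name in RMM_SERVICE_NAMES and host not in sanctioned_hosts:
                findings.append({"rule": "unsanctioned_rmm_service", "index": i, "host": host})
    return findings


def correlate(findings: List[Dict]) -> Set[str]:
    """Hosts where a shell-driven install was followed by the agent service."""
    installs = {f["host"] for f in findings
                if f["rule"] in ("shell_invokes_msi", "rmm_install_from_shell")}
    services = {f["host"] for f in findings if f["rule"] == "unsanctioned_rmm_service"}
    return installs & services


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("Atera backdoor chain on hosts:", correlate(hits))
```

Rule 1 on its own is noisy in environments where administrators run installers from a command prompt; the value is in the correlation, which only fires when the same host also gains the agent service. Passing the hosts where Atera is legitimately deployed as sanctioned_hosts suppresses the service rule there, so the chain is reported only where the agent has no business being.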