Cybersecurity Threat Spotlight

Ransomware attacks, trojans, and loaders

Artsiom Holub
August 26, 2021 • 5 minute read

Summer may be winding down, but August was still an active month for cybercriminals. In this edition of Threat Spotlight, our cybersecurity threat analysis team discusses the ransomware attacks, trojans, and malware loaders that bad actors are currently using to cripple networks and steal data.

Want to learn more about current threat trends? Check out the data our Threat Analysis Team has compiled.


Threat Name: Conti Ransomware

Threat Type: Ransomware
Threat Actors: UNC1878, Wizard Spider, TEMP.MixMaster, and Grim Spider. These actors also operate Ryuk ransomware and run a leak site where they publish data exfiltrated from victims who do not pay the ransom.
Delivery and Exfiltration:

A graphic showing the process of a Conti Ransomware attack. The attack chain is as follows: phishing to malicious JS to IcedID DLL to Cobalt Strike beacon to RDP to data exfiltration to data encryption. The graphic indicates that Cisco Umbrella protects users against several parts of this attack chain, including: phishing, malicious JS, IcedID DLL, Cobalt Strike beacon, and data exfiltration.

Description: Conti is a variant of ransomware spread through droppers in phishing emails. It was first observed in 2020 and affects all versions of Microsoft Windows.

Conti Spotlight: Conti ransomware is often the last stage of exploitation in a series of compromises of victim systems.

Infection typically begins with delivery of a malicious JavaScript file, zipped as an attachment to a phishing email. If run on a Windows system, an IcedID DLL is installed and the system starts beaconing to at least one C2 server. In reported infections, these C2 connections are the only activity for several days, until a Cobalt Strike beacon is installed. Within hours of that, threat actors have been observed using both the IcedID DLL and the Cobalt Strike payloads to explore the system, escalate privileges, move laterally, exfiltrate data, and finally encrypt all systems with AES-256 using Conti ransomware.

Conti is loaded directly into memory, avoiding writing anything to disk. Persistence for the IcedID DLL and Cobalt Strike beacons has been achieved by creating a local user and adding it to the Administrators group. Antivirus and endpoint detection software are typically disabled by modifying existing group policies.

Conti hinders analysis by resolving the functions it calls through encrypted hash values rather than plain-text names. While encrypting files, Conti continues attempting to connect to other systems over SMB.
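The persistence behaviour described above (a new local account that is immediately added to Administrators) is something a SOC can hunt for in Windows Security logs. The following is an added detection example, not code from the post or from Cisco: it correlates event 4720 (account created) with event 4732 (member added to a local group) on the same host, and the log lines are constructed with simplified field names.

```python
"""Correlate Windows Security events 4720 (user account created) and 4732 (member added
to a security-enabled local group) to flag a freshly created local account that is put
into Administrators within a short window. Added example; log lines are constructed."""
import json
from datetime import datetime, timedelta

# Constructed sample log: one JSON object per line, with field names simplified
# from the real 4720/4732 schemas (TargetUserName, MemberName, group TargetUserName).
SAMPLE_LOG = """\
{"time": "2021-08-10T02:14:05", "event_id": 4720, "host": "WS-17", "target_user": "svc_backup2"}
{"time": "2021-08-10T02:14:09", "event_id": 4732, "host": "WS-17", "member": "svc_backup2", "group": "Administrators"}
{"time": "2021-08-10T09:00:00", "event_id": 4720, "host": "WS-22", "target_user": "jdoe"}
{"time": "2021-08-10T09:30:00", "event_id": 4732, "host": "WS-22", "member": "jdoe", "group": "Remote Desktop Users"}
{"time": "2021-08-11T15:00:00", "event_id": 4732, "host": "WS-22", "member": "jdoe", "group": "Administrators"}
"""

def parse_events(text):
    """Parse JSON-lines events and sort them by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["time"] = datetime.fromisoformat(e["time"])
    return sorted(events, key=lambda e: e["time"])

def new_local_admins(events, window=timedelta(hours=1)):
    """Return (host, account, seconds) for each account that was created (4720) and then
    added to the local Administrators group (4732) on the same host within `window`.
    A user promoted a day after onboarding (jdoe) falls outside the window and is not flagged."""
    created = {}  # (host, account) -> creation time
    hits = []
    for e in events:
        if e["event_id"] == 4720:
            created[(e["host"], e["target_user"])] = e["time"]
        elif e["event_id"] == 4732 and e.get("group") == "Administrators":
            key = (e["host"], e["member"])
            if key in created and e["time"] - created[key] <= window:
                delta = int((e["time"] - created[key]).total_seconds())
                hits.append((e["host"], e["member"], delta))
    return hits

if __name__ == "__main__":
    for host, acct, secs in new_local_admins(parse_events(SAMPLE_LOG)):
        print(f"{host}: new local account {acct} added to Administrators {secs}s after creation")
```

Pair this with alerting on Group Policy changes that disable AV or EDR, which the post names as the other half of the actors' tradecraft.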

Target Geolocations: North America
Target Data: Any
Target Businesses: Corporations, Government
Exploits: N/A

MITRE ATT&CK for Conti
Initial Access: Phishing
Persistence: N/A
Execution: Command and Scripting Interpreter: Windows Command Shell, Native API
Evasion: Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection
Collection: N/A
Command and Control: N/A
Exfiltration: Exfiltration Over Web Service, Transfer Data to Cloud Account, Exfiltration Over C2 Channel

IOCs

Which Cisco Products Can Block
AMP
CWS
Network Security
Secure Network Analytics
Secure Cloud Analytics
Threat Grid
Cisco Umbrella
WSA


Threat Name: FormBook

Threat Type: Trojan
Delivery and Exfiltration:

A graphic showing the attack chain of FormBook Trojan attacks. The attack chain is as follows: malspam to weaponized document to URL shortener/online storage to powershell to downloads FormBook to C&C. The graphic indicates that Cisco Umbrella protects against malspam, URL shortener/online storage, downloads FormBook, and C&C.

Description: FormBook is a trojan information stealer spread through malspam carrying malicious document or archive attachments. It was first observed in 2016. It is sold under the malware-as-a-service (MaaS) model, which lowers the bar for cybercriminals to operate it.

FormBook Spotlight: The recent campaign still uses malspam as its initial access vector. However, the weaponized files have expanded from the previously observed PDF and Microsoft Office documents to include Microsoft PowerPoint. Malicious actors often abuse online storage platforms and collaboration apps to host the weaponized documents. The kill chain also uses embedded VBA scripts, which rely on URL shorteners to load malicious code via PowerShell. FormBook is capable of logging keystrokes, stealing clipboard contents, extracting data from HTTP sessions and network requests, and grabbing passwords from browsers and email clients. One of its significant features is duplicating the ntdll.dll module; this prevents analysts from identifying the APIs being called and renders API monitoring mechanisms ineffective. The malware can detect analysis environments such as sandboxes and the presence of debuggers. Its persistence method randomizes the path, filename, file extension, and registry key used for persistence.

FormBook can also execute commands from a command and control (C2) server. The commands include instructing the malware to download and execute files, start processes, shut down and reboot the system, and steal cookies and local passwords.

Target Geolocations: United States, South Korea
Target Data: User Credentials, Banking Information
Target Businesses: Manufacturing, Aerospace, and Others
Exploits: CVE-2017-0199, CVE-2017-11882, CVE-2017-8570

MITRE ATT&CK for FormBook
Initial Access: Malspam
Persistence: Registry Run Keys / Startup Folder, Hooking
Execution: Command and Scripting Interpreter: Windows Command Shell
Evasion: Obfuscated Files or Information, Virtualization/Sandbox Evasion, Process Injection
Collection: Man in the Browser, Screen Capture, Input Capture, Clipboard Data
Command and Control: N/A
Exfiltration: Exfiltration Over Command and Control Channel, Data Encrypted
References: Talos blog – FormBook

IOCs

Which Cisco Products Can Block
AMP
CWS
Network Security
Secure Network Analytics
Secure Cloud Analytics
Threat Grid
Cisco Umbrella
WSA


Threat Name: BazarLoader

Threat Type: Loader
Delivery and Exfiltration:

Graphic showing the attack chain for the BazarLoader attack. The attack chain is as follows: malspam to social engineering to downloads weaponized document to downloads BazarLoader to C&C. The graphic indicates that Cisco Umbrella protects against malspam, downloads weaponized document, downloads BazarLoader, and C&C.

Description: BazarLoader (also known as BazarBackdoor or Team9 Backdoor) is a malware family used by adversaries to gain a foothold in compromised enterprise networks. This malware strain uses C&C domains under the top-level domain .bazar. This TLD is provided by EmerDNS, a peer-to-peer decentralized domain name system in OpenNIC, which is designed to make it very difficult, if not impossible, for law enforcement to take over these domains. Once the C2 channel has been established, the loader injects its payload into a system process using the process hollowing technique. The loader creates a registry key to achieve persistence. After that, follow-up malware such as TrickBot is downloaded onto the compromised system.

BazarLoader Spotlight: A recent campaign dubbed BazarCall uses a very unusual method to deliver malware. The messages include a telephone number in the message body and claim that recipients have to unsubscribe from a trial of a service, otherwise their credit cards will be charged. The next part of the attack leads to a legitimate-looking website operated by the threat actors. When a user tries to unsubscribe, the page delivers a malicious Excel or Word document. This document invokes malicious scripts to download and execute one or more payload DLLs, which spawn a legitimate Windows component and inject the malware DLL into that process' memory space. The malware then proceeds to C&C activities, which include (but are not limited to) profiling, downloading additional payloads, executing PowerShell scripts, quitting, and deleting itself. As with other loaders, the presence of BazarLoader can lead to a highly dangerous infection with more sophisticated malware such as TrickBot.
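Because .bazar is served by an alternative root rather than ICANN, any query for such a name from a corporate resolver is itself a strong signal, regardless of the specific domain. The following is an added example (not code from the post or from Cisco Umbrella) that classifies resolver log lines by TLD; the log format and hostnames are constructed, and PUBLIC_TLDS is a small stand-in for the IANA root zone list.

```python
"""Flag DNS queries for names under TLDs that are not in the public ICANN root, such as
the EmerDNS/OpenNIC .bazar zone used for BazarLoader C2. Added example; the log lines
are constructed and PUBLIC_TLDS is a small stand-in for the IANA root zone list."""
import re
from collections import Counter

# Stand-in for the IANA root zone TLD list (the real list has roughly 1,500 entries).
PUBLIC_TLDS = {"com", "net", "org", "us", "xyz", "club", "cyou", "online", "info", "io"}
# Alternative-root zones a public resolver can never answer for; .bazar is the EmerDNS
# zone named in the post. Extend with other OpenNIC/EmerDNS zones as needed.
ALT_ROOT_TLDS = {"bazar"}

# Constructed resolver log format: timestamp client qtype qname rcode
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>\S+) (?P<qname>\S+) (?P<rcode>\S+)$")
SAMPLE_LOG = """\
2021-08-12T10:01:02 10.0.4.21 A www.example.com NOERROR
2021-08-12T10:01:07 10.0.4.21 A sydney-tours-example.bazar NXDOMAIN
2021-08-12T10:01:09 10.0.4.21 A sydney-tours-example.bazar NXDOMAIN
2021-08-12T10:02:30 10.0.4.33 A cdn.example.net NOERROR
2021-08-12T10:03:11 10.0.4.33 A intranet.corp.local NXDOMAIN
"""

def tld_of(qname):
    """Last label of a (possibly fully qualified) name, lower-cased."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()

def classify(qname):
    """'alt-root' for known alternative-root zones, 'unknown-tld' for anything else outside
    the public root (internal zones such as .local need their own allow-list), else 'ok'."""
    tld = tld_of(qname)
    if tld in ALT_ROOT_TLDS:
        return "alt-root"
    if tld not in PUBLIC_TLDS:
        return "unknown-tld"
    return "ok"

def suspicious_queries(text):
    """Return (client, qname, verdict) for each query whose TLD is outside the public root.
    On a standard resolver these fail with NXDOMAIN, so the attempt itself is the signal."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and (verdict := classify(m["qname"])) != "ok":
            hits.append((m["client"], m["qname"], verdict))
    return hits

def alt_root_clients(hits):
    """Count alt-root queries per client to prioritise hosts for investigation."""
    return Counter(client for client, _, verdict in hits if verdict == "alt-root")
```

Repeated NXDOMAIN answers for the same .bazar name from one client, as in the sample, are the pattern to page on; the .local hit shows why internal zones need an allow-list before this runs at scale.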

Target Geolocations: Any
Target Data: N/A
Target Businesses: Any
Exploits: N/A

MITRE ATT&CK for BazarLoader
Initial Access: Spearphishing Attachment, Spearphishing Link
Persistence: Registry Run Keys / Startup Folder, Startup Items
Privilege Escalation: Process Injection
Execution: Command-Line Interface, Execution Through API, Rundll32
Evasion: Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Process Injection, Virtualization/Sandbox Evasion, File Deletion, Modify Registry, Rundll32
Discovery: Account Discovery, Application Window Discovery, File and Directory Discovery, Process Discovery, Query Registry, Remote System Discovery, Security Software Discovery, System Information Discovery, System Time Discovery, System Owner/User Discovery, Virtualization/Sandbox Evasion
Command and Control: Standard Application Layer Protocol
References: Talos Blog – BazarLoader

IOCs
Domains

Which Cisco Products Can Block
Cisco Secure Endpoint
Cloud Web Security
Cisco Secure Email
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance
