Emerging Threats

ThreatLabz April 2022 Report: Conti attacks, BlackGuard sells, Spring springs a leak, and FFDroider gets social

Apr 25, 2022
ThreatLabZApril 2022 Report

In the past month, the Zscaler ThreatLabZ security research team has documented a resurrection of Conti ransomware attacks, the arrival of a new info-stealer dubbed BlackGuard, the appearance of vulnerabilities in the Spring Cloud Framework, and the distribution of malware targeting social-media account credentials.

Despite leak of its source code, Conti ransomware group continues attacks

In late February, a hacker released source code and chat logs associated with the Conti threat group, allegedly in retaliation for Russia’s attack on Ukraine. Though the leak has exposed the code of the Conti group’s ransomware variants, it has not slowed the gang’s criminal efforts, and it has continued to attack organizations and conduct business as usual.

The ThreatLabZ team has reviewed those variants and reverse-engineered the latest iteration of Conti ransomware, one we first tracked in January. Conti’s most recent updates include improved file encryption, new techniques to better evade security software, and a streamlined ransom payment process.

Command-Line Argument



Previously used to log ransomware actions; this functionality has been removed, but the command-line switch remains an artifact from the previous version


Start encryption using the specified path as the root directory


Size parameter for large file encryption


Encryption mode local (disks) or net (network shares); the all and backups options were removed


Log in to Windows Safe Mode as the specified user


Log in to Windows Safe Mode as the user with the corresponding password


Force reboot the system and launch Conti in Windows Safe Mode


Disable Windows Safe Mode and reboot the system (used after file encryption occurs in Windows Safe Mode)


Previously used to prevent the creation of a mutex; currently unused

Table 1. Conti command-line arguments updated in January 2022


When activated on a victimized Windows machine, Conti reboots the system in Windows Safe Mode, enables networking, and then starts encrypting files. Booting in safe mode limits the number of applications (like a business database, for example) running in the background. Also, Windows Safe Mode typically launches without turning on security or antivirus applications. The safe-mode approach isn’t new (REvil and BlackMatter have employed it), but it allows the ransomware to encrypt more files and elude detection.

It’s not yet clear how the source-code leaks will affect Conti’s malware, but it doesn’t appear to have yet interfered with the group’s ransomware campaign operations. ThreatLabZ expects the Conti gang to further update the malware and potentially rebrand as the source code leaks have damaged its reputation. Another threat: Other criminal groups may seek to save on malware development and just fork the Conti source code.

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.

Read ThreatLabZ detailed analysis of the Conti ransomware variant here.

New “BlackGuard” info-stealer offered for sale in Russian hacking forums

There are several hacking forums that serve as underground marketplaces where cybercriminals buy, rent, and sell all kinds of malicious illegal products, including software, trojans, stealers, exploits, and leaked credentials.

As part of its security research, the Zscaler ThreatLabZ team documents criminal activities in dark-web hacking forums. Recently, we discovered a Malware-as-a-Service (MaaS) offering called “BlackGuard”, a sophisticated infostealer, being openly distributed via Russian hacking forums. Aspiring threat actors can purchase lifetime access to Blackguard for only USD $700, or can subscribe for USD $200 per month.

BlackGuard acts as an information stealer and has the capability to steal all types of data related to Crypto wallets, VPN, Messengers, FTP credentials, saved browser credentials, and email clients.

"BlackGuard Info-stealer"

Figure 2. Russian hacking forum thread promoting the BlackGuard stealer

BlackGuard is in active development on the .NET platform. It employs these key capabilities:

  • Anti-detection: Once executed, it checks and kills the processes related to antivirus and sandbox.
  • String Obfuscation: The stealer contains a hardcoded array of bytes which is decoded in runtime to ASCII strings followed by base64 decoding. This allows it to bypass antivirus and string-based detection.
  • Anti-CIS: BlackGuard checks for the infected device country by sending a request to “http://ipwhois.app/xml/” and exits itself if the device is located in the Commonwealth of Independent States (CIS).
  • Anti-Debug: BlackGuard uses user32!BlockInput() which can block all mouse and keyboard events in order to disrupt attempts at debugging.
  • Stealing Function: After all the checks are completed, the stealer function gets called which collects information from various browsers, software, and hardcoded directories.
  • Browsers: BlackGuard steals credentials from Chrome- and Gecko-based browsers using the static path. It has the capability to steal history, passwords, autofill information, and downloads.
  • Cryptocurrency Wallets: BlackGuard supports the stealing of wallets and other sensitive files related to crypto wallet applications.
  • Crypto Extensions: This stealer also targets crypto wallet extensions installed in Chrome and Edge with hardcoded extension IDs.
  • C2 Exfiltration: After collecting the information, BlackGuard creates a .zip of all the files and sends it to the C2 server through a POST request along with the system information like Hardware ID and country.

While its focus might be narrow, BlackGuard represents a growing threat. The threat group behind it continues active development, and the MaaS-based malware offering is gaining a strong reputation in the underground community. To combat BlackGuard and similar infostealer malware, we recommend security teams inspect all traffic and use malware prevention tools that include both IPS (for known threats) and sandboxing capabilities (for unknown threats). 

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.

Read ThreatLabZ detailed analysis of the BlackGuard malware here.

Two new vulnerabilities discovered in the Spring Cloud Framework

Spring Cloud is a module of the open-source Spring Cloud Framework, a rapid-application development environment for cloud apps. In the last month, both have been flagged for remote-code execution (RCE) vulnerabilities.

The two issues are the Spring Expression Resource Access Vulnerability (tracked as CVE-2022-22963) and the Spring4Shell or SpringShell vulnerability (tracked as CVE-2022-22965).

The Spring Expression Resource Access Vulnerability can be found in Spring Cloud Function versions 3.1.6 and 3.2.2 or prior. It has been classified as a medium severity issue, but the extent of its impact is not yet known. When exploited, the Spring Expression Resource Access Vulnerability can provide access to critical systems/resources to the unauthenticated adversary. 

The Spring4Shell or SpringShell vulnerability is more serious, and has been logged as a critical severity issue. When exploited, it can lead to remote-code execution in the Spring Cloud Framework via data binding on JDK 9+. Concerningly, this vulnerability can be easily exploited via a simple crafted HTTP request sent to a vulnerable server. 

Zscaler’s ThreatLabZ team has deployed protection for all known POCs for these vulnerabilities. The Spring Foundation has released new Spring Cloud Framework versions 3.1.7 and 3.2.3 to patch these vulnerabilities. Zscaler strongly recommends Spring Cloud Framework developers upgrade to these versions immediately.

Zscaler Zero Trust Exchange Coverage:  Zscaler Private Access with Application Security, Advanced Threat Protection, SSL Inspection

Read the detailed ThreatLabZ analysis of the two Spring Cloud Framework vulnerabilities here.

FFDroider Stealer Targeting Social Media Platform Users

A new malware strain disguises itself as the freeware “Telegram” messaging application. The Zscaler ThreatLabZ discovered the info-stealer, and has named it Win32.PWS.FFDroider for its creation of a registry key called “FFDroider.”

ThreatLabZ has observed many recent campaigns related to the FFDroider stealer. It arrives on a targeted system via the compromised URL download.studymathlive[.]com/normal/lilay.exe. The malware is hidden in a malicious program embedded into cracked versions of installers and freeware. It runs on Chrome, Firefox, Internet Explorer, and Microsoft Edge browsers.

"FFDroider attack cycle"

Figure 3. FFDroider attack cycle

ThreatLabZ documented key characteristics of the FFDroider malware:

  • Steals cookies and credentials from the victim’s machine
  • Targets e-commerce and social media platforms including Facebook, Instagram, Amazon, eBay, Etsy, and Twitter
  • Signs into victims' accounts using stolen cookies and extracts account information 
  • Leverages inbound white-listing rules in Windows Firewall allowing the malware to be copied at desired location
  • Increments infection count via iplogger.org 

Interestingly enough, we discovered a “debug state” left in the code by its developers. If the filename at the time of execution is “test.exe,”  then the malware goes into its debug state and pops up messages with every loop, then prints out the stolen cookies and the final JSON body which is sent to the command-and-control (C2) server.

The Zscaler ThreatLabZ team continues to monitor FFDroider campaigns, as well as related attacks.

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.

Read the ThreatLabZ team’s detailed analysis of FFDroider here.

What to read next:

ThreatLabz March 2022 Report: Everything to know about the Okta breach, cyberattacks stemming from the Russia-Ukraine conflict

ThreatLabZ February 2022 Report: Molerats APT attacks, Formbook rebrands as Xloader, and repelling Log4j threats with Zero Trust

ThreatLabZ December 2021 Report: Holiday shoppers targeted, Log4j hits Apache installs, Cloud (In)Security, and DarkHotel resurfaces