Google says some former Conti ransomware gang members, now part of a threat group tracked as UAC-0098, are targeting Ukrainian organizations and European non-governmental organizations (NGOs).
UAC-0098 is an initial access broker known for using the IcedID banking trojan to provide ransomware groups with access to compromised systems within enterprise networks.
The company’s Threat Analysis Group (TAG), a dedicated team of security experts acting as a defense force for Google users from state-sponsored attacks, started tracking this threat group in April after detecting a phishing campaign that pushed the Conti-linked AnchorMail backdoor.
“In the initial encounter with UAC-0098, ‘lackeyBuilder’ was observed for the first time. This is a previously undisclosed builder for AnchorMail, one of the private backdoors used by the Conti groups,” Google TAG said.
“Since then, the actor consistently used tools and services traditionally employed by cybercrime actors for the purpose of acquiring initial access: IcedID trojan, EtterSilent malicious document builder, and the ‘Stolen Image Evidence’ social engineering malware distribution service.”
This group’s attacks were observed between mid-April to mid-June, with frequent changes in its tactics, techniques, and procedures (TTPs), tooling, and lures, while targeting Ukrainian orgs (such as hotel chains) and impersonating the National Cyber Police of Ukraine or representatives of Elon Musk and StarLink.
In subsequent campaigns, UAC-0098 was seen delivering IcedID and Cobalt Strike malicious payloads in phishing attacks targeting Ukrainian organizations and European NGOs.
Links to the Conti cybercrime group
Google TAG says its attribution is based on multiple overlaps between UAC-0098, Trickbot, and the Conti cybercrime group.
“Based on multiple indicators, TAG assesses some members of UAC-0098 are former members of the Conti cybercrime group repurposing their techniques to target Ukraine,” Google TAG added.
“TAG assesses UAC-0098 acted as an initial access broker for various ransomware groups including Quantum and Conti, a Russian cybercrime gang known as FIN12 / WIZARD SPIDER.
“UAC-0098 activities are representative examples of blurring lines between financially motivated and government backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests.”
The threat group’s activities detected and revealed today by Google also align with previous reports from IBM Security X-Force and CERT-UA, who also linked attacks on Ukrainian organizations and government entities to the TrickBot and Conti cybercrime gangs.
Conti is still around
The Russian-based Conti gang launched a ransomware operation in 2020, taking the place of the Ryuk ransomware group.
Over time, the gang grew into a cybercrime syndicate, taking over the development of multiple malware operations, including TrickBot and BazarBackdoor.
A Ukrainian security researcher leaked over 170,000 internal chat conversations belonging to the gang, together with the source code for the Conti ransomware encryptor, after Conti sided with Russia following its invasion of Ukraine.
While the group has since shut down the ‘Conti’ brand, the cybercrime syndicate continues to operate after splitting into smaller cells and infiltrating or taking over other ransomware or cybercrime operations.
Some ransomware gangs infiltrated by Conti members include BlackCat, Hive, AvosLocker, Hello Kitty, and the recently revived Quantum operation.
Other Conti members are now running their own data extortion operations that do not encrypt data, such as BlackByte, Karakurt, and the Bazarcall collective.
