According to Google, some former members of the Conti cybercrime gang who are now associated with the threat group UAC-0098 aimed their attacks toward European and Ukrainian non-governmental groups (NGOs).
“Recently, the attacker has shifted their aim to Ukrainian organizations, the Ukrainian government, and European humanitarian and non-profit groups.” According to the TAG report, “UAC-0098 operated as an initial access broker for different ransomware gangs including Quantum and Conti, a Russian cybercrime gang known as FIN12 / WIZARD SPIDER.”
The TAG team began monitoring this threat group in April after discovering a phishing effort that spread the AnchorMail (referred to as “LackeyBuilder”) backdoor linked to Conti group.
“Since then, the actor consistently used tools and services traditionally employed by cybercrime actors for the purpose of acquiring initial access: IcedID trojan, EtterSilent malicious document builder, and the ‘Stolen Image Evidence’ social engineering malware distribution service.”
This group targeted Ukrainian organizations from mid-April to mid-June, with regular modifications in its tactics, methods, and procedures (TTPs), tools, and lures. UAC-0098 started a new campaign on May 11th, 2022, targeted at hospitality companies. The infected emails’ content was designed to persuade the recipient to click on an attached link while posing as the National Cyber Police of Ukraine.
“The UAC-0098 activity was then identified in another email campaign delivering IcedID and Cobalt Strike. On April 13, at least three Excel files were sent as attachments to Ukrainian organizations”
UAC-0098 malware payloads are delivered via a file-sharing website. Source: Google TAG
The attribution is predicated on many overlaps between UAC-0098, Trickbot, and the Conti threat actors gang, according to Google TAG.
UAC-0098 activities are representative examples of blurring lines between financially motivated and government backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests.” concludes Google TAG
The operations of the threat group, which Google discovered and made public are consistent with IBM Security X-Force and CERT-UA findings as well, which also connected the TrickBot and Conti cybercrime gangs to attacks on Ukrainian companies and government institutions.