Ex-members of the Conti ransomware gang target Ukraine

Some former members of the Conti ransomware gang were involved in financially motivated attacks targeting Ukraine from April to August 2022.

Researchers from Google’s Threat Analysis Group (TAG) reported that some former members of the Conti cybercrime group were involved in five different campaigns targeting Ukraine between April and August 2022. The activities overlap with operations attributed to a group tracked by CERT-UA as UAC-0098.

UAC-0098 historically delivered the IcedID trojan to gain an initial foothold in target networks before deploying human-operated ransomware.

“The attacker has recently shifted their focus to targeting Ukrainian organizations, the Ukrainian government, and European humanitarian and non-profit organizations. TAG assesses UAC-0098 acted as an initial access broker for various ransomware groups including Quantum and Conti, a Russian cybercrime gang known as FIN12 / WIZARD SPIDER.” reads the TAG’s report.

TAG started monitoring UAC-0098 after detecting, in late April 2022, a phishing campaign delivering AnchorMail (referred to as “LackeyBuilder”), a backdoor developed by the Conti group that had previously been installed as a TrickBot module.

“The campaign stood out because it appeared to be both financially and politically motivated. It also seemed experimental: instead of dropping AnchorMail directly, it used LackeyBuilder and batch scripts to build AnchorMail on the fly,” continues the report. “The UAC-0098 activity was then identified in another email campaign delivering IcedID and Cobalt Strike. On April 13, at least three Excel files were sent as attachments to Ukrainian organizations.”

On May 11, 2022, UAC-0098 launched another campaign aimed at organizations in the hospitality industry. The malicious emails impersonated the National Cyber Police of Ukraine, and their content was crafted to trick the recipient into clicking an embedded link.

In June 2022 the group launched another campaign that relied on the Follina (CVE-2022-30190) exploit to deploy CrescentImp and Cobalt Strike Beacons on systems of media and critical infrastructure organizations.
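Follina abuse leaves a distinctive process-creation trail: an Office host (or the ms-msdt: protocol handler launched from elsewhere) spawns msdt.exe with the ms-msdt: scheme on its command line. The detection below is an added example, not code from the article or from TAG; it runs over a handful of constructed Sysmon-style process-creation events (not real telemetry from the campaign) and flags both the Office-to-msdt parent/child relationship and the URI scheme, so a sample delivered outside an Office host is still caught by the second check.

```python
import json
import ntpath
import re

# Office hosts that have no legitimate reason to spawn the Microsoft Support
# Diagnostic Tool; any msdt.exe child of these is worth an alert on its own.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# CVE-2022-30190 drives msdt.exe through the ms-msdt: protocol handler, so the
# scheme shows up on the msdt command line regardless of which parent launched it.
MSDT_URI_RE = re.compile(r"ms-msdt:", re.IGNORECASE)

# Constructed sample events in the shape of Sysmon Event ID 1 (process create)
# records serialised as JSON lines. Paths and command lines are illustrative
# assumptions for this example, not captured telemetry.
SAMPLE_LOG = r"""
{"ProcessId": 4120, "Image": "C:\\Windows\\System32\\msdt.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "\"C:\\Windows\\System32\\msdt.exe\" ms-msdt:/id PCWDiagnostic /skip force /param \"IT_BrowseForFile=$(Invoke-Expression('calc.exe'))\""}
{"ProcessId": 4388, "Image": "C:\\Windows\\System32\\msdt.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "msdt.exe /id NetworkDiagnosticsWeb"}
{"ProcessId": 4902, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "cmd.exe /c whoami"}
{"ProcessId": 5308, "Image": "C:\\Windows\\System32\\msdt.exe", "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "\"C:\\Windows\\System32\\msdt.exe\" ms-msdt:/id PCWDiagnostic /skip force"}
"""


def parse_events(log_text):
    """Turn JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def detect_follina(events):
    """Return msdt.exe launches that look like CVE-2022-30190 exploitation.

    Each hit records the process id, the (lower-cased) parent image name and
    the list of rules that fired, in the order the rules are evaluated.
    """
    hits = []
    for ev in events:
        # ntpath handles Windows separators even when this runs on a non-Windows host.
        image = ntpath.basename(ev.get("Image", "")).lower()
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        cmdline = ev.get("CommandLine", "")
        if image != "msdt.exe":
            continue  # other Office child processes are a different detection
        reasons = []
        if parent in OFFICE_PARENTS:
            reasons.append("office-spawned-msdt")
        if MSDT_URI_RE.search(cmdline):
            reasons.append("ms-msdt-uri")
        if reasons:
            hits.append({"ProcessId": ev.get("ProcessId"), "parent": parent, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect_follina(parse_events(SAMPLE_LOG)):
        print(f"pid={hit['ProcessId']} parent={hit['parent']} reasons={','.join(hit['reasons'])}")
```

Of the four constructed events, only the two msdt.exe launches carrying the ms-msdt: scheme are flagged; the Explorer-launched network troubleshooter is left alone, as is the Excel-to-cmd.exe event, which is suspicious for other reasons but is not a Follina indicator. Raising on the URI scheme alone, not just the Office parent, matters because the protocol handler can be reached from hosts other than Word or Excel.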

“UAC-0098 activities are representative examples of blurring lines between financially motivated and government backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests.” concludes TAG. “In the activity observed following April 2022, the group’s targeting wildly varied from European NGOs to less targeted attacks on Ukrainian government entities, organizations and individuals.”


Pierluigi Paganini
