November 24, 2024

Former members of the Conti cybercrime cartel have been implicated in five different campaigns targeting Ukraine from April to August 2022.

The findings, which come from Google’s Threat Analysis Group (TAG), builds upon a prior report published in July 2022, detailing the continued cyber activity aimed at the Eastern European nation amid the ongoing Russo-Ukrainian war.

“UAC-0098 is a threat actor that historically delivered the IcedID banking trojan, leading to human-operated ransomware attacks,” TAG researcher Pierre-Marc Bureau said in a report shared with The Hacker News.

“The attacker has recently shifted their focus to targeting Ukrainian organizations, the Ukrainian government, and European humanitarian and non-profit organizations.”

UAC-0098 is believed to have functioned as an initial access broker for ransomware groups such as Quantum and Conti (aka FIN12, Gold Ulrick, or Wizard Spiker), the former of which was subsumed by Conti in April 2022.

One of the prominent campaigns undertaken by the group in June 2022 entailed the abuse of Follina vulnerability (CVE-2022-30190) in the Windows operating system to deploy CrescentImp and Cobalt Strike Beacons on to targeted hosts in media and critical infrastructure entities.

But this appears to be a part of a series of attacks that commenced way back in late April 2022, when the group conducted an email phishing campaign to deliver AnchorMail (aka LackeyBuilder), a variant of the TrickBot group’s AnchorDNS implant that uses SMTP for command-and-control.

Subsequent phishing campaigns distributing IcedID and Cobalt Strike have been directed against Ukrainian organizations, repeatedly striking the hospitality sector, some of which impersonated the National Cyber Police of Ukraine or representatives of Elon Musk and StarLink.

Around mid-May, UAC-0098 is also said to have leveraged a compromised account of a hotel in India to send malware-laced attachments to organizations working in the hospitality industry in Ukraine, before expanding to humanitarian NGOs in Italy.

Similar attacks have also been observed against entities in the technology, retail and government sectors, with the IcedID binary concealed as a Microsoft update to trigger the infection. Post-exploitation steps carried out following a successful compromise have not been identified.

UAC-0098 is far from the only Conti-affiliated hacking group to set its sights on Ukraine since the onset of the war. In July 2022, IBM Security X-Force disclosed that the TrickBot gang orchestrated six different campaigns to systematically target the country with a plethora of malware.

“UAC-0098 activities are representative examples of blurring lines between financially motivated and government backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests,” Bureau said.

“The group demonstrates strong interest in breaching businesses operating in the hospitality industry of Ukraine, going as far as launching multiple distinct campaigns against the same hotel chains.”