Google Threat Analysis Group (TAG) experts report that former members of the Conti ransomware group, now operating as part of the group tracked as UAC-0098, are attacking Ukrainian companies and organizations as well as European non-governmental organizations.
As we previously reported, Conti ransomware operators "earned" at least $25.5 million since July 2021, and the source code of the Conti malware was leaked online.

Experts say that UAC-0098 is an initial access broker known for using the IcedID banking trojan to provide ransomware groups with access to compromised systems.
TAG has been monitoring UAC-0098 activity since April of this year, after discovering a phishing campaign that distributed the AnchorMail backdoor, a variant of the Conti-developed Anchor backdoor that was previously deployed as a TrickBot module.
The group's attacks were observed from mid-April to mid-June, with the attackers frequently changing tactics and lures. Experts say the attacks affected various Ukrainian organizations (for example, hotel chains), and the attackers impersonated either the National Cyber Police of Ukraine or representatives of Elon Musk and StarLink.
In subsequent campaigns targeting Ukrainian organizations and European NGOs, UAC-0098 distributed IcedID and Cobalt Strike payloads through phishing attacks.
The researchers state that attribution of the attacks is based on numerous overlaps between the tactics, techniques and procedures of UAC-0098, TrickBot and Conti.
According to the researchers, the activity of UAC-0098 is a prime example of how the line between financially motivated and "government" attacks is blurring, with attackers shifting their targets "to meet regional geopolitical interests."