Google Specialists Said That Former Members of Conti Are Attacking Ukrainian Organizations

former members of Conti
Written by Emma Davis

Google Threat Analysis Group (TAG) experts reported that some of the former members of the Conti hack group, are now part of the UAC-0098 group, are attacking Ukrainian companies and organizations, as well as European non-governmental organizations.

Let me remind you that we talked about the fact that Conti ransomware operators “earned” at least $ 25.5 million since July 2021, and also that The source codes of the malware hack group Conti leaked to the network.

Experts say that UAC-0098 is an access broker known for using the IcedID banking trojan to provide ransomware groups with access to compromised systems.

TAG has been monitoring the activity of UAC-0098 since April of this year, after discovering a phishing campaign that distributed the AnchorMail backdoor (a variant of the Anchor backdoor developed by Conti, which was previously installed as a TrickBot module) associated with Conti.

When we encountered UAC-0098, lackeyBuilder was first discovered. This is a previously unknown builder of AnchorMail, one of the private backdoors used by Conti. Since then, attackers have consistently used the tools and services traditionally used by criminals to gain initial access: the IcedID trojan, the EtterSilent malicious document builder, and the Stolen Image Evidence service for spreading malware through social engineering.analysts say.

The group’s attacks were observed from mid-April to mid-June, and the attackers often changed tactics and baits. Experts say that the attacks affected various Ukrainian organizations (for example, hotel chains), and hackers pretended to be either the National Cyber Police of Ukraine or representatives of Elon Musk and StarLink.

In subsequent campaigns targeting Ukrainian organizations and European NGOs, UAC-0098 distributed IcedID and Cobalt Strike payloads through phishing attacks.

The researchers state that the attribution of the attacks is based on numerous overlaps between the tactics of UAC-0098, Trickbot and Conti.

Based on several indicators, TAG believes that some members of UAC-0098 are former members of the Conti cybercrime group who have repurposed their methods to attack Ukraine. TAG believes that UAC-0098 is acting as an initial access broker for various ransomware groups, including Quantum and Conti, a Russian-speaking criminal group known as FIN12/WIZARD SPIDER.the company's report reads.

According to the researchers, the activities of UAC-0098 are a prime example of how the lines between financially motivated and “government” attacks are blurred, and hackers can change their goals “to meet regional geopolitical interests.”

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply