Former members of the Russia-linked Conti ransomware gang have shifted their tactics to join an Initial Access Broker (IAB) that has targeted Ukraine in a series of phishing campaigns unfolding over the past four months.
Google Threat Analysis Group (TAG) has been tracking recent activity by a group it identifies as UAC-0098, which researchers say now includes former members of the notorious ransomware actor.
As Pierre-Marc Bureau of TAG wrote in a blog post released on Wednesday, UAC-0098 – historically known for delivering the IcedID banking trojan as a prelude to human-operated ransomware attacks – has in recent months acted specifically against Ukrainian organizations, the Ukrainian government, and pro-Ukrainian humanitarian and non-profit organizations in Europe.
The objective of the activity was to sell persistent access to the networks of these targets to various ransomware groups, including Quantum and Conti (aka FIN12 or Wizard Spider).
UAC-0098’s latest campaigns demonstrate a shift in focus towards politically motivated actions, reflecting the group’s affiliation with Conti and, unsurprisingly, its support for Russian military actions against Ukraine, notes Tom Kellermann, CISM and senior vice president of cyber strategy at Contrast Security.
“Conti’s recent involvement in the war illustrates not only its patriotism towards Russia, but also its need to pay tribute to the regime,” he said in an email to Dark Reading.
Google TAG uncovered five distinct phishing campaigns that ran from April to August, using tools and tactics previously attributed to Conti. The threat actors impersonated several well-known entities to trick victims into downloading malware via typical phishing lures, with the aim of providing ransomware groups with access for further threat activity.
The first campaign linking UAC-0098 to Conti caught TAG’s attention in late April, when researchers identified attacks spreading AnchorMail, also known as “LackeyBuilder”. AnchorMail, developed by Conti and previously deployed as a TrickBot module, is a version of the Anchor backdoor that uses Simple Mail Transfer Protocol Secure (SMTPS) for command-and-control (C2) communication.
“The campaign stood out because it appeared to be both financially and politically motivated,” Bureau wrote in the post. “It also felt experimental: instead of dropping AnchorMail directly, it used LackeyBuilder and batch scripts to build AnchorMail on the fly.”
Researchers also identified UAC-0098 activity in another email campaign earlier that month that delivered IcedID and Cobalt Strike as attachments to Ukrainian organizations. This initial phase of the group’s Conti-related activity took place between mid-April and mid-June and was primarily aimed at hotels in Ukraine.
Another phishing attack occurred on May 11, when UAC-0098 targeted Ukrainian organizations in the hospitality industry with phishing emails impersonating the National Cyber Police of Ukraine. The emails contained a download link inviting the targets to use it to update their operating systems; the link led to a PowerShell script that retrieved and ran IcedID.
On May 17, UAC-0098 used a compromised hotel account in India to re-send phishing emails to Ukrainian hotel organizations, researchers said. The emails included an attached .ZIP archive containing a malicious .XLL file that downloaded a variant of IcedID.
That same day, the same compromised account was also used to target humanitarian non-governmental organizations (NGOs) in Italy, delivering IcedID as an .MSI file through the anonymous file-sharing service dropfiles[.]me.
Two days later, in a separate fourth campaign, UAC-0098 impersonated representatives of Elon Musk and his StarLink satellite service, using the address “[email protected][.]info” to send phishing emails claiming to provide software needed to connect to the Internet via StarLink satellites. The email included a link to an .MSI installer delivering IcedID, downloaded from the attacker-controlled domain “starlinkua[.]info”.
Four days later, a similar attack targeted a wider range of Ukrainian organizations operating in the tech, retail and government sectors using the same IcedID binary with a filename that looked like an update from Microsoft, researchers said.
The latest UAC-0098 phishing campaign discovered by TAG took place on May 24 and targeted the Ukrainian Press Academy with a phishing email containing a Dropbox link to a malicious Excel document. The document directly retrieved a Cobalt Strike file from an IP address previously used to deliver IcedID payloads during the campaign against Italian NGOs on May 17, researchers said.
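The lure patterns in the campaigns above (a brand-lookalike sender domain, an .XLL inside an archive, an .MSI or PowerShell download link, an Excel document served from a file-sharing site) can be turned into a simple triage check over email-gateway metadata. This is an added example, not code from Google TAG or the article; the email records, domains and the known-good sender allowlist are constructed for illustration and are not the article’s indicators.

```python
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample of email-gateway metadata shaped like the lures above.
# All domains are made up; none are indicators from the article.
SAMPLE_EMAILS: List[Dict] = [
    {"id": 1, "sender_domain": "cyberpolice-update.example", "attachments": [],
     "urls": ["https://cyberpolice-update.example/os-update.ps1"]},
    {"id": 2, "sender_domain": "hotel.example.in",
     "attachments": ["invoice.zip", "invoice.zip/report.xll"], "urls": []},
    {"id": 3, "sender_domain": "starlinkua.example", "attachments": [],
     "urls": ["https://starlinkua.example/setup.msi"]},
    {"id": 4, "sender_domain": "colleague.example", "attachments": ["agenda.xlsx"],
     "urls": ["https://dropbox.example/s/abc/agenda.xlsm"]},
    {"id": 5, "sender_domain": "partner.example", "attachments": ["minutes.docx"],
     "urls": ["https://partner.example/minutes"]},
]

BRANDS = ("starlink", "cyberpolice")      # brands impersonated in the campaigns
KNOWN_GOOD_SENDERS = {"starlink.com"}     # assumed allowlist of legitimate brand domains
FILE_SHARING_HOSTS = ("dropbox", "dropfiles")
OFFICE_EXT = (".xls", ".xlsx", ".xlsm")


def lure_indicators(email: Dict) -> List[str]:
    """Return the sorted names of the lure patterns one email record matches."""
    hits = set()
    sender = email["sender_domain"].lower()
    # Brand keyword in a sender domain that is not the brand's real domain.
    if any(b in sender for b in BRANDS) and sender not in KNOWN_GOOD_SENDERS:
        hits.add("brand-lookalike-sender")
    # Excel add-in (.XLL) attached directly or nested inside an archive.
    if any(name.lower().endswith(".xll") for name in email["attachments"]):
        hits.add("xll-attachment")
    for url in email["urls"]:
        parsed = urlparse(url)
        path, host = parsed.path.lower(), (parsed.hostname or "").lower()
        if path.endswith(".msi"):
            hits.add("msi-download-link")
        elif path.endswith(".ps1"):
            hits.add("script-download-link")
        elif any(s in host for s in FILE_SHARING_HOSTS) and path.endswith(OFFICE_EXT):
            hits.add("office-doc-via-file-share")
    return sorted(hits)


def triage(emails: List[Dict]) -> Dict[int, List[str]]:
    """Map each email id to its indicators, keeping only emails with at least one."""
    flagged = {e["id"]: lure_indicators(e) for e in emails}
    return {eid: hits for eid, hits in flagged.items() if hits}
```

These heuristics are coarse by design: they surface candidates for analyst review rather than block mail, and the allowlist must be maintained with verified brand domains.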
Conti’s notorious past
Conti, a ransomware group active since late 2019, ceased operations as a formal entity in May. However, its members carried on its cybercriminal legacy, remaining as active as ever, either as part of other ransomware groups or as independent contractors focused on data theft, initial network access and other criminal activities.
In its heyday, Conti was known as one of the most dangerous and ruthless ransomware groups in the world. One of its last acts, in fact, so paralyzed the government of Costa Rica that the country was forced into a state of emergency.
Although linked to Russia, Conti had previously flip-flopped in its support for the Russian invasion of Ukraine, initially voicing support on its data leak site at the start of the conflict before issuing a retraction condemning “the ongoing war”. Soon after, the group stated that it would take “retaliatory action” if the West launched cyberattacks against Russia or Russian-speaking countries.
The latest alignment with UAC-0098 now seems to show that at least some former Conti members are backing Russia again. It also demonstrates a blurring of lines between financially motivated and government-backed groups in Eastern Europe, “illustrating a tendency for threat actors to alter their targeting to align with regional geopolitical interests,” Bureau noted.
Another group that has notably turned against Ukraine is TrickBot, which IBM researchers said in July had systematically attacked Ukrainian targets over the previous three months. Over the years, TrickBot has evolved from a banking Trojan into an initial access broker and distributor of several ransomware and malware tools, including the Conti and Ryuk ransomware and the Emotet Trojan.