Former members of the Conti cybercrime cartel were involved in five different campaigns targeting Ukraine from April to August 2022.
The findings, which come from Google’s Threat Analysis Group (TAG), build on an earlier report published in July 2022 detailing continued cyber activity targeting the Eastern European nation amid the Russo-Ukrainian war.
“UAC-0098 is a threat actor that has historically delivered the banking trojan IcedID, leading to human-operated ransomware attacks,” TAG researcher Pierre-Marc Bureau said in a report shared with The Hacker News.
“The attacker has recently focused on Ukrainian organizations, the Ukrainian government and European humanitarian and non-profit organizations.”
UAC-0098 is believed to have functioned as an initial access broker for ransomware groups such as Quantum and Conti (aka FIN12, Gold Ulrick or Wizard Spider), the former of which was taken over by Conti in April 2022.
One of the major campaigns undertaken by the group in June 2022 involved the abuse of the Follina vulnerability (CVE-2022-30190) in the Windows operating system to deploy CrescentImp and Cobalt Strike Beacons on targeted hosts in the media and critical infrastructure sectors.
But this appears to be only one in a series of attacks that began in late April 2022, when the group ran a phishing email campaign to deliver AnchorMail (aka LackeyBuilder), a variant of the TrickBot group’s AnchorDNS implant that uses SMTP for command-and-control.
Subsequent phishing campaigns distributing IcedID and Cobalt Strike were directed against Ukrainian organizations, repeatedly hitting the hospitality industry, some of which impersonated the National Cyber Police of Ukraine or representatives of Elon Musk and StarLink.
Around mid-May, UAC-0098 also allegedly used the compromised account of a hotel in India to send malware-laced attachments to organizations working in the hospitality industry in Ukraine, before expanding to humanitarian NGOs in Italy.
Similar attacks have also been seen against entities in the technology, retail, and government sectors, with the IcedID binary concealed as a Microsoft update to trigger the infection. The post-exploitation steps performed following a successful compromise have not been identified.
UAC-0098 is far from the only Conti-affiliated hacking group to have set its sights on Ukraine since the start of the war. In July 2022, IBM Security X-Force revealed that the TrickBot gang had orchestrated six different campaigns to systematically target the country with a plethora of malware.
“UAC-0098’s activities are representative examples of blurred lines between financially motivated and government-backed groups in Eastern Europe, illustrating a tendency for threat actors to alter their targeting to align with regional geopolitical interests,” Bureau said.
“The group demonstrates a keen interest in violating companies operating in the hotel industry in Ukraine, going so far as to launch several separate campaigns against the same hotel chains.”