Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

Former Conti ransomware members are now targeting Ukraine

Google has identified some former Conti cyber crime gang members, who are now part of a threat group tracked as UAC-0098, have been targeting Ukrainian organisations and European non-governmental organisations (NGOs).

user icon
Thu, 08 Sep 2022
Former Conti ransomware members are now targeting Ukraine
expand image

Google's Threat Analysis Group (TAG), a dedicated team of security experts acting as a defence force for Google users from state-sponsored attacks, began tracking this threat group in April after detecting a phishing campaign that pushed the Conti-linked AnchorMail backdoor.

"In the initial encounter with UAC-0098, 'lackeyBuilder' was observed for the first time," Google TAG said.

"This is a previously undisclosed builder for AnchorMail, one of the private backdoors used by the Conti groups."

============
============

"Since then, the actor consistently used tools and services traditionally employed by cyber crime actors for the purpose of acquiring initial access: IcedID Trojan, EtterSilent malicious document builder, and the 'Stolen Image Evidence' social engineering malware distribution service," Google TAG added.

This group's attacks were observed between mid-April to mid-June, with frequent changes in its tactics, techniques, and procedures (TTPs), tooling, and lures, while targeting Ukrainian organisations (such as hotel chains) and impersonating the National Cyber Police of Ukraine or representatives of Elon Musk and StarLink.

Google TAG has also observed in subsequent campaigns that UAC-0098 was seen delivering IcedID and Cobalt Strike malicious payloads in phishing attacks targeting Ukrainian organisations and European NGOs. Its attribution is based on multiple overlaps between UAC-0098, TrickBot, and the Conti cyber crime group.

"Based on multiple indicators, TAG assesses some members of UAC-0098 are former members of the Conti cyber crime group repurposing their techniques to target Ukraine.

"TAG assesses UAC-0098 acted as an initial access broker for various ransomware groups including Quantum and Conti, a Russian cyber crime gang known as FIN12 / WIZARD SPIDER.

"UAC-0098 activities are representative examples of blurring lines between financially motivated and government backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests," Google TAG further explained.

The threat group's activities detected and revealed by Google TAG also align with previous reports from IBM Security X-Force and CERT-UA, which also linked attacks on Ukrainian organisations and government entities to the TrickBot and Conti cyber crime gangs.

According to BleepingComputer reports, the Russian-based Conti gang launched a ransomware operation in 2020, taking the place of the Ryuk ransomware group.

Over time, the gang grew into a cyber crime syndicate, taking over the development of multiple malware operations, including TrickBot and BazarBackdoor.

While the group has since shut down the "Conti" brand, the cyber crime syndicate continues to operate after splitting into smaller cells and infiltrating or taking over other ransomware or cyber crime operations.

Some ransomware gangs infiltrated by Conti members include BlackCat, Hive, AvosLocker, Hello Kitty, and the recently revived Quantum operation.

A Ukrainian security researcher leaked over 170,000 internal chat conversations belonging to the gang, together with the source code for the Conti ransomware encryptor after Conti sided with Russia following its invasion of Ukraine.

Other Conti members are now running their own data extortion operations that do not encrypt data, such as BlackByte, Karakurt, and the Bazarcall collective.

[Related: archTIS to expand deployment of NC Protect across Defence]

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.