Former members of the Russia-linked Conti ransomware gang are repurposing their tactics to join in with an initial access broker (IAB) that's been targeting Ukraine in a series of phishing campaigns that occurred over a recent four-month span.
Google Threat Analysis Group (TAG) has been tracking recent activity of a group it identifies as UAC-0098, which researchers think now includes former members of the notorious ransomware actor.
As TAG's Pierre-Marc Bureau wrote in a blog post published Wednesday, UAC-0098 — historically known for delivering the IcedID banking Trojan as a prelude to human-operated ransomware attacks — in recent months has acted specifically against Ukrainian organizations, the government of Ukraine, and pro-Ukraine European humanitarian and nonprofit organizations.
The activity's goal has been to sell persistent access into such targets' networks to various ransomware groups, including Quantum and Conti (aka FIN12 or Wizard Spider).
UAC-0098's latest campaigns demonstrate a shift in focus to politically motivated actions, reflecting the group's affiliation with Conti and, unsurprisingly, its support of Russia's military actions against Ukraine, notes Tom Kellermann, CISM and senior vice president of cyber strategy at Contrast Security.
"Conti's recent engagement in the war illustrates not only their patriotism to Russia but their need to pay homage to the regime," he said in an email to Dark Reading.
Making the Connection
Google TAG discovered five separate and specific phishing campaigns that occurred from April to August, using tools and tactics previously identified with Conti. Threat actors impersonated several known entities to lure victims into downloading malware using typical phishing tactics to give ransomware groups access for further threat activity.
The first campaign that linked UAC-0098 to Conti caught TAG's attention in late April, when researchers identified attacks delivering AnchorMail, also referred to as "LackeyBuilder." AnchorMail, developed by Conti and previously installed as a Trickbot module, is a version of the Anchor backdoor that uses the simple mail transfer protocol (SMTPS) for command-and-control (C2) communication.
"The campaign stood out because it appeared to be both financially and politically motivated," Bureau wrote in the post. "It also seemed experimental: instead of dropping AnchorMail directly, it used LackeyBuilder and batch scripts to build AnchorMail on the fly."
Researchers also identified UAC-0098 activity in another email campaign that occurred earlier in the month to deliver IcedID and Cobalt Strike as attachments to Ukrainian organizations. This particular initial phase of the group's Conti-linked activity occurred between mid-April to mid-June, and primarily targeted hotels in the Ukraine.
Another phishing attack occurred on May 11 when UAC-0098 targeted Ukrainian organizations in the hospitality industry with phishing emails impersonating the National Cyber Police of Ukraine. The emails contained a download link urging targets to use it to update their operating systems; the link generated a PowerShell script to fetch and execute IcedID.
On May 17, UAC-0098 used a compromised account of a hotel in India to send phishing emails again to Ukrainian hospitality organizations, researchers said. The emails included an attached .ZIP archive containing a malicious .XLL file that downloaded a variant of IcedID.
On that day, the same compromised account also was used to target humanitarian nongovernmental organizations (NGOs) in Italy, delivering IcedID as an .MSI file through the anonymous file sharing service dropfiles[.]me.
Two days later in a fourth separate campaign, UAC-0098 impersonated representatives of Elon Musk and his StarLink satellite service using the address "[email protected][.]info" to send phishing emails claiming to deliver software required to connect to the Internet using StarLink satellites. The email included a link to an .MSI installer dropping IcedID, downloaded from the attacker-controlled domain, "starlinkua[.]info."
Four days later, a similar attack targeted a wider range of Ukrainian organizations operating in the technology, retail, and government sectors using the same IcedID binary with a file name that resembled a Microsoft update, researchers said.
The last phishing campaign by UAC-0098 uncovered by TAG occurred on May 24, and targeted the Academy of Ukrainian Press with a phishing email containing a Dropbox link to a malicious Excel document. The document directly fetched a Cobalt Strike file from an IP address previously used to deliver IcedID payloads in the campaign against the Italian NGOs on May 17, researchers said.
Conti's Notorious Past
Conti, a ransomware group active since late 2019, ceased operations as a formal entity in May. However, its members have carried on its cybercriminal legacy, remaining as active as ever either as part of other ransomware groups or as independent contractors focused on data theft, initial network access, and other criminal endeavors.
In its heyday, Conti was known as one of the most dangerous and ruthless ransomware groups in the world; one of its last acts, in fact, so crippled the government of Costa Rica that the country was forced into a state of emergency.
Though linked to Russia, Conti previously had flip-flopped in its support of Russia's invasion of Ukraine, initially showing support on its data leak site early in the conflict before issuing a retraction that condemned "the ongoing war." The group then noted in a statement soon after that it would take "retaliatory measures" if the West launched cyberattacks against Russia or Russian-speaking countries.
The latest alignment with UAC-0098 now appears to show that at least some former members of Conti are backing Russia once more. It also demonstrates a blurring of the lines between financially motivated and government-backed groups in Eastern Europe, "illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests," noted TAG's Bureau.
Another group that notably also has turned against Ukraine is Trickbot, which IBM researchers said in July had been systematically attacking Ukrainian targets over the previous three-month period. Trickbot over the years has evolved from a banking Trojan to an initial access broker and a distributor for several ransomware and malware tools, including the Conti and Ryuk ransomwares, and the Emotet Trojan.