Conti ransomware members join the onslaught against Ukraine

September 12, 2022
Conti Ransomware Ukraine Malware Threat Actor Cobalt Strike

Google’s security team revealed that some of the former members of the Conti ransomware group had joined other hackers in attacking Ukraine. Based on reports, the former members of the cybercriminal group are now part of another gang called UAC-0098.

UAC-0098 works as an initial access broker that is notorious for using the IcedID banking malware. This malware gives ransomware groups access to compromised systems inside enterprise networks.

According to the researchers, they first encountered the group through lackeyBuilder, a previously unidentified builder for AnchorMail, one of the private backdoors used by the recently shut-down Conti ransomware group.

The operators of the backdoor have continuously used its tools and services to acquire initial access to targeted networks. The group’s primary weapon is the IcedID trojan, used as a vector alongside malicious documents distributed via social engineering tactics.

Researchers monitored the newly formed group’s attacks from April to June and observed frequent changes in its TTPs and lures. These new TTPs and lures heavily targeted Ukrainian organisations, especially hotel chains, and the group impersonated the country’s cyber police authority.


These former Conti ransomware members were seen deploying the Cobalt Strike beacon.


Subsequent attacks by the Conti ransomware members have also used Cobalt Strike payloads in phishing campaigns against European NGOs and Ukrainian entities.

Google TAG’s team stated that the group is not composed exclusively of former Conti members, since there are several overlaps with other groups such as TrickBot.

Moreover, experts believe these actors have targeted Ukraine only since authorities recently took down their primary group.

Previously, the group offered its services as an initial access broker to several ransomware groups such as Quantum and FIN12.

UAC-0098’s activities set it apart from other groups, since its attacks align with geopolitical interests rather than being financially motivated. This shows that modern threat actors can also be state-sponsored and politically motivated.

Other researchers have also noticed the attacks by these former Conti ransomware members and linked them to other cybercriminal activity that has targeted Ukrainian organisations and government sectors in recent months.
