Friday, September 9, 2022

Former Conti Ransomware Members Join Initial Access Broker Group Targeting Ukraine



Former members of the Russia-linked Conti ransomware gang are repurposing their techniques to join up with an initial access broker (IAB) that has been targeting Ukraine in a series of phishing campaigns that occurred over a recent four-month span.

Google Threat Analysis Group (TAG) has been tracking recent activity of a group it identifies as UAC-0098, which researchers believe now includes former members of the notorious ransomware actor.

As TAG's Pierre-Marc Bureau wrote in a blog post published Wednesday, UAC-0098, historically known for delivering the IcedID banking Trojan as a prelude to human-operated ransomware attacks, has in recent months acted specifically against Ukrainian organizations, the government of Ukraine, and pro-Ukraine European humanitarian and nonprofit organizations.

The activity's goal has been to sell persistent access into such targets' networks to various ransomware groups, including Quantum and Conti (aka FIN12 or Wizard Spider).

UAC-0098's latest campaigns demonstrate a shift in focus to politically motivated actions, reflecting the group's affiliation with Conti and, unsurprisingly, its support of Russia's military actions against Ukraine, notes Tom Kellermann, CISM and senior vice president of cyber strategy at Contrast Security.

"Conti's recent engagement in the war illustrates not only their patriotism to Russia but their need to pay homage to the regime," he said in an email to Dark Reading.

Making the Connection

Google TAG discovered five separate and specific phishing campaigns that occurred from April to August, using tools and tactics previously associated with Conti. Threat actors impersonated several known entities to lure victims into downloading malware using typical phishing tactics, giving ransomware groups access for further threat activity.

The first campaign that linked UAC-0098 to Conti caught TAG's attention in late April, when researchers identified attacks delivering AnchorMail, also known as "LackeyBuilder." AnchorMail, developed by Conti and previously installed as a Trickbot module, is a version of the Anchor backdoor that uses SMTP over TLS (SMTPS) for command-and-control (C2) communication.

"The campaign stood out because it appeared to be both financially and politically motivated," Bureau wrote in the post. "It also appeared experimental: instead of dropping AnchorMail directly, it used LackeyBuilder and batch scripts to build AnchorMail on the fly."

Researchers also identified UAC-0098 activity in another email campaign that occurred earlier in the month to deliver IcedID and Cobalt Strike as attachments to Ukrainian organizations. This particular initial phase of the group's Conti-linked activity occurred between mid-April and mid-June, and primarily targeted hotels in Ukraine.

Other Campaigns

Another phishing attack occurred on May 11, when UAC-0098 targeted Ukrainian organizations in the hospitality industry with phishing emails impersonating the National Cyber Police of Ukraine. The emails contained a download link urging targets to use it to update their operating systems; the link generated a PowerShell script to fetch and execute IcedID.

On May 17, UAC-0098 used a compromised account of a hotel in India to send phishing emails, again to Ukrainian hospitality organizations, researchers said. The emails included an attached .ZIP archive containing a malicious .XLL file that downloaded a variant of IcedID.

On that day, the same compromised account also was used to target humanitarian nongovernmental organizations (NGOs) in Italy, delivering IcedID as an .MSI file via the anonymous file sharing service dropfiles[.]me.

Two days later, in a fourth separate campaign, UAC-0098 impersonated representatives of Elon Musk and his StarLink satellite service, using the address "[email protected][.]info" to send phishing emails claiming to deliver software required to connect to the Internet using StarLink satellites. The email included a link to an .MSI installer dropping IcedID, downloaded from the attacker-controlled domain "starlinkua[.]info."

Four days later, a similar attack targeted a wider range of Ukrainian organizations operating in the technology, retail, and government sectors, using the same IcedID binary with a file name that resembled a Microsoft update, researchers said.

The last phishing campaign by UAC-0098 uncovered by TAG occurred on May 24 and targeted the Academy of Ukrainian Press with a phishing email containing a Dropbox link to a malicious Excel document. The document directly fetched a Cobalt Strike file from an IP address previously used to deliver IcedID payloads in the campaign against the Italian NGOs on May 17, researchers said.

Conti's Notorious Past

Conti, a ransomware group active since late 2019, ceased operations as a formal entity in May. However, its members have carried on its cybercriminal legacy, remaining as active as ever, either as part of other ransomware groups or as independent contractors focused on data theft, initial network access, and other criminal endeavors.

In its heyday, Conti was known as one of the most dangerous and ruthless ransomware groups in the world; one of its final acts, in fact, so crippled the government of Costa Rica that the country was forced into a state of emergency.

Though linked to Russia, Conti previously had flip-flopped in its support of Russia's invasion of Ukraine, initially showing support on its data leak site early in the conflict before issuing a retraction that condemned "the ongoing war." The group then noted in a statement soon after that it would take "retaliatory measures" if the West launched cyberattacks against Russia or Russian-speaking countries.

The latest alignment with UAC-0098 now appears to show that at least some former members of Conti are backing Russia once more. It also demonstrates a blurring of the lines between financially motivated and government-backed groups in Eastern Europe, "illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests," noted TAG's Bureau.

Another group that notably also has turned against Ukraine is Trickbot, which IBM researchers said in July had been systematically attacking Ukrainian targets over the previous three-month period. Trickbot over the years has evolved from a banking Trojan to an initial access broker and a distributor for several ransomware and malware tools, including the Conti and Ryuk ransomware families and the Emotet Trojan.
