Over the past five months, Google has been tracking a financially motivated threat actor known as UAC-0098, which has been conducting multiple malicious campaigns targeting various entities in Ukraine and Europe.
The group’s activities closely align with those of Russian government-backed attackers, and Google’s Threat Analysis Group (TAG) believes that at least some of UAC-0098’s members are former members of the Conti ransomware gang.
UAC-0098 is widely known for using the IcedID banking trojan in attacks that led to the deployment of human-operated ransomware, operating as an access broker for ransomware groups such as Quantum and Conti.
Recently, however, the threat actor has been targeting the Ukrainian government, various organizations in the country, and European humanitarian and non-profit organizations.
In late April, UAC-0098 was seen launching an email phishing campaign to deliver AnchorMail, a variant of the Anchor backdoor developed by the Conti group, which was previously installed as a TrickBot module.
The attacks appeared both financially and politically motivated, and also stood out because LackeyBuilder and batch scripts were used to build AnchorMail on the fly, Google says.
From mid-April to mid-June, the group was seen launching email campaigns targeting organizations in the hospitality industry in Ukraine with malware such as IcedID and Cobalt Strike.
In one campaign in May, the attackers sent phishing emails impersonating the National Cyber Police of Ukraine, while in another they used a compromised account of a hotel in India. The same email account was also used to target humanitarian NGOs in Italy, also with IcedID.
Also in May, UAC-0098 sent phishing emails impersonating representatives of Elon Musk and StarLink. Some of these emails targeted various Ukrainian organizations in the government, retail, and technology sectors.
In late May, the threat actor targeted the Academy of Ukrainian Press (AUP) with phishing emails linking to a malicious document on Dropbox, which would fetch a Cobalt Strike dll. Organizations in the hospitality industry were also targeted by these emails.
In June, UAC-0098 was seen exploiting CVE-2022-30190, a Windows vulnerability also known as Follina. Google says it disrupted a spam campaign with more than 10,000 emails impersonating the State Tax Service of Ukraine, which fetched a Cobalt Strike beacon.
“UAC-0098 activities are representative examples of blurring lines between financially motivated and government backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests,” Google notes.