Pages

11 September 2022

Initial access broker repurposing techniques in targeted attacks against Ukraine

Pierre-Marc Bureau

As the war in Ukraine continues, TAG is tracking an increasing number of financially motivated threat actors targeting Ukraine whose activities seem closely aligned with Russian government-backed attackers. This post provides details on five different campaigns conducted from April to August 2022 by a threat actor whose activities overlap with a group CERT-UA tracks as UAC-0098 [1, 2, 3]. Based on multiple indicators, TAG assesses some members of UAC-0098 are former members of the Conti cybercrime group repurposing their techniques to target Ukraine.

UAC-0098 is a threat actor that historically delivered the IcedID banking trojan, leading to human-operated ransomware attacks. The attacker has recently shifted their focus to targeting Ukrainian organizations, the Ukrainian government, and European humanitarian and non-profit organizations. TAG assesses UAC-0098 acted as an initial access broker for various ransomware groups including Quantum and Conti, a Russian cybercrime gang known as FIN12 / WIZARD SPIDER.

TAG is sharing additional context and indicators, including disclosing new campaigns that weren’t previously detailed or attributed to the group, to assist the security community in investigating and defending against this threat.

Initial Encounter

TAG started actively tracking UAC-0098 after identifying an email phishing campaign that delivered AnchorMail (“LackeyBuilder”) in late April 2022. AnchorMail is a version of the Anchor backdoor that uses the simple mail transfer protocol (SMTPS) for command and control (C2) communication. The tool, assessed to be developed by the Conti group, previously was installed as a TrickBot module. TAG was able to connect the activity to earlier phishing emails targeting Ukraine with lures like:

No comments:

Post a Comment