
Some Members of Conti Group Concentrating on Ukraine in Financially Motivated Assaults

Written by admin

Former members of the Conti cybercrime cartel have been implicated in five different campaigns targeting Ukraine from April to August 2022.

The findings, which come from Google's Threat Analysis Group (TAG), build upon a prior report published in July 2022 detailing the continued cyber activity aimed at the Eastern European nation amid the ongoing Russo-Ukrainian war.

"UAC-0098 is a threat actor that historically delivered the IcedID banking trojan, leading to human-operated ransomware attacks," TAG researcher Pierre-Marc Bureau said in a report shared with The Hacker News.


"The attacker has recently shifted their focus to targeting Ukrainian organizations, the Ukrainian government, and European humanitarian and non-profit organizations."

UAC-0098 is believed to have functioned as an initial access broker for ransomware groups such as Quantum and Conti (aka FIN12, Gold Ulrick, or Wizard Spider), the former of which was subsumed by Conti in April 2022.

Financially Motivated Attacks

One of the prominent campaigns undertaken by the group in June 2022 entailed the abuse of the Follina vulnerability (CVE-2022-30190) in the Windows operating system to deploy CrescentImp and Cobalt Strike Beacons onto targeted hosts in media and critical infrastructure entities.

But this appears to be part of a series of attacks that commenced as far back as late April 2022, when the group conducted an email phishing campaign to deliver AnchorMail (aka LackeyBuilder), a variant of the TrickBot group's AnchorDNS implant that uses SMTP for command-and-control.

Subsequent phishing campaigns distributing IcedID and Cobalt Strike were directed against Ukrainian organizations, repeatedly hitting the hospitality sector; some of these campaigns impersonated the National Cyber Police of Ukraine or representatives of Elon Musk and StarLink.

Around mid-May, UAC-0098 is also said to have leveraged a compromised account of a hotel in India to send malware-laced attachments to organizations operating in the hospitality industry in Ukraine, before expanding to humanitarian NGOs in Italy.


Similar attacks have also been observed against entities in the technology, retail and government sectors, with the IcedID binary disguised as a Microsoft update to trigger the infection. Post-exploitation steps carried out following a successful compromise have not been identified.

UAC-0098 is far from the only Conti-affiliated hacking group to set its sights on Ukraine since the onset of the war. In July 2022, IBM Security X-Force disclosed that the TrickBot gang orchestrated six different campaigns to systematically target the country with a plethora of malware.

"UAC-0098 activities are representative examples of blurring lines between financially motivated and government backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests," Bureau said.

"The group demonstrates strong interest in breaching businesses operating in the hospitality industry of Ukraine, going as far as launching multiple distinct campaigns against the same hotel chains."
