Some ex-members of the well-known Conti ransomware group appear to have joined the ranks of a hacker group that security researchers track as UAC-0098, and are now adapting their tools to attack Ukrainian entities, the hospitality industry, and European humanitarian and non-profit organizations, according to a new report from Google’s Threat Analysis Group (TAG).
In May 2022, Conti officially shut down its operation; however, security researchers warned at the time that the gang hadn't vanished but had simply split into smaller, newer brands.
UAC-0098 is an initial access broker that provided various ransomware groups, including Quantum and Conti, with access to victims’ networks via the IcedID banking trojan. But more recently, the group has switched to attacks against Ukraine. Previously, the Computer Emergency Response Team of Ukraine detected a cyberattack on Ukraine’s critical infrastructure, which it attributed to UAC-0098.
TAG said it started tracking UAC-0098 after discovering a phishing campaign in April that leveraged a previously undisclosed builder, lackeyBuilder, for the AnchorMail backdoor developed by Conti. The backdoor was previously installed as a TrickBot module, TAG said.
“In the initial encounter with UAC-0098, ‘lackeyBuilder’ was observed for the first time. This is a previously undisclosed builder for AnchorMail, one of the private backdoors used by the Conti groups. Since then, the actor consistently used tools and services traditionally employed by cybercrime actors for the purpose of acquiring initial access: IcedID trojan, EtterSilent malicious document builder, and the ‘Stolen Image Evidence’ social engineering malware distribution service,” the report reads.
“UAC-0098 activities are representative examples of blurring lines between financially motivated and government backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests.”
Between April and August 2022, the team observed five different phishing campaigns. Some of the campaigns impersonated the National Cyber Police of Ukraine, the State Tax Service of Ukraine, or representatives of Elon Musk, StarLink and Microsoft to deliver the IcedID trojan to victims’ machines.
Google has also observed the threat actor exploiting the Microsoft MSDT vulnerability (CVE-2022-30190, aka Follina) to deliver malicious payloads. CERT-UA had previously reported a similar campaign that exploited the Follina bug to push Cobalt Strike Beacon malware.