Former members of the Conti cybercrime cartel have been implicated in five different campaigns targeting Ukraine from April to August 2022.
The findings, which come from Google’s Threat Analysis Group (TAG), builds upon a prior report published in July 2022 detailing the continued cyber activity aimed at the Eastern European nation amid the ongoing Russo-Ukrainian war.
UAC-0098 is believed to have functioned as an initial access broker for ransomware groups such as Quantum and Conti (aka FIN12, Gold Ulrick, or Wizard Spider), the former of which was subsumed by the latter in April 2022.
One of the prominent campaigns undertaken by the group in June 2022 entailed the abuse of Follina vulnerability (CVE-2022-30190) in the Windows operating system to deploy CrescentImp and Cobalt Strike Beacons on to targeted hosts in media and critical infrastructure entities.
But this appears to be a part of a series of attacks that commenced way back in late April 2022, when the group conducted an email phishing campaign to deliver AnchorMail (aka LackeyBuilder), a variant of the TrickBot group’s AnchorDNS implant that uses SMTP for command-and-control.
