UAC-0098 malicious collective targets Ukrainian organizations and European NGOs

Former members of the Conti ransomware gang have joined another malicious collective, tracked as UAC-0098, and are widely attacking Ukrainian organizations and European non-governmental organizations (NGOs).

The Threat Analysis Group (TAG) found this threat group in April after detecting a fraud campaign that pushed the Conti-linked AnchorMail backdoor. In an earlier UAC-0098 attack, the researchers came across ‘lackeyBuilder’ for the first time. This is a previously undisclosed builder for AnchorMail, one of the private backdoors used by the Conti groups. After that, the threat actor constantly used tools and services for cybercrime.

The collective’s attacks were observed between mid-April and mid-June. The group frequently changed its tactics, techniques and procedures each time it targeted a particular organization. In subsequent campaigns, UAC-0098 was also seen injecting IcedID and Cobalt Strike malicious payloads in cyberattacks that targeted several Ukrainian organizations and European NGOs.



