[MART] - Daily Diary #591 - Former Conti Ransomware Members Join Initial Access Broker Group

ctas-mat at appgate.com ctas-mat at appgate.com
Thu Sep 8 20:50:20 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

09/08/2022 - Diary entry #591:

Recently, five different campaigns conducted from April to August 2022 revealed that former members of the Conti syndicate joined an Initial Access Broker group.

Tracked as UAC-0098, the group acted as an initial access broker for ransomware groups such as Quantum and Conti by delivering threats using IcedID. Conti Syndicate, the Russian group responsible for the Conti Ransomware was one of the most dangerous ransomware families that operated using the double-extortion model. Conti was mentioned in many of our Daily Diaries until it shut down its operation in May this year.

Now, UAC-0098 along with former Conti members, shifted their operations to target the Ukrainian government and organizations, as well as European humanitarian and non-profit organizations. UAC-0098 was observed launching campaigns delivering IcedID variants, Cobalt Strike, and AnchorMail, a backdoor (developed by the Conti group) that uses the SMTP protocol as command and control (C2). In one of the campaigns, they exploited Follina (CVE-2022-30190), a critical RCE vulnerability triggered by MS Office files.

In February this year, our team covered on Daily Diary #461 that Conti Ransomware posted an announcement on their page, announcing "a full support of Russian government" during the ongoing conflicts in Ukraine-Russia. This reagroupment of some of Conti members shows that threat actors are moving from financial-only to political interests and it also reinforces the overlapping between their operations when Conti was still active.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>


Malware Analysis and Research Team


E: ctas-mat at appgate.com<mailto:ctas-mat at appgate.com>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20220908/86fbe866/attachment.htm>

More information about the MART mailing list