Former hackers from the Conti group attack Ukraine and the EU: what experts say

  • September 9, 2022

UAC-0098 is a so-called access broker: a group that gives extortion groups access to systems that are already compromised. The group uses the IcedID banking trojan.

What is known

  • TAG has been monitoring UAC-0098's activity since April. At that time the hackers started a phishing campaign that distributed the AnchorMail backdoor (a modified version of Anchor, developed by the Conti group).
  • The group's attacks were reportedly observed between mid-April and mid-June. The attackers often changed tactics and lures.
  • Experts say that the targets are Ukrainian organizations (for example, hotel chains), and that the hackers pose as representatives of the Ukrainian National Cyber Police or of Elon Musk and the company StarLink.
  • In subsequent campaigns targeting Ukrainian organizations and European NGOs, UAC-0098 distributed IcedID and Cobalt Strike payloads through phishing attacks.

Based on various indicators, TAG believes that some members of UAC-0098 are former members of the Conti cybercriminal group, which has redirected its methods to attack Ukraine, said the researchers, who found numerous matches between UAC-0098, Trickbot and Conti.

According to the researchers, the activities of UAC-0098 are a clear example of how the boundaries between financially motivated and “government” attacks are blurring, and hackers can change their targets “to suit regional geopolitical interests.”

Source: 24 Tv
