Cuba ransomware now targeting critical infrastructure

Threat actors associated with the Cuba ransomware have been linked to previously undocumented tactics, techniques, and procedures (TTPs), including a new remote access Trojan called ROMCOM RAT on compromised systems.

The new findings come from Palo Alto Networks’ Unit 42 threat intelligence team, which is tracking the double-extortion ransomware group under the moniker Tropical Scorpius.

Cuba ransomware (also known as COLDDRAW), which was first detected in December 2019, re-emerged in the threat landscape in November 2021 and has been attributed to attacks against 60 entities in five critical infrastructure sectors, amassing at least $43.9 million in ransom payments.

Of the 60 victims listed on their data leak site, 40 are located in the US, indicating a not-so-global distribution of target organizations as other ransomware gangs.

“Cuba ransomware is distributed via Hancitor malware, a loader known to drop or execute thieves, such as Remote Access Trojans (RATs) and other types of ransomware, onto victims’ networks,”according to a December 2021 alert from the US Federal Bureau of Investigation (FBI).

“Hancitor malware actors use phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools to gain initial access to a victim’s network”.

In the intervening months, the ransomware operation received an update with the goal of “optimizing its execution, minimizing unwanted system behavior, and providing technical support to ransomware victims if they decide to trade,” according to Trend Micro.

The main changes included ending more processes before encryption (namely Microsoft Outlook, Exchange, and MySQL), expanding the types of files to be excluded, and revising its ransom note to offer assistance to victims via quTox.

Tropical Scorpius is also believed to share connections with a data extortion market called Industrial Spy.

The latest updates observed by Unit 42 in May 2022 have to do with defense evasion tactics employed prior to the ransomware deployment to remain undetected and move laterally through the compromised IT environment.

“Tropical Scorpius took advantage of a dropper that writes a kernel driver to the file system called ApcHelper.sys,” the company noted. “This targets and terminates security products. This dropper was not signed, however the kernel driver was signed with the certificate found in the LAPSUS$ NVIDIA”.

The main task of the kernel driver is to terminate processes associated with security products to evade detection. Also incorporated into the attack chain is a local privilege escalation tool downloaded from a remote server to gain System.

This, in turn, is achieved by triggering an exploit for CVE-2022-24521 (CVSS score: 7.8), a flaw in the Windows Common Log File System (CLFS) that Microsoft fixed as a Zero-Day flaw in April2022.

The privilege escalation step is followed by performing lateral movement and system reconnaissance activities through tools such as ADFind and NetScan, while also using a ZeroLogon utility that exploits CVE-2020-1472 to obtain domain administrator rights.

Furthermore, the intrusion paves the way for the implementation of a new backdoor called ROMCOM RAT, which is equipped to launch a reverse shell, delete arbitrary files, upload data to a remote server, and compile a list of running processes.

The remote access Trojan is said to be under active development, as the cybersecurity firm discovered a second sample uploaded to the VirusTotal database on June 20, 2022. The enhanced variant comes with support for an expanded set of 22 commands, with the ability to download custom programs to take screenshots, as well as extract a list of all installed applications to send them to the remote server.

The findings come as emerging ransomware groups such as Stormous, Vice Society, Luna, SolidBit, and BlueSky continue to proliferate and evolve in the cybercrime ecosystem, while also using advanced encryption techniques and delivery mechanisms.

.“Ransomware authors are adopting modern advanced techniques, such as encoding and encryption of malicious samples, or using multi-stage delivery and upload of ransomware, to evade security defenses,”42 noted.UnitBlueSky ransomware is capable of encrypting files on victim hosts at fast speeds with multi-threaded computation.Furthermore, the ransomware adopts obfuscation techniques, such as API hashing, to slow down the reverse engineering process for the analyst.