A member of the Cuba ransomware operation is using previously unseen tactics, techniques, and procedures (TTPs), including a novel RAT (remote access trojan) and a new local privilege escalation tool.
Researchers at Palo Alto Networks Unit 42 dubbed the threat actor 'Tropical Scorpius' and assess that it is an affiliate of the Cuba ransomware operation.
In Q1 2022, Cuba ransomware received a minor update, including a modified encryptor with more granular options and the addition of quTox for live victim support.
Tropical Scorpius, however, represents a change in tactics that could make the Cuba operation more dangerous and intrusive.
Tropical Scorpius deploys the standard Cuba ransomware payload, which has remained largely unchanged since the operation began in 2019.
Since June 2022, one of the new techniques has been to sign a kernel driver, dropped in the early stages of an infection, with a legitimate but no-longer-valid NVIDIA code-signing certificate that was stolen and leaked by Lapsus$.
The driver's job is to locate and terminate processes belonging to security products, helping the threat actors evade detection in the compromised environment.
Tropical Scorpius then downloads a local privilege escalation tool containing an exploit for CVE-2022-24521, a flaw in the Windows Common Log File System (CLFS) driver that Microsoft patched as an actively exploited zero-day in April 2022.
According to Unit 42, the exploitation approach appears to have been inspired by security researcher Sergey Kornienko's detailed write-up of the bug. Tropical Scorpius then downloads ADFind and Net Scan for Active Directory and network reconnaissance ahead of lateral movement. At this stage the threat actor also introduces a new tool that retrieves cached Kerberos credentials from the host.
Another new technique observed by Unit 42 researchers is the use of a ZeroLogon exploit tool to obtain domain administrator (DA) credentials via CVE-2020-1472. Finally, Tropical Scorpius deploys "ROMCOM RAT," a previously undocumented malware that conducts its C2 communications over ICMP, sending the requests through Windows API calls.
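One way to hunt for this technique in existing telemetry, as an added example that is not part of the original article or of Unit 42's research: parse Sysmon driver-load events (Event ID 6) and flag drivers whose Authenticode signer is NVIDIA but whose signature is no longer valid, or which load from a path where kernel drivers do not normally live. The events below are constructed, the second file path is hypothetical, and the assumption that Sysmon reports a non-"Valid" SignatureStatus for a driver signed with the leaked certificate is the example's, not the article's.

```python
import re

# Directories from which kernel drivers are normally loaded on Windows. A driver
# loading from anywhere else (ProgramData, Temp, a user profile) is worth a look
# whoever signed it. Assumption for the example; extend for your own estate.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Constructed Sysmon Event ID 6 (DriverLoad) messages, not real telemetry. The
# hashes are zeroed placeholders and the second image path is hypothetical.
CONSTRUCTED_EVENTS = [
    """Driver loaded:
RuleName: -
UtcTime: 2022-06-15 09:12:44.101
ImageLoaded: C:\\Windows\\System32\\drivers\\example_gpu.sys
Hashes: SHA256=0000000000000000000000000000000000000000000000000000000000000000
Signed: true
Signature: NVIDIA Corporation
SignatureStatus: Valid""",
    """Driver loaded:
RuleName: -
UtcTime: 2022-06-15 09:13:02.557
ImageLoaded: C:\\ProgramData\\drv.sys
Hashes: SHA256=0000000000000000000000000000000000000000000000000000000000000000
Signed: true
Signature: NVIDIA Corporation
SignatureStatus: Expired""",
]


def parse_sysmon_event(text: str) -> dict:
    """Turn the 'Key: value' lines of a Sysmon message body into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def assess_driver_load(event: dict) -> list:
    """Return the reasons a driver-load event deserves analyst attention, if any."""
    reasons = []
    status = event.get("SignatureStatus", "").lower()
    signer = event.get("Signature", "").lower()
    image = event.get("ImageLoaded", "").lower()

    # A signed driver whose signature is expired/revoked/untrusted still loaded:
    # that is the leaked-certificate case, so record the reported status.
    if event.get("Signed", "").lower() == "true" and status != "valid":
        reasons.append(f"signature_{status or 'unknown'}")
    # Narrow match on the vendor named in the article; tune as new leaks appear.
    if "nvidia" in signer and status != "valid":
        reasons.append("leaked_vendor_cert_pattern")
    if image and not image.startswith(EXPECTED_DRIVER_DIRS):
        reasons.append("unusual_driver_path")
    return reasons


def hunt(raw_events) -> list:
    """Parse and assess every event; return (image path, reasons) for the suspicious ones."""
    hits = []
    for raw in raw_events:
        ev = parse_sysmon_event(raw)
        why = assess_driver_load(ev)
        if why:
            hits.append((ev.get("ImageLoaded"), why))
    return hits


if __name__ == "__main__":
    for image, why in hunt(CONSTRUCTED_EVENTS):
        print(f"{image}: {', '.join(why)}")
```

Any hit should be followed up by pulling the driver from disk and inspecting the signing certificate's serial number and validity period; the example deliberately does not hardcode certificate identifiers, since the article does not list them.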
ROMCOM RAT supports the following 10 commands:
- Return connected drive information
- Return file listings for a specified directory
- Start a reverse shell named svchelper.exe from the %ProgramData% folder
- Upload data to the C2 as a ZIP file, using IShellDispatch to copy files
- Download data and write it to worker.txt in the %ProgramData% folder
- Delete a specified file
- Delete a specified directory
- Spawn a process with PID spoofing
- Only handled by ServiceMain: received from the C2 server, it instructs the process to sleep for 120,000 ms (two minutes)
- Iterate through running processes and collect process IDs
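A practitioner's first question about an ICMP-based C2 channel is how to spot it on the wire. The following is an added example, not code from the article or from Unit 42, and it makes no claim about ROMCOM's actual payload format: it scores ICMP echo-request flows on whether the data field matches the default Windows ping payload, on payload entropy, and on beacon regularity, over a constructed capture. The flow tuple, the thresholds and the sample packets are the example's own assumptions.

```python
import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Default 32-byte data field the Windows ping utility sends. A RAT calling the
# IcmpSendEcho Windows API can put arbitrary bytes here, which is what turns
# ICMP echo into a covert C2 channel. (Assumption: monitored hosts are Windows;
# Linux ping uses a different default pattern.)
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


@dataclass
class IcmpEcho:
    ts: float       # capture time, seconds
    src: str
    dst: str
    payload: bytes  # ICMP echo data field


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; the 32-letter ping pattern scores ~4.4, ciphertext scores higher."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flag_icmp_c2(echoes, entropy_threshold=5.0, min_beacons=5, max_jitter=0.2) -> dict:
    """Group echo requests by (src, dst) and report flows whose payloads do not
    look like ping. Timing regularity is a supporting indicator only, because a
    plain `ping -t` is also perfectly regular."""
    flows = defaultdict(list)
    for e in echoes:
        flows[(e.src, e.dst)].append(e)

    findings = {}
    for key, pkts in flows.items():
        reasons = []
        if any(p.payload != WINDOWS_PING_PAYLOAD for p in pkts):
            reasons.append("nonstandard_payload")
        if any(shannon_entropy(p.payload) >= entropy_threshold for p in pkts):
            reasons.append("high_entropy_payload")
        if not reasons:
            continue  # payload indicators are required; timing alone is too noisy
        if len({len(p.payload) for p in pkts}) > 1:
            reasons.append("variable_payload_length")
        if len(pkts) >= min_beacons:
            ts = sorted(p.ts for p in pkts)
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
                reasons.append("regular_beacon")
        findings[key] = reasons
    return findings


def constructed_capture() -> list:
    """Constructed sample traffic, not real telemetry: one admin pinging the
    gateway four times, one host beaconing 128-byte opaque payloads to an
    external address every 10 seconds."""
    pkts = [IcmpEcho(100.0 + i, "10.0.0.5", "10.0.0.1", WINDOWS_PING_PAYLOAD)
            for i in range(4)]
    for i in range(6):
        # Stand-in for encrypted C2 data: deterministic pseudo-random bytes.
        blob = b"".join(hashlib.sha256(f"c2-{i}-{k}".encode()).digest() for k in range(4))
        pkts.append(IcmpEcho(200.0 + 10 * i, "10.0.0.7", "203.0.113.9", blob))
    return pkts


if __name__ == "__main__":
    for (src, dst), why in flag_icmp_c2(constructed_capture()).items():
        print(f"{src} -> {dst}: {', '.join(why)}")
```

The entropy check alone is a weak signal for short payloads (the legitimate ping pattern already scores about 4.4 bits per byte), which is why the payload mismatch is the primary trigger and entropy and beacon timing only add weight. In a real deployment the same logic runs over flow records or a packet capture from the perimeter, and a hit warrants pulling the sending host's process list for anything calling the ICMP APIs.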
On June 20, 2022, Tropical Scorpius compiled a new version of ROMCOM and uploaded it to VirusTotal for testing; it contacted the same hardcoded C2 address. This second version added ten new commands to the existing ten, providing more sophisticated options for remote execution, file upload, and process termination. The updated version can also fetch additional payloads from the C2, such as a screenshot-capture module named "Screenshooter."
The emergence of Tropical Scorpius and its new TTPs suggests that Cuba ransomware is becoming a more serious threat, even if this particular RaaS is not among the most prolific by victim count. Cuba has chosen to keep a low profile and pursue a more restrained double-extortion strategy, so the true number of victims is unclear.
Since June 2022, the group has published stolen data from four victims in the "free" section of its Tor leak site, while its "paid" listings have not been updated in a long time. Given the time required for negotiation and extortion, the results of the 'Tropical Scorpius' shift may only become visible in the second half of the year.