
Hacker Uses New RAT Malware in Cuba Ransomware Attacks


A member of the Cuba ransomware operation is using previously unseen tactics, techniques, and procedures (TTPs), including a novel RAT (remote access trojan) and a new local privilege escalation tool.

Researchers at Palo Alto Networks Unit 42 track the threat actor as 'Tropical Scorpius' and assess that it is most likely an affiliate of the Cuba ransomware operation. In Q1 2022, Cuba ransomware received a minor update, including a modified encryptor with more granular options and the addition of qTox, a Tox-based chat client, for live victim support.

Tropical Scorpius, however, represents a shift in tactics that could make the Cuba operation more dangerous and more intrusive. The actor still deploys the standard Cuba ransomware payload, which has remained essentially unchanged since the operation began in 2019.

Since June 2022, one of the new techniques has been the use of a legitimate but expired NVIDIA code-signing certificate, stolen and leaked by LAPSUS$, to sign a kernel driver dropped during the early stages of an infection. The driver's job is to locate and kill processes belonging to security products, helping the threat actor evade detection in the compromised environment. Windows still loads kernel drivers signed with such expired certificates, which is why the leaked NVIDIA certificate remains usable for this kind of tradecraft.

Tropical Scorpius then downloads a local privilege escalation tool containing an exploit for CVE-2022-24521, a vulnerability in the Windows Common Log File System (CLFS) driver that Microsoft patched as an actively exploited zero-day in April 2022.

According to Unit 42, the exploitation approach appears to have been inspired by security researcher Sergey Kornienko's detailed write-up of the flaw. Tropical Scorpius then downloads ADFind and Net Scan for Active Directory reconnaissance and lateral movement. At this stage the threat actor also introduces a new tool for retrieving cached Kerberos credentials.

Another novel technique observed by Unit 42 is the use of a ZeroLogon hacking tool to obtain domain administrator (DA) credentials by exploiting CVE-2020-1472, the Netlogon elevation-of-privilege flaw. Finally, Tropical Scorpius deploys "ROMCOM RAT," a previously unknown malware that handles C2 communications over ICMP requests sent via Windows API calls.

ROMCOM RAT supports the following 10 commands:
  • Return connected drive information
  • Return file listings for a specified directory
  • Start up a reverse shell under the name svchelper.exe within the %ProgramData% folder
  • Upload data to C2 as ZIP file, using IShellDispatch to copy files
  • Download data and write to worker.txt in the %ProgramData% folder
  • Delete a specified file
  • Delete a specified directory
  • Spawn a process with PID Spoofing
  • Sleep for 120,000 ms; this command is handled only by ServiceMain when received from the C2 server
  • Iterate through running processes and gather process IDs

On June 20, 2022, Tropical Scorpius uploaded a new build of ROMCOM to VirusTotal, apparently to test detection; it pointed to the same hardcoded C2 address. The second version adds ten new commands to the existing ten, giving the operator more sophisticated options for remote execution, file upload, and process termination. The updated version can also fetch additional payloads from the C2, such as a screenshot-capturing tool named "Screenshooter."
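ROMCOM's ICMP-based C2 is the kind of channel that slips past egress controls tuned for HTTP. The detection sketch below is an added example, not ROMCOM's protocol or Unit 42's code: it groups ICMP echo requests by source host and flags hosts whose payloads do not match the fixed filler that Windows ping.exe and Linux iputils ping use. The telemetry records, the payload generators and the thresholds (five requests, at least half of them with non-ping payloads) are constructed assumptions for illustration.

```python
"""Hunting for ICMP-carried C2 in echo-request telemetry.

Added example, not ROMCOM's own protocol or Unit 42's code. The records below
are constructed. The heuristic is general: ping.exe and iputils ping fill echo
payloads with a fixed pattern, while tooling that tunnels tasking over ICMP
carries opaque, varying payloads. Thresholds are illustrative assumptions.
"""
import struct
from collections import defaultdict
from dataclasses import dataclass

ICMP_ECHO_REQUEST = 8


@dataclass
class IcmpRecord:
    ts: float        # capture time, epoch seconds
    src: str
    dst: str
    icmp_type: int
    payload: bytes   # ICMP data after the 8-byte ICMP header


def is_benign_ping_payload(payload: bytes) -> bool:
    """True if the payload matches a standard OS ping filler pattern."""
    if len(payload) <= 8:
        return True  # too short to judge; do not alert on it
    # Windows ping.exe: letters cycling through a..w ("abcdefghijklmnopqrstuvwabcdefghi" at 32 bytes)
    if all(b == ord("a") + (i % 23) for i, b in enumerate(payload)):
        return True
    # Linux iputils ping: 8-byte timestamp followed by 0x10, 0x11, 0x12, ...
    if all(b == (0x10 + i) & 0xFF for i, b in enumerate(payload[8:])):
        return True
    return False


def hunt_icmp_c2(records, min_requests=5, min_suspicious_ratio=0.5):
    """Group echo requests by source and flag hosts whose payloads mostly
    do not look like ping filler. Returns {src: summary}."""
    per_src = defaultdict(list)
    for r in records:
        if r.icmp_type == ICMP_ECHO_REQUEST:
            per_src[r.src].append(r)
    findings = {}
    for src, reqs in per_src.items():
        suspicious = [r for r in reqs if not is_benign_ping_payload(r.payload)]
        ratio = len(suspicious) / len(reqs)
        if len(reqs) >= min_requests and ratio >= min_suspicious_ratio:
            findings[src] = {
                "requests": len(reqs),
                "suspicious": len(suspicious),
                "payload_sizes": sorted({len(r.payload) for r in reqs}),
                "destinations": sorted({r.dst for r in reqs}),
            }
    return findings


# ---- constructed sample telemetry (assumptions, not captured traffic) -------
def _windows_ping_payload(n=32):
    return bytes(ord("a") + (i % 23) for i in range(n))


def _linux_ping_payload(ts, n=56):
    return struct.pack("<II", int(ts), 0) + bytes((0x10 + i) & 0xFF for i in range(n - 8))


def _opaque_payload(i):
    # Stand-in for encrypted tasking: deterministic pseudo-random bytes, varying length.
    return bytes((37 * i + 59 * k + 11) % 256 for k in range(16 + 3 * i))


SAMPLE_RECORDS = (
    [IcmpRecord(1_660_000_000 + i, "10.0.0.10", "8.8.8.8", 8, _windows_ping_payload()) for i in range(6)]
    + [IcmpRecord(1_660_000_100 + i, "10.0.0.11", "10.0.0.1", 8, _linux_ping_payload(1_660_000_100 + i)) for i in range(4)]
    + [IcmpRecord(1_660_000_200 + 30 * i, "10.0.0.23", "203.0.113.9", 8, _opaque_payload(i)) for i in range(6)]
    + [IcmpRecord(1_660_000_201, "203.0.113.9", "10.0.0.23", 0, b"reply")]  # echo reply, ignored
)

if __name__ == "__main__":
    for src, info in hunt_icmp_c2(SAMPLE_RECORDS).items():
        print(f"{src}: {info}")
```

Fed with echo-request records derived from pcap or flow data, a host whose ICMP payloads are opaque and vary in size is worth a look whatever RAT produced them. The heuristic says nothing about ROMCOM's actual encoding, which the report does not describe.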

The emergence of Tropical Scorpius and its new TTPs suggests that Cuba ransomware is becoming a more serious threat, even though the RaaS is not among the most prolific by victim count. Cuba has instead kept a low profile and used a less aggressive double-extortion approach, so the true number of victims is unclear.

Since June 2022, the group has published the stolen data of four victims in the "free" section of its Tor (Onion) leak site, while its "paid" listings have not been updated for a long time. Given the time required for negotiation and extortion, the results of the 'Tropical Scorpius' shift may only become visible in the second half of the year.


Cuba Ransomware Hacked Microsoft Exchange Servers


The Cuba ransomware operation is exploiting Microsoft Exchange vulnerabilities to gain initial access to corporate networks and encrypt devices. Cybersecurity firm Mandiant tracks the ransomware group as UNC2596 and the ransomware itself as COLDDRAW.

Cuba, however, is the name by which the malware is most widely known. The Cuba ransomware operation began in late 2019 and, after a slow start, gained traction in 2020 and 2021. In December 2021, the FBI issued a Cuba ransomware alert stating that the group had compromised 49 critical infrastructure organizations in the United States. Mandiant's new analysis indicates that the operation predominantly targets the United States, followed by Canada. Since August 2021, the Cuba ransomware gang has been exploiting Microsoft Exchange vulnerabilities to deploy web shells, RATs, and backdoors and gain a foothold on the target network.

"Mandiant has also identified the exploitation of Microsoft Exchange vulnerabilities, including ProxyShell and ProxyLogon, as another access point leveraged by UNC2596 likely as early as August 2021," explains Mandiant in a new report. 
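Exchange servers exploited this way leave traces in the IIS W3C logs long before any ransomware runs. As an added example (not Mandiant's tooling or the operators' code), the script below parses constructed IIS log lines and applies three common hunting heuristics: the ProxyShell path-confusion shape in Autodiscover queries, POSTs to static-looking resources under /ecp/ and /owa/auth/Current/ that are associated with ProxyLogon tradecraft, and .aspx requests in directories where web shells are typically dropped. The sample log, the rule set and the /owa/auth/ allowlist are assumptions to be tuned per environment; a legitimate Autodiscover v2 request is included to show why the ProxyShell rule cannot simply key on the presence of '@'.

```python
"""Hunting IIS W3C logs for Exchange ProxyShell/ProxyLogon exploitation and
web shell access.

Added example; not Mandiant's tooling or the attackers' code. The log lines
are constructed, and the indicators are common hunting heuristics rather than
signatures from a specific intrusion. The /owa/auth/ allowlist is an
illustrative assumption that must be tuned to the real server.
"""
from urllib.parse import unquote

# Constructed sample in IIS W3C format (field list trimmed for brevity).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-14 03:12:01 10.0.0.5 GET /owa/ - 443 jdoe 10.0.0.77 Mozilla/5.0 200
2021-08-14 03:12:44 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 198.51.100.23 python-requests/2.25.1 200
2021-08-14 03:13:02 10.0.0.5 POST /ecp/y.js - 443 - 198.51.100.23 Mozilla/5.0 200
2021-08-14 03:15:30 10.0.0.5 POST /aspnet_client/shell.aspx cmd=whoami 443 - 198.51.100.23 Mozilla/5.0 200
2021-08-14 03:16:10 10.0.0.5 GET /aspnet_client/system_web/4_0_30319/webforms.js - 443 - 10.0.0.77 Mozilla/5.0 200
2021-08-14 03:16:55 10.0.0.5 GET /autodiscover/autodiscover.json Email=jdoe@corp.example&Protocol=ActiveSync 443 - 10.0.0.77 Outlook/16.0 200
"""

STATIC_EXTENSIONS = (".js", ".css", ".flt")
# Assumption: pages legitimately served from /owa/auth/; tune to the deployed build.
OWA_AUTH_KNOWN_ASPX = {"logon.aspx", "logoff.aspx", "errorfe.aspx", "signout.aspx"}


def parse_iis_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            continue
        values = line.split()  # IIS encodes spaces inside values as '+'
        if len(values) != len(fields):
            continue  # malformed or truncated line
        yield dict(zip(fields, values))


def classify(entry):
    """Return the list of rule names this request matches."""
    method = entry["cs-method"].upper()
    stem = unquote(entry["cs-uri-stem"]).lower()
    query = unquote(entry["cs-uri-query"])  # '-' when there is no query string
    hits = []
    # ProxyShell (CVE-2021-34473) path confusion puts '@host/...' straight after the '?'.
    # A legitimate Autodiscover v2 request also carries '@' (Email=user@domain), so key
    # on the shape, not merely the presence of '@'.
    if stem.startswith("/autodiscover/autodiscover.json") and (
        query.startswith("@") or "autodiscover.json?@" in query.lower()
    ):
        hits.append("proxyshell_autodiscover_ssrf")
    # ProxyLogon (CVE-2021-26855) tradecraft POSTs to static-looking resources under
    # /ecp/ and /owa/auth/Current/; static assets should never receive POSTs.
    if method == "POST" and stem.endswith(STATIC_EXTENSIONS) and (
        stem.startswith("/ecp/") or stem.startswith("/owa/auth/current/")
    ):
        hits.append("proxylogon_post_to_static_resource")
    # Web shells are commonly dropped under aspnet_client (which should hold no .aspx)
    # or beside the OWA logon pages.
    if stem.endswith(".aspx"):
        name = stem.rsplit("/", 1)[-1]
        if stem.startswith("/aspnet_client/") or (
            stem.startswith("/owa/auth/") and name not in OWA_AUTH_KNOWN_ASPX
        ):
            hits.append("possible_webshell_request")
    return hits


def hunt(text):
    """Run every rule over every request and return the findings."""
    findings = []
    for entry in parse_iis_log(text):
        for rule in classify(entry):
            findings.append({
                "rule": rule,
                "time": f"{entry['date']} {entry['time']}",
                "c-ip": entry["c-ip"],
                "request": f"{entry['cs-method']} {entry['cs-uri-stem']}?{entry['cs-uri-query']}",
            })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_IIS_LOG):
        print(f"{f['time']} {f['c-ip']} {f['rule']}: {f['request']}")
```

Pointed at the real `u_ex*.log` files under `%SystemDrive%\inetpub\logs\LogFiles\`, the same rules surface the exploitation and web shell traffic that precedes the Bughatch and Cobalt Strike stages described here; any .aspx that matches the third rule should be pulled from disk and examined rather than trusted because of its filename.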

The backdoors planted include Cobalt Strike or the NetSupport Manager remote access tool, although the group also uses its own 'Bughatch', 'Wedgecut', 'eck.exe', and 'Burntcigar' tools:
  • Wedgecut comes in the form of an executable named "check.exe," a reconnaissance tool that enumerates Active Directory through PowerShell.
  • Bughatch is a downloader that fetches PowerShell scripts and files from the C&C server. To evade detection, it is loaded into memory from a remote URL.
  • Burntcigar is a utility that terminates processes at the kernel level by exploiting a flaw in an Avast driver, which is bundled with the tool in a "bring your own vulnerable driver" (BYOVD) attack.

Finally, Termite is a memory-only dropper that downloads and loads the payloads above. This tool has also been observed in campaigns by several other threat groups, indicating that it is not used exclusively by Cuba operators.

The threat actors escalate privileges using account credentials stolen with the widely available Mimikatz and Wicker tools. They then run Wedgecut for network reconnaissance before moving laterally with RDP, SMB, PsExec, and Cobalt Strike. Termite then loads Bughatch, followed by Burntcigar, which disables security tools and clears the way for data exfiltration and file encryption. For exfiltration, the Cuba gang does not rely on cloud services but transfers everything to its own private infrastructure.

Changing Operations 

In May 2021, Cuba ransomware teamed up with the spammers behind the Hancitor malware to gain access to corporate networks via DocuSign-themed phishing emails. Since then, Cuba's operations have shifted toward exploiting vulnerabilities in public-facing services, such as the Microsoft Exchange ProxyShell and ProxyLogon flaws. Because security updates fixing these vulnerabilities have been available for months, the shift makes the attacks more effective against organizations that lag on patching but also easier to prevent.

Once there are no more valuable targets running unpatched Microsoft Exchange servers, the Cuba operation will likely turn to other vulnerabilities. Applying security updates as soon as vendors release them therefore remains critical to maintaining a strong security posture against even the most sophisticated threat actors.