Threat actors associated with the Cuba ransomware have been linked to previously undocumented tactics, techniques and procedures (TTPs), including a new remote access trojan called ROMCOM RAT on compromised systems.
The new findings come from Palo Alto Networks’ Unit 42 threat intelligence team, which is tracking the double extortion ransomware group under the constellation-themed moniker Tropical Scorpius.
Cuba ransomware (aka COLDDRAW), which was first detected in December 2019, reemerged on the threat landscape in November 2021 and has been attributed to attacks against 60 entities in five critical infrastructure sectors, amassing at least $43.9 million in ransom payments.
Of the 60 victims listed on its data leak site, 40 are located in the U.S., indicating a not as global distribution of targeted organizations as other ransomware gangs.
“Cuba ransomware is distributed through Hancitor malware, a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto victims’ networks,” according to a December 2021 alert from the U.S. Federal Bureau of Investigation (FBI).
“Hancitor malware actors use phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools to gain initial access to a victim’s network.”
In the intervening months, the ransomware operation has received an upgrade with an aim to “optimize its execution, minimize unintended system behavior, and provide technical support to the ransomware victims if they choose to negotiate,” per Trend Micro.
Chief among the changes encompassed terminating more processes before encryption (viz Microsoft Outlook, Exchange, and MySQL), expanding the file types to be excluded, and revision to its ransom note to offer victim support via quTox.
Tropical Scorpius is also believed to share connections with a data extortion marketplace called Industrial Spy, as reported by Bleeping Computer in May 2022, with the exfiltrated data following a Cuba ransomware attack posted for sale on the illicit portal instead of its own data leak site.
The latest updates observed by Unit 42 in May 2022 has to do with the defense evasion tactics employed prior to the deployment of the ransomware to fly under the radar and move laterally across the compromised IT environment.
“Tropical Scorpius leveraged a dropper that writes a kernel driver to the file system called ApcHelper.sys,” the company noted. “This targets and terminates security products. The dropper was not signed, however, the kernel driver was signed using the certificate found in the LAPSUS$ NVIDIA leak.”
The main task of the kernel driver is to terminate processes associated with security products so as to bypass detection. Also incorporated in the attack chain is a local privilege escalation tool downloaded from a remote server to gain SYSTEM permissions.
This, in turn, is achieved by triggering an exploit for CVE-2022-24521 (CVSS score: 7.8), a flaw in the Windows Common Log File System (CLFS) that was patched by Microsoft as a zero-day flaw in April 2022.
The privilege escalation step is followed by carrying out system reconnaissance and lateral movement activities through tools like ADFind and Net Scan, while also using a ZeroLogon utility that exploits CVE-2020-1472 to gain domain administrator rights.
Furthermore, the intrusion paves the way for the deployment of a novel backdoor called ROMCOM RAT, which is equipped to start a reverse shell, delete arbitrary files, upload data to a remote server, and harvest a list of running processes.
The remote access trojan, per Unit 42, is said to be under active development, as the cybersecurity firm discovered a second sample uploaded to the VirusTotal database on June 20, 2022.
The improved variant comes with support for a broadened set of 22 commands, counting the ability to download bespoke payloads to capture screenshots as well as extract a list of all installed applications to send back to the remote server.
“Tropical Scorpius remains an active threat,” the researchers said. “The group’s activity makes it clear that an approach to tradecraft using a hybrid of more nuanced tools focusing on low-level Windows internals for defense evasion and local privilege escalation can be highly effective during an intrusion.
The findings come as emerging ransomware groups such as Stormous, Vice Society, Luna, SolidBit, and BlueSky are continuing to proliferate and evolve in the cybercrime ecosystem, at the same using advanced encryption techniques and delivery mechanisms.
SolidBit stands out for its targeting of users of popular video games and social media platforms by masquerading as different applications like a League of Legends account checker tool and tools like Social Hacker and Instagram Follower Bot, allowing the actors to cast a wide net of potential victims.
“SolidBit ransomware is compiled using .NET and is actually a variant of Yashma ransomware, also known as Chaos,” Trend Micro noted in a write-up last week.
“It’s possible that SolidBit’s ransomware actors are currently working with the original developer of Yashma ransomware and likely modified some features from the Chaos builder, later rebranding it as SolidBit.”
BlueSky, for its part, is known to utilize multithreading to encrypt files on the host for faster encryption, not to mention adopt anti-analysis techniques to obfuscate its appearance.
The ransomware payload, which kicks off with the execution of a PowerShell script retrieved from an attacker-controlled server, also disguises itself as a legitimate Windows application (“javaw.exe”).
“Ransomware authors are adopting modern advanced techniques such as encoding and encrypting malicious samples, or using multi-staged ransomware delivery and loading, to evade security defenses,” Unit 42 noted.
“BlueSky ransomware is capable of encrypting files on victim hosts at rapid speeds with multithreaded computation. In addition, the ransomware adopts obfuscation techniques, such as API hashing, to slow down the reverse engineering process for the analyst.”