Threat actors associated with the Cuba ransomware have been linked to previously undocumented tactics, techniques and procedures (TTPs), including a new remote access trojan called ROMCOM RAT on compromised systems.
Cuba ransomware (aka COLDDRAW), which was first detected in December 2019, reemerged on the threat landscape in November 2021 and has been attributed to attacks against 60 entities in five critical infrastructure sectors, amassing at least $43.9 million in ransom payments.
Of the 60 victims listed on its data leak site, 40 are located in the U.S., indicating a less global distribution of targeted organizations than that of other ransomware gangs.
“Cuba ransomware is distributed through Hancitor malware, a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto victims’ networks,” according to a December 2021 alert from the U.S. Federal Bureau of Investigation (FBI).
“Hancitor malware actors use phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools to gain initial access to a victim’s network.”
In the intervening months, the ransomware operation received substantial upgrades with an aim to “optimize its execution, minimize unintended system behavior, and provide technical support to the ransomware victims if they choose to negotiate,” Trend Micro noted in June.
Chief among the changes were terminating more processes before encryption (viz. Microsoft Outlook, Exchange, and MySQL), expanding the file types to be excluded, and revising its ransom note to offer victim support via quTox.
Tropical Scorpius (the name under which Palo Alto Networks Unit 42 tracks the operators) is also believed to share connections with a data extortion marketplace called Industrial Spy, as reported by Bleeping Computer in May 2022, with the data exfiltrated in a Cuba ransomware attack posted for sale on the illicit portal instead of on the group’s own data leak site.
The latest updates observed by Unit 42 in May 2022 have to do with the defense evasion tactics employed prior to the deployment of the ransomware to fly under the radar and move laterally across the compromised IT environment.
“Tropical Scorpius leveraged a dropper that writes a kernel driver to the file system called ApcHelper.sys,” the company said. “This targets and terminates security products. The dropper was not signed, however, the kernel driver was signed using the certificate found in the LAPSUS$ NVIDIA leak.”
The main task of the kernel driver is to terminate processes associated with security products so as to bypass detection. Also incorporated into the attack chain is a local privilege escalation tool downloaded from a remote server to gain SYSTEM permissions.
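The driver described above is loadable precisely because its signature chains to a certificate Windows still trusts, so a defender cannot rely on signature validity alone. The following is an added example (hypothetical detection logic written for this article, not Unit 42's or any vendor's code) that triages Sysmon-style DriverLoad (Event ID 6) records: it flags a driver whose signer subject matches the leaked NVIDIA certificates but whose file name is not an expected NVIDIA driver, a driver loaded from outside the standard driver directory, and any signature status other than Valid. The signer subject "NVIDIA Corporation", the allowlist, and all sample events are assumptions constructed for the example; a production rule would also pin the leaked certificates' thumbprints, which are not reproduced here.

```python
"""Triage Sysmon-style DriverLoad events for drivers signed with a leaked
vendor certificate.  Added example for this article; not Unit 42's code.
Field names follow Sysmon Event ID 6 (ImageLoaded, Signature,
SignatureStatus, Hashes); every event below is constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Subject on the code-signing certificates exposed in the LAPSUS$ NVIDIA leak
# (assumption: matching on the subject string is a heuristic; pin the real
# certificate thumbprints in production, placeholder kept here).
LEAKED_SIGNER_SUBJECT = "nvidia corporation"
LEAKED_CERT_THUMBPRINTS = {"<LEAKED_CERT_THUMBPRINT_PLACEHOLDER>"}

# Constructed allowlist of NVIDIA drivers expected on the fleet; build the
# real one from a golden image rather than from this list.
KNOWN_NVIDIA_DRIVERS = {"nvlddmkm.sys", "nvhda64v.sys"}

STANDARD_DRIVER_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")


@dataclass
class DriverLoad:
    image_loaded: str       # ImageLoaded
    signature: str          # Signature (signer subject)
    signature_status: str   # SignatureStatus
    sha256: str             # SHA256 taken from the Hashes field


def triage(event: DriverLoad) -> list[str]:
    """Return the reasons this driver load deserves analyst attention.
    An empty list means nothing in this heuristic set fired."""
    reasons: list[str] = []
    path = PureWindowsPath(event.image_loaded)
    name = path.name.lower()

    if event.signature.strip().lower() == LEAKED_SIGNER_SUBJECT \
            and name not in KNOWN_NVIDIA_DRIVERS:
        reasons.append("signed by leaked-certificate subject but not a known NVIDIA driver")
    if event.signature_status.strip().lower() != "valid":
        reasons.append(f"signature status is {event.signature_status!r}")
    # PureWindowsPath compares case-insensitively, as Windows does.
    if path.parent != STANDARD_DRIVER_DIR:
        reasons.append(f"loaded from non-standard directory {path.parent}")
    return reasons


def triage_all(events: list[DriverLoad]) -> dict[str, list[str]]:
    """Map each image path to its reasons, keeping only events that fired."""
    return {e.image_loaded: r for e in events if (r := triage(e))}


# Constructed sample telemetry (hashes are placeholders, not real IoCs).
SAMPLE_EVENTS = [
    DriverLoad(r"C:\Windows\Temp\ApcHelper.sys", "NVIDIA Corporation", "Valid", "0" * 64),
    DriverLoad(r"C:\Windows\System32\drivers\nvlddmkm.sys", "NVIDIA Corporation", "Valid", "1" * 64),
    DriverLoad(r"C:\Windows\System32\drivers\kmtoolkit.sys", "Contoso Ltd", "Expired", "2" * 64),
]

if __name__ == "__main__":
    for image, reasons in triage_all(SAMPLE_EVENTS).items():
        print(image)
        for reason in reasons:
            print("   -", reason)
```

The ApcHelper.sys sample fires on both the signer heuristic and the load path; the genuine nvlddmkm.sys load is silent, which is what keeps such a rule usable on hosts that legitimately run NVIDIA drivers.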
This, in turn, is achieved by triggering an exploit for CVE-2022-24521 (CVSS score: 7.8), a flaw in the Windows Common Log File System (CLFS) that was patched by Microsoft as a zero-day in April 2022.
The privilege escalation step is followed by system reconnaissance and lateral movement activities carried out through tools like ADFind and Net Scan, while also using a ZeroLogon utility that exploits CVE-2020-1472 to gain domain administrator rights.
Furthermore, the intrusion paves the way for the deployment of a novel backdoor called ROMCOM RAT, which is equipped to start a reverse shell, delete arbitrary files, upload data to a remote server, and harvest a list of running processes.
The remote access trojan, per Unit 42, is said to be under active development, as the cybersecurity firm discovered a second sample uploaded to the VirusTotal database on June 20, 2022.
The improved variant comes with support for an expanded set of 22 commands, including the ability to download bespoke payloads to capture screenshots as well as to extract a list of all installed applications to send back to the remote server.
“Tropical Scorpius remains an active threat,” the researchers said. “The group’s activity makes it clear that an approach to tradecraft using a hybrid of more nuanced tools focusing on low-level Windows internals for defense evasion and local privilege escalation can be highly effective during an intrusion.”
The findings come as emerging ransomware groups such as Stormous, Vice Society, Luna, SolidBit, and BlueSky continue to proliferate and evolve in the cybercrime ecosystem, at the same time using advanced encryption techniques and delivery mechanisms.
SolidBit particularly stands out for its targeting of users of popular video games and social media platforms by masquerading as different applications like League of Legends account checker, Social Hacker, and Instagram Follower Bot, allowing the actors to cast a wide net of potential victims.
“It’s possible that SolidBit’s ransomware actors are currently working with the original developer of Yashma ransomware and likely modified some features from the Chaos builder, later rebranding it as SolidBit.”
BlueSky, for its part, is known to utilize multithreading to encrypt files on the host for faster encryption, not to mention adopt anti-analysis techniques to obfuscate its appearance.
The ransomware payload, which kicks off with the execution of a PowerShell script retrieved from an attacker-controlled server, also disguises itself as a legitimate Windows application (“javaw.exe”).
“Ransomware authors are adopting modern advanced techniques such as encoding and encrypting malicious samples, or using multi-staged ransomware delivery and loading, to evade security defenses,” Unit 42 noted.
“BlueSky ransomware is capable of encrypting files on victim hosts at rapid speeds with multithreaded computation. In addition, the ransomware adopts obfuscation techniques, such as API hashing, to slow down the reverse engineering process for the analyst.”
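API hashing slows analysis because the import table and the strings of the binary no longer name the Windows functions the sample calls; the analyst instead sees 32-bit constants that are compared against hashes computed over export names at run time. The usual counter is to precompute the same hashes over known export names and resolve the constants by lookup. The following is an added example written for this article (not BlueSky's code and not any published tool): it implements two hash schemes commonly seen in malware, ROR13 and DJB2, picks whichever scheme resolves the most of a given set of unknown constants, and returns the mapping. The choice of these two schemes is an assumption; the article does not state which scheme BlueSky uses, and the export list and the "unknown" constants are constructed sample data, not values taken from a real sample.

```python
"""Resolve API-hashed constants back to Windows export names.
Added example for this article, not BlueSky's code.  ROR13 and DJB2 are
assumed as candidate schemes; the export list and the constants below are
constructed sample data rather than values recovered from a real sample."""
from __future__ import annotations

from typing import Callable, Dict, Iterable, Tuple

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by count bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_hash(name: str) -> int:
    """Classic ROR13 accumulate: h = ror(h, 13) + byte, per character."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


def djb2_hash(name: str) -> int:
    """DJB2: h = h * 33 + byte, seeded with 5381."""
    h = 5381
    for byte in name.encode("ascii"):
        h = ((h << 5) + h + byte) & MASK32
    return h


ALGORITHMS: Dict[str, Callable[[str], int]] = {
    "ror13": ror13_hash,
    "djb2": djb2_hash,
}


def build_table(names: Iterable[str], algo: Callable[[str], int]) -> Dict[int, str]:
    """Precompute hash -> export name for one scheme."""
    return {algo(n): n for n in names}


def identify_scheme(unknown: Iterable[int], names: Iterable[str]) -> Tuple[str, Dict[int, str]]:
    """Try every candidate scheme and return (scheme, resolved) for the one
    that explains the most constants.  Unresolved constants are omitted."""
    unknown = list(unknown)
    names = list(names)
    best_name, best_map = "", {}
    for algo_name, algo in ALGORITHMS.items():
        table = build_table(names, algo)
        resolved = {h: table[h] for h in unknown if h in table}
        if len(resolved) > len(best_map):
            best_name, best_map = algo_name, resolved
    return best_name, best_map


# Constructed export list; an analyst would instead walk the export tables of
# kernel32.dll, advapi32.dll and friends from a clean Windows install.
SAMPLE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileW",
    "WriteFile", "FindFirstFileW", "FindNextFileW", "CreateThread",
    "CryptEncrypt",
]

# Constructed "unknown" constants standing in for values read from the
# disassembly; three are ROR13 hashes of real exports, one is noise.
SAMPLE_UNKNOWN = [
    ror13_hash("CreateFileW"),
    ror13_hash("WriteFile"),
    ror13_hash("FindFirstFileW"),
    0xDEADBEEF,
]

if __name__ == "__main__":
    scheme, resolved = identify_scheme(SAMPLE_UNKNOWN, SAMPLE_EXPORTS)
    print(f"best scheme: {scheme}")
    for h in SAMPLE_UNKNOWN:
        print(f"  {h:#010x} -> {resolved.get(h, '<unresolved>')}")
```

Resolution is only as good as the export list, so an unresolved constant usually means either a DLL you have not hashed yet or a scheme variant (different rotate count, an added seed, case folding) that the sample uses; adding a new entry to ALGORITHMS is the intended extension point.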