Threat actors associated with the Cuba ransomware have been linked to previously undocumented tactics, techniques and procedures (TTPs), including a new remote access trojan called ROMCOM RAT on compromised systems.
The new findings come from Palo Alto Networks’ Unit 42 threat intelligence team, which is tracking the double extortion ransomware group under the constellation-themed moniker Tropical Scorpius.
Cuba ransomware (aka COLDDRAW), which was first detected in December 2019, reemerged on the threat landscape in November 2021 and has been attributed to attacks against 60 entities in five critical infrastructure sectors, amassing at least $43.9 million in ransom payments.
Of the 60 victims listed on its data leak site, 40 are located in the U.S., indicating a less global distribution of targeted organizations than other ransomware gangs.
“Cuba ransomware is distributed through Hancitor malware, a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto victims’ networks,” according to a December 2021 alert from the U.S. Federal Bureau of Investigation (FBI).
“Hancitor malware actors use phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools to gain initial access to a victim’s network.”
In the intervening months, the ransomware operation has received an upgrade with the aim to “optimize its execution, minimize unintended system behavior, and provide technical support to the ransomware victims if they choose to negotiate,” per Trend Micro.
Chief among the changes were terminating more processes before encryption (viz. Microsoft Outlook, Exchange, and MySQL), expanding the file types to be excluded, and revising its ransom note to offer victim support via quTox.
Tropical Scorpius is also believed to share connections with a data extortion marketplace called Industrial Spy, as reported by Bleeping Computer in May 2022, with the data exfiltrated during a Cuba ransomware attack posted for sale on the illicit portal instead of on the group’s own data leak site.
The latest updates observed by Unit 42 in May 2022 have to do with the defense evasion tactics employed prior to the deployment of the ransomware to fly under the radar and move laterally across the compromised IT environment.
“Tropical Scorpius leveraged a dropper that writes a kernel driver to the file system called ApcHelper.sys,” the company said. “This targets and terminates security products. The dropper was not signed, however, the kernel driver was signed using the certificate found in the LAPSUS$ NVIDIA leak.”
The main task of the kernel driver is to terminate processes associated with security products so as to bypass detection. Also incorporated in the attack chain is a local privilege escalation tool downloaded from a remote server to gain SYSTEM permissions.
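As an added defender-side check (not part of the Unit 42 report or this article), the following PowerShell inventories the kernel drivers registered on a Windows host and flags any whose Authenticode signer is an NVIDIA certificate, whose file name matches the ApcHelper.sys driver described above, or whose signature does not validate. The thumbprint list is a placeholder to be filled from a trusted threat-intelligence source; run it from an elevated prompt.

```powershell
# Hypothetical hunt script: flag kernel drivers worth a closer look after a
# driver-based security-product kill such as the one described above.
$SuspiciousNames       = @('ApcHelper.sys')
# Placeholder: insert the leaked-certificate thumbprints from a trusted source.
$SuspiciousThumbprints = @('<PLACEHOLDER_LEAKED_CERT_THUMBPRINT>')

$findings = foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
    # PathName may be empty, or prefixed with \??\ or \SystemRoot\; normalise it.
    if (-not $drv.PathName) { continue }
    $path = $drv.PathName -replace '^\\\?\?\\', '' `
                          -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig     = Get-AuthenticodeSignature -FilePath $path
    $cert    = $sig.SignerCertificate
    $reasons = @()

    if ($SuspiciousNames -contains (Split-Path -Path $path -Leaf)) {
        $reasons += 'file name matches reported driver'
    }
    if ($cert) {
        # Leaked certificates were NVIDIA-issued, so every NVIDIA-signed driver
        # merits review; legitimate ones normally live under DriverStore.
        if ($cert.Subject -match 'NVIDIA' -and $path -notmatch '\\DriverStore\\') {
            $reasons += 'NVIDIA-signed driver outside DriverStore'
        }
        if ($SuspiciousThumbprints -contains $cert.Thumbprint) {
            $reasons += 'signer thumbprint on watch list'
        }
    }
    if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Driver  = $drv.Name
            State   = $drv.State
            Path    = $path
            Signer  = if ($cert) { $cert.Subject } else { '<unsigned>' }
            Reasons = $reasons -join '; '
        }
    }
}

$findings | Sort-Object -Property Driver | Format-Table -AutoSize
```

A hit is a lead, not a verdict: confirm the signer chain and the file hash against vendor references before acting on it.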
This, in turn, is achieved by triggering an exploit for CVE-2022-24521 (CVSS score: 7.8), a flaw in the Windows Common Log File System (CLFS) that was patched by Microsoft as a zero-day in April 2022.
The privilege escalation step is followed by system reconnaissance and lateral movement activities carried out with tools like ADFind and Net Scan, while also using a ZeroLogon utility that exploits CVE-2020-1472 to gain domain administrator rights.
Furthermore, the intrusion paves the way for the deployment of a novel backdoor called ROMCOM RAT, which is equipped to start a reverse shell, delete arbitrary files, upload data to a remote server, and harvest a list of running processes.
The remote access trojan, per Unit 42, is said to be under active development, as the cybersecurity firm discovered a second sample uploaded to the VirusTotal database on June 20, 2022.
The improved variant comes with support for an expanded set of 22 commands, including the ability to download bespoke payloads to capture screenshots as well as extract a list of all installed applications to send back to the remote server.
“Tropical Scorpius remains an active threat,” the researchers said. “The group’s activity makes it clear that an approach to tradecraft using a hybrid of more nuanced tools focusing on low-level Windows internals for defense evasion and local privilege escalation can be highly effective during an intrusion.”
The findings come as emerging ransomware groups such as Stormous, Vice Society, Luna, SolidBit, and BlueSky continue to proliferate and evolve in the cybercrime ecosystem, at the same time using advanced encryption techniques and delivery mechanisms.
SolidBit stands out for its targeting of users of popular video games and social media platforms by masquerading as different applications like a League of Legends account checker tool and tools like Social Hacker and Instagram Follower Bot, allowing the actors to cast a wide net of potential victims.
“SolidBit ransomware is compiled using .NET and is actually a variant of Yashma ransomware, also known as Chaos,” Trend Micro noted in a write-up last week.
“It’s possible that SolidBit’s ransomware actors are currently working with the original developer of Yashma ransomware and likely modified some features from the Chaos builder, later rebranding it as SolidBit.”
BlueSky, for its part, is known to use multithreading to encrypt files on the host for faster encryption, and it also adopts anti-analysis techniques to obfuscate its appearance.
The ransomware payload, which kicks off with the execution of a PowerShell script retrieved from an attacker-controlled server, also disguises itself as a legitimate Windows application (“javaw.exe”).
“Ransomware authors are adopting modern advanced techniques such as encoding and encrypting malicious samples, or using multi-staged ransomware delivery and loading, to evade security defenses,” Unit 42 said.
“BlueSky ransomware is capable of encrypting files on victim hosts at rapid speeds with multithreaded computation. In addition, the ransomware adopts obfuscation techniques, such as API hashing, to slow down the reverse engineering process for the analyst.”
Some parts of this article are sourced from:
thehackernews.com