Palo Alto Networks reports that the operators of the Cuba ransomware began to use new tactics in their attacks, including the use of a previously unknown remote access trojan (remote access trojan, RAT) called ROMCOM.
In their report, the researchers talk about the Tropical Scorpius hack group, which, apparently, is a “partner” of the Cuba ransomware. Let me remind you that this ransomware has been known to security specialists since 2019. He was most active at the end of 2021, when he was linked to attacks on 60 organizations in five critical infrastructure sectors (including financial and public sector, healthcare, manufacturing and IT), as a result of which hackers received at least $ 43.9 million in the form of ransoms.
The last notable Cuba update was recorded in the first quarter of 2022, when malware operators switched to an updated version of the ransomware with finer settings and added quTox support to communicate with their victims.
As Palo Alto Networks analysts now say, the aforementioned Tropical Scorpius group uses a standard Cuba payload that hasn’t changed much since 2019. One of the few updates in 2022 involves the use of a legitimate but invalid Nvidia certificate (previously stolen from the company by Lapsus$ hackers) to sign the kernel driver, which is used in the initial stages of infection. The task of this driver is to detect processes belonging to security products and kill them to help attackers avoid detection.
Tropical Scorpius then uses a local privilege escalation tool based on an exploit for CVE-2022-24521, which was patched in April 2022. According to the researchers, this stage of the attack is clearly inspired by a detailed description of the problem from the security researcher Sergey Kornienko.
The next attack phase of Tropical Scorpius involves loading ADFind and Net Scan to perform a lateral move. Along with this evil The attackers deploy a tool on the victim’s network that helps them obtain cached Kerberos credentials. Hackers can also use the tool to exploit the notorious Zerologon vulnerability (CVE-2020-1472) to gain domain administrator privileges.
At the end of the attack, Tropical Scorpius operators finally deploy ROMCOM RAT malware on the victim network, which communicates with command and control servers via ICMP requests performed through Windows API functions.
ROMCOM RAT supports ten main commands:
- get information about the connected disk;
- get lists of files for the specified directory;
- run the reverse shell svchelper.exe in the %ProgramData% folder;
-
upload data to the management server as a ZIP file using IShellDispatch to copy files;
- download data and write to worker.txt in the %ProgramData% folder;
- delete the specified file;
- delete the specified directory;
- create a process with PID spoofing;
- process only the ServiceMain received from the control server and “sleep” for 120,000 ms;
- Traverse running processes and collect their IDs.
Experts note that Tropical Scorpius hackers compiled the latest version of ROMCOM and uploaded it to VirusTotal on June 20, 2022. This version contains ten additional commands, giving attackers more options for executing and downloading files, as well as terminating processes.
In addition, the new version supports receiving additional payloads from the C&C server, such as the Screenshooter screenshot tool.
The researchers conclude that with the advent of Tropical Scorpius, the Cuba ransomware is turning into a more serious threat, although in general this ransomware cannot boast of a large number of victims.