CISA Alert AA22-335A: Cuba Ransomware Analysis, Simulation, TTPs & IOCs

Keep up to date with latest blog posts

On December 1, 2022, CISA and FBI released a joint Cybersecurity Advisory (CSA) on Cuba ransomware [1]. Security researchers have track downed a new variant of the Cuba ransomware as Tropical Scorpius. This Cuba ransomware group mainly targets manufacturing, professional and legal services, financial services, construction, high technology, and healthcare sectors [2].

Picus Threat Library already had attack simulations for earlier variants of Cuba ransomware. Picus Labs swiftly added attack simulations for the newer variant of Cuba ransomware to Picus Threat Library. Now, you can test your security controls against Cuba ransomware attacks with Picus.

Start your 14-day free trial: Test your security against Cuba Ransomware!

Cuba Ransomware Group

The Cuba ransomware group started to show itself in early December 2019. Since then, developers of this ransomware have changed their Tactics, Techniques, and Procedures (TTPs) and tooling practices, making them one of the most prevalent threats of 2022. 

Security researchers of Palo Alto (Unit 42) tracked the threat actors behind the Cuba ransomware as Tropical Scorpius [2]. According to CISA, Cuba ransomware is usually distributed using the Hancitor malware through malicious attachments, working as a malware downloader. Cuba ransomware holders follow a double-extortion method, possibly inspired by the Maze and REvil actors, threatening their victims by publishing their sensitive information on their leak website.

The victimology reveals that Cuba ransomware group mainly target manufacturing, professional and legal services, financial services, construction, and high technology organizations in Europe, North America, and Asia. 

Cuba Ransomware Analysis and MITRE ATT&CK TTPs

Tactic: Initial Access

The ways of Cuba actors get initial access to their targets’ system show differences such as phishing campaigns (ATT&CK T1566), compromised valid account credentials (ATT&CK T1078), exploitation of known vulnerabilities in Microsoft Exchange Server such as ProxyShell and ProxyLogon (ATT&CK T1133), and built-in remote desktop protocol (RDP) tools. 

Tactic: Execution 

Upon getting the foothold, threat actors drop the Cuba ransomware and other malicious tools onto the target system using a malware loader (ATT&CK T1072), called Hancitor (a.k.a Chanitor or Tordal).

Tactic: Defense Evasion

Before deploying the ransomware, Tropical Scorpius leverage some tools and techniques to move across the compromised network without getting caught by the security controls. According to the Palo Alto researchers, Tropical Scorpius leverages a dropper (ATT&CK T1562.001) malware to write a kernel driver to the file system, ApcHelper.sys

First, the dropper deletes the file path of ApcHelper.sys through cmd.exe.

cmd.exe /c del /f /a /q %SYSTEMROOT%\system\ApcHelper.sys

Second, it creates a new service for the kernel driver.

sc create ApcHelper binPath= %SYSTEMROOT%\system\ApcHelper.sys type=kernel

Finally, the dropper copies the kernel driver onto the file type to terminate the processes of the security products such as Sophos, ALsvc, HMPAlert, McsAgent, SAVAAdminService, SapApi, SavService, SEDService, SSPService.

cmd.exe /c copy ApcHelper.sys %SYSTEMROOT%\system\ApcHelper.sys /Y

Further analysis reveals that while the dropper did not have any digital signature, adversaries signed the kernel driver with the RSA-SHA1 signature suit using the certificate leaked by the Lapsus$ threat actor in their NVIDIA [3] attack campaign. 

Tactic: Privilege Escalation (Local)

To escalate their privileges, Tropical Scorpius used PowerShell’s Invoke-WebRequest cmdlet to send HTTPS requests to a web page, tmpfiles[.]org. Upon that request, adversaries downloaded a malicious binary exploiting the CVE-2022-24521 vulnerability (a logic bug) in the Common Log File System (CLFS). This vulnerability allowed the attackers to perform code execution on the target system and elevate their privileges by using the stolen System tokens (ATT&CK T1134.001). 

Tactic: Lateral Movement

In addition to the malicious binary I talked about, Cuba ransomware group downloaded the ADNet and Net Scan tools from tmpfiles[.]org using the same PowerShell cmdlet. Then, it runs a particular PowerShell script, GetUserSPNs.ps1, to identify which user accounts are used as service accounts. This is believed to be done to find out which user accounts are worth to be targeted for their Active Directory Kerberos ticket. Identifying these user accounts, attackers collected Kerberos tickets and cracked them offline using various tools via Kerberosting (ATT&CK T1558.003). 

In another scenario, adversaries leveraged another technique for credential theft. This time, Tropical Scorpius used a custom hacktool, which is named KerberCache by Unit 42, matching the functionality of the hacktool. This tool was used to extract the cached Kerberos tickets from a host’s Local Security Authority Server Service (LSASS) memory (ATT&CK T1003.001). Upon retrieving the cached Kerberos tickets, tickets are passed to a function to get encoded in Base64 and get written into the working directory from which the KerberCache is executed. 

Figure 2. KerberCache is extracting Kerberos information [2].

Tactic: Privilege Escalation (Remote)

Tropical Scorpius downloaded another tool called Domain Admin from tmpfiles[.]org site using the Invoke-WebRequest cmdlet. The tool was masqueraded by a fake name, Filezilla. Analysis shows that in order to avoid and/or slow down the reverse engineering process, the Domain Admin tool was packed using the Anti-VM features of Themida. If it gets executed in a virtual machine, an alert pops up saying, “Sorry, this application cannot run under a Virtual Machine.” 

Another hacktool leveraged by the Cuba holders is the ZeroLogon hacktool. Attackers used the ZeroLogon to exploit the CVE-2020-1472 vulnerability to gain Domain Administrative privileges (ATT&CK T1068). It is important to note that the ZeroLogon tool has become quite popular among other malware families. In fact, it is reported to be related to Hancitor and Qbot.  

Tactic: Command and Control

Prior to the deployment of the Cuba ransomware and encryption process, adversaries deployed a custom Remote Access Trojan (RAT)/backdoor called RomCom RAT that contains a unique C2 protocol. 

In addition, they deployed Meterpreter Reverse Shell HTTP/HTTPS proxy for network communication between the C2 server and the target host (ATT&CK T1090).

Tactic: Impact

Even though Tropical Scorpius threat actors are continuously developing and updating their TTPs and tooling, the Cuba Ransomware payload has not changed much. Payload still uses the ChaCha encryption algorithm for file encryption and the asymmetric encryption algorithm RSA for key encryption. Each encrypted file is prepended with a header containing the magic value FIDEL.CA.

Figure 3. FIDEL.CA magic value in an encrypted file’s 1024-byte header [2].

Below, you can find the terminated services and processes and the directories avoided by the Cuba ransomware on the run time.

Terminated Services and Processes

MySQL

MySQL82SQLSERVERAGENT

MSSQLSERVER

SQLBrowser

SQLWriter

SQLTELEMETRY

MSDTC

sqlagent.exe

sqlservr.exe

sqlwriter.exe

sqlceip.exe

msdtc.exe

sqlbrowser.exe

vmcompute

vmms

vmwp.exe

vmsp.exe

outlook.exe

MSExchangeUMCR

MSExchangeUM

MSExchangeTransportLogSearch

MSExchangeTransport

MSExchangeThrottling

MSExchangeSubmission

MSExchangeServiceHost

MSExchangeRPC

MSExchangeRepl

MSExchangePOP3BE

MSExchangePop3

MSExchangeNotificationsBroker

MSExchangeMailboxReplication

MSExchangeMailboxAssistants

MSExchangeIS

MSExchangeIMAP4BE

MSExchangeImap4

MSExchangeHMRecovery

MSExchangeHM

MSExchangeFrontEndTransport

MSExchangeFastSearch

MSExchangeEdgeSync

MSExchangeDiagnostics

MSExchangeDelivery

MSExchangeDagMgmt

MSExchangeCompliance

MSExchangeAntispamUpdate

Microsoft.Exchange.Store.Worker.exe

   

 

Avoided Directories

\windows\

\program files\microsoft office\

\program files (x86)\microsoft office\

\program files\avs\

\program files (x86)\avs\

\$recycle.bin\

\boot\

\recovery\

\system volume information\

\msocache\

\users\all users\

\users\default user\

\users\default\

\temp\

\inetcache\

\inetcache\

After the encryption, a ransom note gets dropped onto the target’s machine, instructing their victim how to communicate with them. 


Figure 4. A ransom note dropped by the Cuba Ransomware [1].

How is Cuba Ransomware Related to Industrial Spy Market?

In May 2022, security researchers reported that a dark web forum called Industrial Spy, famous for selling stolen data of breached organizations has announced that it is moving into a Ransomware-as-a-Service (RaaS) model [4]. Further analysis shows that the ransom note used by the Industrial Spy uses the same contact information as Cuba ransomware does. It is also observed that Cuba uses the Industrial Spy to sell the data that is exfiltrated from their victim’s systems.

For now, even though the link between the Cuba ransomware and the Industrial Spy is unclear, security researchers believe that there is more than what we see on the surface [2].

How Picus Helps Simulate Cuba Ransomware Attacks?

Picus Labs already had threats for the Cuba ransomware used in the attack campaign that happened in 2021. 

Now, the Picus Threat Library includes the latest variant of Cuba ransomware. We strongly suggest simulating Cuba ransomware attacks to test the effectiveness of your security controls against ransomware attacks using the Picus Complete Security Validation Platform. You can test your defenses against Cuba ransomware and many other ransomware families within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Cuba ransomware

Threat ID

Action Name

Attack Module

61818

Cuba Ransomware Campaign 2022

Endpoint

42769

Cuba Ransomware Email Threat 

E-mail Infiltration

48463

Cuba Ransomware Download Threat

Network Infiltration

Indicators of Compromises (IOCs)

SHA-256

   

f1103e627311e73d5f29e877243e7ca203292f9419303c661aec57745eb4f26c

02a733920c7e69469164316e3e96850d55fca9f5f9d19a241fad906466ec8ae8

bff4dd37febd5465e0091d9ea68006be475c0191bd8c7a79a44fbf4b99544ef1

a7c207b9b83648f69d6387780b1168e2f1eabd23ae6e162dd700ae8112f8b96c

857f28b8fe31cf5db6d45d909547b151a66532951f26cda5f3320d2d4461b583

ecefd9bb8b3783a81ab934b44eb3d84df5e58f0289f089ef6760264352cf878a

141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944

08eb4366fc0722696edb03981f00778701266a2e57c40cd2e9d765bf8b0a34d0

db3b1f224aec1a7c58946d819d729d0903751d1867113aae5cca87e38c653cf4

0cf6399db55d40bc790a399c6bbded375f5a278dc57a143e4b21ea3f402f551f

f8144fa96c036a8204c7bc285e295f9cd2d1deb0379e39ee8a8414531104dc4a

74fbf3cc44dd070bd5cb87ca2eed03e1bbeec4fec644a25621052f0a73abbe84

f5db51115fa0c910262828d0943171d640b4748e51c9a140d06ea81ae6ea1710

88d13669a994d2e04ec0a9940f07ab8aab8563eb845a9c13f2b0fec497df5b17

b160bd46b6efc6d79bfb76cf3eeacca2300050248969decba139e9e1cbeebf53

0f385cc69a93abeaf84994e7887cb173e889d309a515b55b2205805bdfe468a3

0d5e3483299242bf504bd3780487f66f2ec4f48a7b38baa6c6bc8ba16e4fb605

f869e8fbd8aa1f037ad862cf6e8bbbf797ff49556fb100f2197be4ee196a89ae

7e00bfb622072f53733074795ab581cf6d1a8b4fc269a50919dda6350209913c

af4523186fe4a5e2833bbbe14939d8c3bd352a47a2f77592d8adcb569621ce02

0c2ffed470e954d2bf22807ba52c1ffd1ecce15779c0afdf15c292e3444cf674

8a3d71c668574ad6e7406d3227ba5adc5a230dd3057edddc4d0ec5f8134d76c3

4306c5d152cdd86f3506f91633ef3ae7d8cf0dd25f3e37bec43423c4742f4c42

310afba59ab8e1bda3ef750a64bf39133e15c89e8c7cf4ac65ee463b26b136ba

3d4502066a338e19df58aa4936c37427feecce9ab8d43abff4a7367643ae39ce

f538b035c3de87f9f8294bec272c1182f90832a4e86db1e47cbb1ab26c9f3a0b

b5d202456ac2ce7d1285b9c0e2e5b7ddc03da1cbca51b5da98d9ad72e7f773b8

fd87ca28899823b37b2c239fbbd236c555bcab7768d67203f86d37ede19dd975

1817cc163482eb21308adbd43fb6be57fcb5ff11fd74b344469190bb48d8163b

1f842f84750048bb44843c277edeaa8469697e97c4dbf8dc571ec552266bec9f

61971d3cbf88d6658e5209de443e212100afc8f033057d9a4e79000f6f0f7cc4

c646199a9799b6158de419b1b7e36b46c7b7413d6c35bf ffaeaa8700b2dcc427

1b943afac4f476d523310b8e3afe7bca761b8cbaa9ea2b9f01237ca4652fc834

bd270853db17f94c2b8e4bd9fa089756a147ed45cbc44d6c2b0c78f361978906

0afed8d1b7c36008de188c20d7f0e2283251a174261547aab7fb56e31d767666

e0d89c88378dcb1b6c9ce2d2820f8d773613402998b8dcdb024858010dec72ed

571f8db67d463ae80098edc7a1a0cad59153ce6592e42d370a45df46f18a4ad8

10a5612044599128981cb41d71d7390c15e7a2a0c2848 ad751c3da1cbec510a2

1807549af1c8fdc5b04c564f4026e41790c554f339514d3 26f8b55cb7b9b4f79

01242b35b6def71e42cc985e97d618e2fabd616b16d23f7081d575364d09ca74

952b34f6370294c5a0bb122febfaa80612fef1f32eddd48a3d0556c4286b7474

9aa1f37517458d635eae4f9b43cb4770880ea0ee171e7e4ad155bbdee0cbe732

3a8b7c1fe9bd9451c0a51e4122605efc98e7e4e13ed117139a13e4749e211ed0

 

 

References

[1] “#StopRansomware: Cuba Ransomware”. https://www.cisa.gov/uscert/sites/default/files/publications/aa22-335a-stopransomware-cuba-ransomware.pdf. [Accessed: Dec. 08, 2022]

[2] D. Santos, “Novel News on Cuba Ransomware: Greetings From Tropical Scorpius,” Unit 42, Aug. 09, 2022.  https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/. [Accessed: Dec. 07, 2022]

[3] Unit, “Threat Brief: Lapsus$ Group,” Unit 42, Mar. 24, 2022. https://unit42.paloaltonetworks.com/lapsus-group/. [Accessed: Dec. 07, 2022]

[4] L. Abrams, “Industrial Spy data extortion market gets into the ransomware game,” BleepingComputer, May 26, 2022.  https://www.bleepingcomputer.com/news/security/industrial-spy-data-extortion-market-gets-into-the-ransomware-game/. [Accessed: Dec. 07, 2022]

Subscribe

Keep up to date with latest blog posts