Cuba Ransomware Detection: Tropical Scorpius Threat Actors Deploy Novel RAT Malware in Targeted Attacks

Cuba Ransomware Resurfaces

High-profile ransomware attacks illustrate a growing trend in the cyber threat arena in 2021-2022, with the majority of ransomware affiliates engaged in various ransomware-as-a-service (RaaS) programs. In May 2022, cybersecurity researchers noticed novel adversary campaigns deploying Cuba ransomware attributed to the malicious activity of a hacking group tracked as Tropical Scorpius. In these latest attacks, threat actors apply new TTPs and enhance their adversary toolkit with the use of new malware dubbed ROMCOM RAT and novel malicious tools — a Kerberos tool known as KerberCache and a sophisticated local privilege escalation tool.

Detect Cuba Ransomware

Since the ransomware landscape is enriched with more sophisticated TTPs, cybersecurity practitioners are striving to be one step ahead of attackers to combat the escalating threats. SOC Prime’s Detection as Code platform curates a set of newly released Sigma rules to help cyber defenders proactively defend against actively evolving Cuba ransomware attacks launched by the Tropical Scorpius hackers. All detections can be used across industry-leading SIEM, EDR, and XDR solutions and are aligned with the MITRE ATT&CK® framework

Follow the links below to instantly gain access to the dedicated Sigma rules right from SOC Prime’s Cyber Threats Search Engine and explore relevant contextual information. These detection algorithms are crafted by our prolific Threat Bounty Program developers, including Nattatorn Chuensangarun, Onur Atali, and Aung Kyaw Min Naing (N0lan). By joining SOC Prime’s Threat Bounty Program, Detection Engineers and Threat Hunters gain an opportunity to monetize their professional skills and receive recognition from industry experts through authoring high-quality detection content.  

Possible Cuba Ransomware Defense Evasion by Configuring Kernel Driver to File System (via process_creation)

This curated hunting query developed by Nattatorn Chuensangarun detects the suspicious Cuba ransomware activity leveraging a loader that writes a kernel driver to the file system named “ApcHelper.sys”. The detection addresses the Execution and Impact ATT&CK tactics with the corresponding Command and Scripting Interpreter (T1059)  and Service Stop (T1489) techniques. 

Possible Cuba Ransomware Execution by Detection of Associated Commands (via process_creation)

This threat hunting query crafted by Onur Atali identifies Cuba ransomware execution by the detection of associated commands and searches for the malicious DLL file used by the malware to transfer files to the C2 server. The Sigma rule addresses the following adversary tactics:

  • Execution — with its corresponding ATT&CK techniques, including Command and Scripting Interpreter (T1059) and User Execution (T1204)
  • Impact  — with Data Encrypted for Impact (T1486) and Disk Wipe (T1561) used as its primary techniques

Possible detection of cuba-ransomware-tropical-scorpius

This threat hunting Sigma-based rule detects the adversary activity of the Tropical Scorpius group, including the use of remote access Trojan C2 service execution path. The detection above addresses the Persistence and Execution tactics with the appropriate Create or Modify System Process (T1543) and System Services (T1569) techniques.

To confront current and emerging Cuba ransomware attacks, click the Detect & Hunt button below and reach the entire collection of dedicated Sigma rules. For streamlined threat investigation, non-registered SOC Prime users can also hit the Explore Threat Context button below and get to the list of context-enriched detection algorithms for Cuba ransomware detection accompanied by MITRE ATT&CK and CTI references and more relevant metadata.

Detect & Hunt Explore Threat Context

Cuba Ransomware Description

Based on the latest research by Unit 42 threat intelligence team, the Cuba ransomware family came on the scene at the end of 2019. Cuba ransomware (also known as COLDDRAW) was initially spread via Hancitor malware, which was commonly dropped via malicious attachments onto the impacted systems. Cuba ransomware maintainers under the moniker Tropical Scorpius, also identified as UNC2596, have been tracked exploiting vulnerabilities in Microsoft Exchange Server, including ProxyShell and ProxyLogon. In 2021, Cuba ransomware maintainers resurfaced, deploying SystemBC backdoor in their malicious campaigns, along with other notorious RaaS collectives, including DarkSide and Ryuk. 

Over the course of the group’s malicious campaigns tracing back to 2019, the Tropical Scorpius hackers have been evolving their TTPs to morph into a more severe threat in 2022. Cybersecurity researchers have uncovered that the above-referenced threat actors take advantage of sophisticated anti-analysis tools and techniques, including the use of a kernel driver loader targeting security products. In addition, the latest Cuba ransomware attacks involve the use of a local privilege escalation tool downloaded from a remote server by means of PowerShell code aimed to steal the System token. To achieve this, attackers exploit the Windows Common Log File System (CLFS) logic vulnerability tracked as CVE-2022-24521

Developers of Cuba ransomware also leverage multiple tools for system reconnaissance activities dropping them on compromised systems with shortened names to evade detection. Apart from using the popular hacktools for credential dumping like Mimikatz, the Tropical Scorpius threat actors also apply a new custom Kerberos tool tracked as KerberCache, and take advantage of a notorious ZeroLogon utility to exploit the CVE-2020-1472 security flaw and gain Domain Administrator rights. 

The adversary toolkit illustrating the latest Cuba ransomware operations is also enriched with a custom remote access Trojan (RAT) dubbed ROMCOM RAT, which contains a unique C2 protocol.

The rising trend in more advanced Cuba ransomware attacks throughout 2022 highlights the need for implementing proactive detection strategies to stay ahead of attackers. By joining SOC Prime’s Detection as Code platform, cyber defenders can boost threat detection capabilities and accelerate threat hunting velocity in a faster and more efficient way. Cybersecurity enthusiasts can also engage in the Threat Bounty Program to hone their Detection Engineering skills by authoring Sigma and YARA rules, sharing them with the industry peers, and earning financial benefits for their contributions.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts