Researchers from Unit42 has revealed that hackers are employing previously unseen TTP’s of the Cuba ransomware, including a novel RAT and a new local privilege escalation tool dubbed as Tropical Scorpius.
Its arsenal includes a new malware family that weaponize local privilege escalation exploit to SYSTEM, a Kerberos tool tracked as KerberCache, kernel driver for targeting security products, and identifying the use of the ZeroLogon hacktool.
The Tropical Scorpius uses double extortion alongside a leak site that exposes organizations that have been compromised.
Till last month, Tropical Scorpius has used Cuba Ransomware to impact 27 organizations across multiple sectors. A total of 60 organizations were exposed by this ransomware gang on its leak site since the group first surfaced in 2019 and ransomed atleast US$43.9.
The cryptographic algorithms are still taken from WolfSSL’s open source repository, specifically ChaCha for file encryption and RSA for key encryption which indicates the core primary payload remains the same.
Each encrypted file is prepended with an initial 1024-byte header, containing the magic value ‘FIDEL[dot]CA, likely about Fidel Castro and following the Cuba theme and followed by an RSA-4096 encrypted block containing the file-specific ChaCha key and nonce. Finally, the extension [dot]cuba is appended to the filename after successfully encrypting a file.
Tropical Scorpius threat actor leveraged tools like ADFind and Net Scan were downloaded from the web hosting platform tmpfiles[dot]org by using PowerShell’s Invoke-WebRequest. Both tools were dropped onto the same system with shortened names to obscure their purpose.
Tropical Scorpius remains an active threat, as the group’s activity makes it clear that an approach is using a hybrid tools focusing on low-level Windows internals. The move helps with defense evasion, and local privilege escalation can be highly effective during an intrusion.
It recommended that defenders should deploy advanced logging capabilities and appropriately configured, such as Sysmon, Windows Command Line logging, and PowerShell logging forwarding to SIEM to create queries and detection opportunities. Regular patching should be in place.
Indicators of Compromise
Privilege Escalation Tool: