Researchers from Unit42 has revealed that hackers are employing previously unseen TTP’s of the Cuba ransomware, including a novel RAT and a new local privilege escalation tool dubbed as Tropical Scorpius.
Its arsenal includes a new malware family that weaponize local privilege escalation exploit to SYSTEM, a Kerberos tool tracked as KerberCache, kernel driver for targeting security products, and identifying the use of the ZeroLogon hacktool.
The Tropical Scorpius uses double extortion alongside a leak site that exposes organizations that have been compromised.
Till last month, Tropical Scorpius has used Cuba Ransomware to impact 27 organizations across multiple sectors. A total of 60 organizations were exposed by this ransomware gang on its leak site since the group first surfaced in 2019 and ransomed atleast US$43.9.
The cryptographic algorithms are still taken from WolfSSL’s open source repository, specifically ChaCha for file encryption and RSA for key encryption which indicates the core primary payload remains the same.
Each encrypted file is prepended with an initial 1024-byte header, containing the magic value ‘FIDEL[dot]CA, likely about Fidel Castro and following the Cuba theme and followed by an RSA-4096 encrypted block containing the file-specific ChaCha key and nonce. Finally, the extension [dot]cuba is appended to the filename after successfully encrypting a file.
Tropical Scorpius threat actor leveraged tools like ADFind and Net Scan were downloaded from the web hosting platform tmpfiles[dot]org by using PowerShell’s Invoke-WebRequest. Both tools were dropped onto the same system with shortened names to obscure their purpose.
Tropical Scorpius remains an active threat, as the group’s activity makes it clear that an approach is using a hybrid tools focusing on low-level Windows internals. The move helps with defense evasion, and local privilege escalation can be highly effective during an intrusion.
It recommended that defenders should deploy advanced logging capabilities and appropriately configured, such as Sysmon, Windows Command Line logging, and PowerShell logging forwarding to SIEM to create queries and detection opportunities. Regular patching should be in place.
Indicators of Compromise
Driver Dropper:
- 07905de4b4be02665e280a56678c7de67652aee318487a44055700396d37ecd0
- af6561ad848aa1ba53c62a323de230b18cfd30d8795d4af36bf1ce6c28e3fd4e
- 24e018c8614c70c940c3b5fa8783cb2f67cb13f08112430a4d10013e0a324eaa
ZeroLogon Hacktool:
- ab5a3bbad1c4298bc287d0ac8c27790d68608393822da2365556ba99d52c5dfb
- 6866e82d0f6f6d8cf5a43d02ad523f377bb0b374d644d2f536ec7ec18fdaf576
- 3febf726ffb4f4a4186571d05359d2851e52d5612c5818b2b167160d367f722c
- 3a8b7c1fe9bd9451c0a51e4122605efc98e7e4e13ed117139a13e4749e211ed0
- 36bc32becf287402bf0e9c918de22d886a74c501a33aa08dcb9be2f222fa6e24
- 1450f7c85bfec4f5ba97bcec4249ae234158a0bf9a63310e3801a00d30d9abcc
Cuba Ransomware:
- 0a3517d8d382a0a45334009f71e48114d395a22483b01f171f2c3d4a9cfdbfbf
- 0eff3e8fd31f553c45ab82cc5d88d0105626d0597afa5897e78ee5a7e34f71b3
Privilege Escalation Tool:
- a4665231bad14a2ac9f2e20a6385e1477c299d97768048cb3e9df6b45ae54eb8
KerberCache Hacktool:
- cfe7b462a8224b2fbf2b246f05973662bdabc2c4e8f4728c9a1b977fac010c15
ROMCOM RAT:
- B5978cf7d0c275d09bedf09f07667e139ad7fed8f9e47742e08c914c5cf44a53
- 324ccd4bf70a66cc14b1c3746162b908a688b2b124ad9db029e5bd42197cfe99
- 3496e4861db584cc3239777e137f4022408fb6a7c63152c57e019cf610c8276e
Infrastructure:
- CombinedResidency[.]org
- optasko[.]com
