This report analyzes the Cuba ransomware group, tracked as Tropical Scorpius, and its Cuba ransomware variant, including the attack simulations added to the Picus Threat Library. It maps a wide set of TTPs from initial access to impact and notes the group's connections to the Industrial Spy data-extortion marketplace. #CubaRansomware #TropicalScorpius #Hancitor #IndustrialSpy #RomComRAT
Key points
- The Cuba ransomware group, identified as Tropical Scorpius, has used multiple TTPs and evolving tooling since 2019, targeting the manufacturing, services, finance, construction, technology, and healthcare sectors.
- Initial access often involves phishing campaigns, compromised credentials, Exchange vulnerabilities (ProxyShell/ProxyLogon), and remote desktop tools.
- Execution typically relies on a loader called Hancitor to drop the Cuba ransomware onto targets.
- Defense evasion includes a dropper that writes a kernel driver (ApcHelper.sys) to disk, deletes its file path, and creates a new service; the driver is RSA-SHA1 signed using material from the Lapsus$ leak.
- Privilege escalation leverages CVE-2022-24521 in CLFS and stolen system tokens, using PowerShell and web requests to download malicious binaries.
- Credential access and lateral movement involve Kerberos ticket theft (Kerberoasting, KerberCache), GetUserSPNs.ps1, and domain-privilege tools, including ZeroLogon (CVE-2020-1472) to obtain Domain Admin rights.
MITRE Techniques
- [T1566] Phishing – The Cuba actors employ phishing campaigns to gain initial access: “phishing campaigns (ATT&CK T1566)”.
- [T1078] Valid Accounts – They use compromised valid account credentials: “compromised valid account credentials (ATT&CK T1078)”.
- [T1133] External Remote Services – Exploitation of Exchange vulnerabilities (ProxyShell/ProxyLogon): “ProxyShell and ProxyLogon (ATT&CK T1133)”.
- [T1072] Software Deployment Tools – A malware loader (Hancitor) is dropped onto targets: “a malware loader (ATT&CK T1072), called Hancitor”.
- [T1562.001] Impair Defenses: Disable or Modify Tools – The dropper writes a kernel driver and deletes files to evade defenses: “write a kernel driver to the file system” and “First, the dropper deletes the file path”.
- [T1134.001] Access Token Manipulation – Privilege escalation uses stolen system tokens: “using the stolen System tokens (ATT&CK T1134.001)”.
- [T1558.003] Steal or Forge Kerberos Tickets: Kerberoasting – GetUserSPNs.ps1 identifies service accounts and Kerberoasting cracks the tickets offline: “Kerberos tickets and cracked them offline using various tools via Kerberoasting (ATT&CK T1558.003)”.
- [T1003.001] OS Credential Dumping: LSASS Memory – KerberCache extracts cached Kerberos tickets from LSASS memory: “from LSASS memory (ATT&CK T1003.001)”.
- [T1068] Exploitation for Privilege Escalation – ZeroLogon CVE-2020-1472 used to gain Domain Admin rights: “to gain Domain Administrative privileges (ATT&CK T1068)”.
- [T1090] Proxy – Command and control uses an HTTP/HTTPS proxy for C2 with RomCom RAT/Meterpreter: “C2 protocol” and “Meterpreter Reverse Shell HTTP/HTTPS proxy (ATT&CK T1090)”.
- [T1486] Data Encrypted for Impact – Cuba payload encrypts files with ChaCha and RSA, with a FIDEL.CA header: “ChaCha encryption algorithm … RSA” and “FIDEL.CA”.
Indicators of Compromise
- [SHA-256] sample hashes:
  - f1103e627311e73d5f29e877243e7ca203292f9419303c661aec57745eb4f26c
  - 02a733920c7e69469164316e3e96850d55fca9f5f9d19a241fad906466ec8ae8
  - bff4dd37febd5465e0091d9ea68006be475c0191bd8c7a79a44fbf4b99544ef1
  - a7c207b9b83648f69d6387780b1168e2f1eabd23ae6e162dd700ae8112f8b96c
  - 857f28b8fe31cf5db6d45d909547b151a66532951f26cda5f3320d2d4461b583
  - ecefd9bb8b3783a81ab934b44eb3d84df5e58f0289f089ef6760264352cf878a
  - 141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944
  - 08eb4366fc0722696edb03981f00778701266a2e57c40cd2e9d765bf8b0a34d0
  - db3b1f224aec1a7c58946d819d729d0903751d1867113aae5cca87e38c653cf4
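As an added example (not code from the report or from Picus), the following Python script turns the indicators above into a small host-side sweep: it validates the SHA-256 list, hashes every file under a directory against it, and flags files that begin with the "FIDEL.CA" marker the report associates with encrypted output. The page does not give the marker's byte layout, so treating it as a literal ASCII prefix is an assumption, and the demo directory it scans is constructed on the fly from harmless text rather than real samples.

```python
import hashlib
import os
import re
import tempfile

# SHA-256 indicators exactly as listed on the page for the Cuba ransomware samples.
CUBA_SAMPLE_SHA256 = {
    "f1103e627311e73d5f29e877243e7ca203292f9419303c661aec57745eb4f26c",
    "02a733920c7e69469164316e3e96850d55fca9f5f9d19a241fad906466ec8ae8",
    "bff4dd37febd5465e0091d9ea68006be475c0191bd8c7a79a44fbf4b99544ef1",
    "a7c207b9b83648f69d6387780b1168e2f1eabd23ae6e162dd700ae8112f8b96c",
    "857f28b8fe31cf5db6d45d909547b151a66532951f26cda5f3320d2d4461b583",
    "ecefd9bb8b3783a81ab934b44eb3d84df5e58f0289f089ef6760264352cf878a",
    "141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944",
    "08eb4366fc0722696edb03981f00778701266a2e57c40cd2e9d765bf8b0a34d0",
    "db3b1f224aec1a7c58946d819d729d0903751d1867113aae5cca87e38c653cf4",
}

# The page says encrypted files carry a "FIDEL.CA" header but gives no byte layout,
# so matching it as a literal ASCII prefix is an ASSUMPTION made for this example.
FIDEL_MARKER = b"FIDEL.CA"

_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def iocs_are_well_formed(hashes=CUBA_SAMPLE_SHA256):
    """Sanity-check an IoC set before use: every entry must be 64 lowercase hex chars."""
    return all(_SHA256_RE.match(h) for h in hashes)


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def has_fidel_header(path):
    """Return True if the file starts with the assumed FIDEL.CA marker bytes."""
    with open(path, "rb") as f:
        return f.read(len(FIDEL_MARKER)) == FIDEL_MARKER


def scan_tree(root, known_hashes=CUBA_SAMPLE_SHA256):
    """Walk `root` and return sorted (relative_path, reason) pairs for matching files.
    A hash match on a known sample is reported in preference to a header match."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if sha256_of_file(path) in known_hashes:
                    hits.append((os.path.relpath(path, root), "known_sample_hash"))
                elif has_fidel_header(path):
                    hits.append((os.path.relpath(path, root), "fidel_ca_header"))
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the sweep
    return sorted(hits)


def demo():
    """Build a constructed directory and scan it. The 'dropped binary' is a harmless
    text file whose own hash is added to the known set to exercise the hash-match path;
    the '.cuba' file is plain bytes behind the assumed marker. No real malware is used."""
    root = tempfile.mkdtemp(prefix="cuba_ioc_demo_")
    with open(os.path.join(root, "report.docx"), "wb") as f:
        f.write(b"PK\x03\x04 ordinary document bytes (constructed)")
    with open(os.path.join(root, "report.docx.cuba"), "wb") as f:
        f.write(FIDEL_MARKER + b"\x00" * 32 + b"constructed ciphertext")
    stand_in = os.path.join(root, "stage2.bin")
    with open(stand_in, "wb") as f:
        f.write(b"constructed stand-in for a dropped binary")
    known = CUBA_SAMPLE_SHA256 | {sha256_of_file(stand_in)}
    return scan_tree(root, known)


if __name__ == "__main__":
    for rel_path, reason in demo():
        print(f"{reason:18s} {rel_path}")
```

Run against a real share, `scan_tree("/mnt/share")` will only ever hit on the hash list for the exact binaries the report names; the header check is what gives coverage of the encrypted output, so confirm the marker layout against a sample in your own sandbox before relying on it.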