Don’t scratch a mosquito bite! Cuba ransomware deploys new malware

In December 2022, Kaspersky detected a suspicious incident on a client's system, uncovering three dubious files. These files triggered a sequence of actions that lead to loading the komar65 library, also known as BUGHATCH.

BUGHATCH is a sophisticated backdoor that deploys in process memory. It executes an embedded block of shellcode within the memory space allocated to it using the Windows API, which includes various functions. Subsequently, it connects to a Command and Control (C2) server, awaiting further instructions. It can receive commands to download software like Cobalt Strike Beacon and Metasploit. The use of Veeamp in the attack strongly suggests Cuba's involvement.

Notably, the PDB file references the "komar" folder, a Russian word for "mosquito", indicating the potential presence of Russian-speaking members within the group. Further analysis by Kaspersky unveiled additional modules distributed by the Cuba group, enhancing the malware's functionality. One such module is responsible for collecting system information, which is then sent to a server via HTTP POST requests.

Continuing their investigation, Kaspersky uncovered new malware samples attributed to the Cuba group on VirusTotal. Some of these samples had managed to evade detection by other security vendors. These samples represent fresh iterations of the BURNTCIGAR malware, employing encrypted data to evade antivirus detection.

“Our latest findings underscore the importance of access to the latest reports and threat intelligence. As ransomware gangs like Cuba evolve and refine their tactics, staying ahead of the curve is crucial to effectively mitigate potential attacks. With the ever-changing landscape of cyber threats, knowledge is the ultimate defense against emerging cybercriminals,” says Gleb Ivanov, a cybersecurity expert at Kaspersky.

Cuba is a single-file ransomware strain, challenging to detect due to its operation without additional libraries. This Russian-speaking group is known for its extensive reach and targets industries such as retail, finance, logistics, government, and manufacturing across North America, Europe, Oceania, and Asia. They employ a mix of public and proprietary tools, regularly updating their toolkit and using tactics like BYOVD (Bring Your Own Vulnerable Driver).

A hallmark of their operation is altering compilation timestamps to mislead investigators. For instance, some samples found in 2020 were had a compilation date of June 4, 2020, while the timestamps on newer versions were displayed as originating from June 19, 1992.Their unique approach involves not just encrypting data but also tailoring attacks to extract sensitive information, such as financial documents, bank records, company accounts, and source code. Software development firms are notably at risk. Despite being in the spotlight for some time, this group remains dynamic, constantly refining their techniques.

Read the full report on Securelist.com

Kaspersky encourages organizations to follow these best practices that help safeguard your organization against ransomware:

·       Always keep software updated on all the devices you use to prevent attackers from exploiting vulnerabilities and infiltrating your network.

·       Focus your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminals’ connections to your network. Set up offline backups that intruders cannot tamper with. Make sure you can access them quickly when needed or in an emergency.

·       Enable ransomware protection for all endpoints. There is a free Kaspersky Anti-Ransomware Tool for Business that shields computers and servers from ransomware and other types of malware, prevents exploits and is compatible with already installed security solutions.

·       Install anti-APT and EDR solutions, enabling capabilities for advanced threat discovery and detection, investigation and timely remediation of incidents. Provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training. All of the above is available within Kaspersky Expert Security framework.

·       Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for Kaspersky’s TI, providing cyberattack data and insights gathered by our team for over 20 years. To help businesses enable effective defenses in these turbulent times, Kaspersky has announced access to independent, continuously updated and globally sourced information on ongoing cyberattacks and threats, at no charge. Request access to this offer here.