Cuba Ransomware Gang Continues to Evolve With Dangerous Backdoor


VTA-004466 – Cuba Ransomware Gang Continues to Evolve With Dangerous Backdoor

An ongoing investigation by Kaspersky has discovered a brand new malware sample related to a ransomware group known as Cuba, which includes a new and updated version of the already existing malware “BurntCigar”. The attack chain loaded a library known as “komar65”, which is also known as BugHatch. BugHatch is a custom downloader and a sophisticated backdoor that runs entirely within process memory: it allocates memory using the Windows API and executes an embedded block of shellcode in that allocated space. After that, it connects to the command and control server and waits for instructions, such as tasks delivered through Cobalt Strike Beacon or Metasploit. Cuba’s involvement was spotted due to the use of Veeamp during the attack.
Besides that, the Russian word “komar” translates to “mosquito”, which further solidifies Cuba’s involvement. Cuba has also used a double extortion model in order to pressure its victims to pay the ransom. They do this by utilizing a hybrid key, which prevents decryption without the necessary key. The ransomware gets its initial access through phishing.

Cuba has previously targeted different industries across all regions of the world, but most of its targets reside within the US.


Attack Surfaces:

Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement

T1190 – Exploit Public-Facing Application
T1566 – Phishing
T0807 – Command-Line Interface
T1059 – Command and Scripting Interpreter
T1480 – Execution Guardrails
T1630 – Indicator Removal on Host
T1629 – Impair Defenses
T1003 – OS Credential Dumping
T1135 – Network Share Discovery
T1437 – Application Layer Protocol
T0867 – Lateral Tool Transfer
T1041 – Exfiltration Over C2 Channel
T0881 – Service Stop
T1471 – Data Encrypted for Impact

Technical Impact Analysis:
Loss of Confidentiality, Loss of Integrity

Business Impact Analysis:
Financial Damage, Privacy Violation, Reputation Damage


SuperPRO’s Threat Countermeasures Procedures: 
1. Install reputable antivirus software to enhance system security and safeguard against potential breaches resulting from the download of malicious files.
2. Ensure both hardware and software are regularly updated with the latest security patches and updates.
3. Employ strong security measures such as firewalls, intrusion detection systems, and antivirus software to detect and prevent unauthorized access and malware infections.
4. Divide your network into smaller, isolated segments, each with its own set of security controls. This helps to contain the impact of a potential breach and limits an attacker’s ability to move laterally.
5. Provide cybersecurity awareness training to employees to educate them about the risks of phishing attacks and social engineering techniques.
6. Enforce strong access controls, including multi-factor authentication and strong passwords, to prevent unauthorized access to systems and resources.
7. Regularly perform penetration testing to identify any vulnerabilities or weaknesses in your network.
8. Deploy security tools such as SIEM (Security Information and Event Management) to detect and analyze network traffic.

Contributed by: Sherman