Researchers from Kaspersky have discovered new malware samples associated with the ransomware group known as Cuba. The samples are new versions of the BurntCigar malware, which features advanced stealth capabilities that pose a significant threat to organizations.
The investigation began when Kaspersky detected an incident on a client’s system in December. Following the attack chain, the researchers identified a library called “komar65” or BugHatch, which serves as a sophisticated backdoor deployed in process memory. This backdoor executes an embedded block of shellcode within the allocated memory space and connects to a command-and-control server to receive further instructions. It is capable of downloading software like Cobalt Strike Beacon and Metasploit. The use of Veeamp in the attack strongly suggests the involvement of Cuba.
Of particular note is the presence of a PDB file that references the “komar” folder, which is a Russian word for “mosquito.” This indicates the potential presence of Russian-speaking members within the Cuba group.
Kaspersky also uncovered further modules distributed by the Cuba group that extend the malware's functionality. One such module collects system information and sends it to a server using HTTP POST requests. The researchers also found that BugHatch now encrypts its data to evade detection by security vendors. Furthermore, BurntCigar, Cuba's second proprietary malware, uses I/O control codes to terminate kernel-level processes.
In the past, Cuba has employed a classic double extortion model to pressure victims, utilizing hybrid encryption to prevent decryption without the necessary key. However, the latest findings indicate that groups like Cuba are constantly evolving, making it increasingly challenging to stay ahead of their refined and malicious tactics. Gleb Ivanov, a SOC analyst at Kaspersky, warns that Cuba poses a serious threat to businesses, as they steal sensitive data such as source code, software, and more.
The Cuba ransomware group has targeted various industries across North America, Europe, Oceania, and Asia, demonstrating their wide reach and adaptability. While most of their targets are of US origin, they have successfully infiltrated organizations worldwide. Notably, the group manipulates compilation timestamps to deceive investigators, as older malware samples from 2020 have timestamps from that year, while newer versions display timestamps dating back to 1992.
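As an added defender-side example (not from Kaspersky's report or the Cuba toolset), the check below reads the COFF compile timestamp from a PE header and flags values that are inconsistent with the sample's era, such as a 1992 stamp on a recent build; the 1995 year floor, the scan-time reference and the minimal constructed headers are assumptions for illustration.

```python
import struct
from datetime import datetime, timezone

# Constructed header layout: MZ stub with e_lfanew at 0x3C, then the PE
# signature and COFF file header (Machine, NumberOfSections, TimeDateStamp).
def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since 1970-01-01 UTC) of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # 8 bytes past the signature: after Machine (2 bytes) and NumberOfSections (2 bytes)
    return struct.unpack_from("<I", data, pe_off + 8)[0]

def classify_timestamp(ts: int, now: int, earliest_year: int = 1995) -> str:
    """Label a compile timestamp; the year floor is an assumed triage threshold."""
    if ts == 0:
        return "zero"             # often stripped by reproducible builds
    if ts > now:
        return "future"           # claims to have been built after the scan time
    year = datetime.fromtimestamp(ts, tz=timezone.utc).year
    if year < earliest_year:
        return "implausibly_old"  # e.g. 1992 stamps on samples that postdate 2020
    return "plausible"

def build_sample(ts: int) -> bytes:
    """Build a minimal, constructed PE-like blob carrying the given timestamp (not a real sample)."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)                # e_lfanew -> right after the stub
    coff = b"PE\0\0" + struct.pack("<HHI", 0x8664, 1, ts)   # Machine=AMD64, 1 section, stamp
    return bytes(stub) + coff

def triage(samples: dict, now: int) -> dict:
    """Map sample name -> timestamp label for a batch of images."""
    return {name: classify_timestamp(pe_timestamp(blob), now) for name, blob in samples.items()}

if __name__ == "__main__":
    scan_time = 1672531200  # 2023-01-01T00:00:00Z, constructed reference point
    batch = {
        "build_2020":   build_sample(1577836800),  # 2020-01-01T00:00:00Z
        "stamped_1992": build_sample(694224000),   # 1992-01-01T00:00:00Z
        "post_dated":   build_sample(1700000000),  # later than scan_time
    }
    for name, label in triage(batch, scan_time).items():
        print(f"{name}: {label}")
```

A timestamp alone is not evidence of tampering; it is one triage signal to weigh against the toolchain version, linker metadata and the date the sample was first observed.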
Given the Cuba group's ability to deceive investigators, change tactics dynamically, and exfiltrate sensitive information such as financial documents and bank records, it is crucial for vendors and organizations to remain vigilant. Kaspersky emphasizes the importance of staying ahead of evolving ransomware gangs like Cuba by regularly updating systems, closing critical vulnerabilities, and keeping up with cybersecurity trends. A strong defense team that can quickly detect and stop such threats is essential. Ivanov cautions that even robust defenses can still be bypassed by ransomware.
As the cyber threat landscape continues to evolve, knowledge becomes the ultimate defense against emerging cybercriminals. Organizations must prioritize cybersecurity practices, constantly adapt their defenses, and remain informed about the latest threats and techniques employed by malicious actors.

