In recent research, a cybersecurity company has exposed the latest activity of the ransomware group known as Cuba. The group has deployed a malware strain that evaded detection and has compromised organizations across the globe and across industry sectors.
The investigation began in December 2022, when the company noticed a suspicious incident on one of its clients' systems. That event led to the discovery of three unknown files which, when analyzed, turned out to load the Komar65 library, also known as BUGHATCH.
BUGHATCH is a backdoor that runs entirely in process memory rather than dropping a file to disk. Once started, it connects to a command-and-control (C2) server and waits for instructions, and it can download and run additional payloads such as Cobalt Strike Beacon and Metasploit. BUGHATCH is tooling already associated with Cuba, and the intrusion also involved exploitation of vulnerabilities in the widely used Veeam backup software, which matches the group's known tradecraft and strongly suggests that Cuba was behind it.
A notable finding from the investigation was evidence of Russian-speaking members within the group: a folder path left in the malware is named "Komar", which is Russian for "mosquito". The group has also extended the malware with supplementary modules, including one that collects system information and sends it to a server in HTTP POST requests.
The company additionally found new malware samples linked to Cuba on VirusTotal, some of which had not been detected by other security vendors. These are updated builds of the BURNTCIGAR tool, which the group uses to disable security software; the new versions store their data in encrypted form to hinder antivirus detection.
Cuba's ransomware is a single-file executable that needs no additional libraries, which makes it easy to drop and run on a victim host. The group, which is predominantly Russian speaking, has a wide global footprint, targeting industries across North America, Europe, Oceania, and Asia. It uses a mix of publicly available and proprietary tools. What sets the group apart is its continual adaptation and improvement of that arsenal, including BYOVD (Bring Your Own Vulnerable Driver), in which a legitimately signed but exploitable kernel driver is loaded to gain kernel-level access and disable endpoint protection. The group also forges the compilation timestamps in its binaries to mislead investigators.
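Forged compilation timestamps are a concrete thing a responder can check. The script below is an added example, not code from the original article or from the research it summarises: it reads the TimeDateStamp from a PE file's COFF header and flags values that are zeroed, in the future, or implausibly old. The cut-off dates, the clock-skew tolerance, and the minimal PE header it constructs as test input are assumptions for illustration.

```python
"""Flag a PE file's COFF compile timestamp as implausible.

Added example, not code from the original article or from the research it
summarises. Thresholds and the constructed sample PE are assumptions.
"""
import struct
import time
from datetime import datetime, timezone
from typing import Optional

# Offsets from the PE/COFF file format specification.
E_LFANEW_OFFSET = 0x3C          # DWORD holding the offset of "PE\0\0"
COFF_HEADER_SIZE = 20           # bytes after the 4-byte PE signature
TIMESTAMP_OFFSET_IN_COFF = 4    # after Machine (2) and NumberOfSections (2)

# Heuristic bound (assumed): timestamps before this are treated as suspicious
# unless they match a known compiler constant.
EARLIEST_PLAUSIBLE = int(datetime(2000, 1, 1, tzinfo=timezone.utc).timestamp())
# Delphi/C++Builder linkers stamp every binary with 1992-06-19 19:22:17 UTC,
# so this value is a compiler artifact rather than evidence of tampering.
DELPHI_CONSTANT = 0x2A425E19
# Tolerance (assumed) for build-host clock drift before calling it "future".
FUTURE_SLACK_SECONDS = 24 * 3600


def coff_timestamp(pe: bytes) -> int:
    """Return the TimeDateStamp field from the COFF header of a PE image."""
    if len(pe) < E_LFANEW_OFFSET + 4 or pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, E_LFANEW_OFFSET)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    if len(pe) < coff + COFF_HEADER_SIZE:
        raise ValueError("truncated COFF header")
    (ts,) = struct.unpack_from("<I", pe, coff + TIMESTAMP_OFFSET_IN_COFF)
    return ts


def classify_timestamp(ts: int, now: Optional[int] = None) -> str:
    """Label a COFF timestamp as 'zeroed', 'delphi-constant', 'future',
    'implausibly-old' or 'plausible'. 'now' is injectable for testing."""
    now = int(time.time()) if now is None else now
    if ts == 0:
        return "zeroed"
    if ts == DELPHI_CONSTANT:
        return "delphi-constant"
    if ts > now + FUTURE_SLACK_SECONDS:
        return "future"
    if ts < EARLIEST_PLAUSIBLE:
        return "implausibly-old"
    return "plausible"


def build_sample_pe(ts: int) -> bytes:
    """Construct a minimal, non-executable PE header carrying the given
    timestamp. This is constructed test input, not a real sample."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    # Machine=AMD64, 3 sections, TimeDateStamp, no symbols, 0xF0-byte
    # optional header, Characteristics=EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE.
    coff = struct.pack("<HHIIIHH", 0x8664, 3, ts, 0, 0, 0xF0, 0x22)
    return bytes(dos) + b"PE\0\0" + coff


def triage(pe: bytes, now: Optional[int] = None) -> dict:
    """Extract the timestamp from a PE image and attach a verdict."""
    ts = coff_timestamp(pe)
    return {
        "timestamp": ts,
        "utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "verdict": classify_timestamp(ts, now),
    }


if __name__ == "__main__":
    # Fixed reference clock so the demo is reproducible: 2023-09-01 UTC.
    fixed_now = int(datetime(2023, 9, 1, tzinfo=timezone.utc).timestamp())
    samples = [
        ("backdated", 0x30000000),               # July 1995
        ("future", fixed_now + 10 * 86400),
        ("zeroed", 0),
        ("normal", fixed_now - 30 * 86400),
    ]
    for label, stamp in samples:
        print(label, triage(build_sample_pe(stamp), fixed_now))
```

A header-only verdict is a lead, not proof. Reproducible-build toolchains (for example MSVC with /Brepro) deliberately write a hash instead of a real timestamp, and Delphi binaries always carry the 1992 constant, so an odd value should be correlated with the Authenticode signing time, the file system timestamps from the image, and the sample's first-seen date in threat-intelligence sources before it is treated as evidence of forgery.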
Despite being under the relentless scrutiny of the cybersecurity community, the Cuba group continues to evolve and perfect their techniques, including sophisticated data encryption methods and tailored attacks aimed at extracting highly sensitive information.
In their report, the cybersecurity company underscores the critical importance of staying informed and proactive in the face of evolving cyber threats. They encourage organizations to adhere to best practices for safeguarding against ransomware attacks.
One cybersecurity professional at the cybersecurity company emphasizes, “Our latest findings underscore the importance of access to the latest reports and threat intelligence. As ransomware gangs like Cuba evolve and refine their tactics, staying ahead of the curve is crucial to effectively mitigate potential attacks. With the ever-changing landscape of cyber threats, knowledge is the ultimate defense against emerging cybercriminals.”
The Cuba ransomware group's latest malware is a capable and stealthy threat to organizations worldwide. Its ability to adapt, innovate, and evade detection makes it a persistent menace that demands vigilance and robust security controls to counter effectively. The cybersecurity community must remain proactive and agile to keep pace with these evolving cybercriminals.
SpearTip assesses both technology and internal personnel to discover blind spots in companies that can lead to significant compromises. Our engineers go beyond simple compliance frameworks and examine the day-to-day function of cyber within companies. This leads to critical recommendations by exposing vulnerabilities not only in software but also in people and processes. Identifying technical vulnerabilities inside and outside of companies provides deeper context on potential gaps in their environments. SpearTip offers two types of tabletop exercises: Executive and Technical. Executive tabletop exercises are custom-designed to strengthen collaboration among business leaders and promote a common understanding of how leadership teams respond to an incident. Technical tabletop exercises review current IR policies and procedures by engaging companies' teams in specific scenarios that test their analytical and remediation capabilities in the event of an incident.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.