Kaspersky Exposes New Operations of the Cuba Ransomware Gang


Kaspersky, the cybersecurity firm, recently uncovered a fresh wave of activity from the Cuba ransomware group. The updated tooling was built to evade detection and has been used against organizations worldwide, across a range of sectors.

In December 2022, Kaspersky detected suspicious activity on one of its customers' systems. Three suspicious files were identified; they started a chain of actions that loaded the komar65 library, also known as BUGHATCH, a sophisticated backdoor that is deployed in process memory.

BUGHATCH uses the Windows API to execute an embedded block of shellcode within the memory space allocated to it; the shellcode comprises several functions.

The backdoor then connects to a command-and-control (C2) server and awaits further instructions. These can include downloading penetration-testing frameworks such as Cobalt Strike Beacon and Metasploit. The presence of Veeamp, a tool that steals credentials from Veeam backup software, pointed to the Cuba ransomware group.

The path to the program database (PDB) file embedded in the sample contains a directory named "komar", the Russian word for mosquito. This suggests the group has Russian-speaking members, consistent with earlier evidence.

Further analysis revealed that Cuba had deployed additional modules to extend the malware's capabilities, including one that collects system information and sends it to a server via HTTP POST requests.

Continuing the investigation, Kaspersky found new samples attributed to the Cuba group on VirusTotal, some of which had evaded detection by other security vendors. These samples are new variants of the BURNTCIGAR tool, which now store their data encrypted to avoid antivirus detection.

Cuba remains an active ransomware family with a wide-reaching impact, targeting a diverse range of industries and institutions globally. The group combines public and custom tools, regularly updates its arsenal, and employs techniques such as BYOVD (Bring Your Own Vulnerable Driver) attacks.

The group is also known for manipulating the compilation timestamps of its malware to mislead investigators. Its objectives extend beyond data encryption to the theft of sensitive information, including financial documents, banking records, corporate accounts, and source code, and software development companies are among its primary targets. Despite the time that has passed since the group emerged, it remains adaptable and continues to evolve its tactics.
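Two of the artifacts mentioned above, the PDB path with the "komar" directory and the manipulated compilation timestamps, are things an analyst can check directly in a PE file. The following Python script is an added example, not Kaspersky's code and not derived from a Cuba sample: it parses the COFF header, the debug data directory and the CodeView (RSDS) record to recover the compile timestamp, the debug-directory timestamp and the PDB path, then flags a PDB path containing a keyword of interest (here "komar", taken from the article) and a header timestamp that disagrees with the debug directory. The sample PE it inspects is constructed in memory with a deliberately back-dated header; the path and timestamps in it are made up for the demonstration.

```python
import struct
from datetime import datetime, timezone

IMAGE_DIRECTORY_ENTRY_DEBUG = 6      # index of the debug data directory
IMAGE_DEBUG_TYPE_CODEVIEW = 2        # debug entry type carrying the RSDS/PDB record
DEBUG_DIR_ENTRY_SIZE = 28            # sizeof(IMAGE_DEBUG_DIRECTORY)


def parse_pe_metadata(data: bytes) -> dict:
    """Return compile timestamp, debug-directory timestamp and PDB path of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, header_ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at optional header + 96
        dd_off = opt + 96
    elif magic == 0x20B:      # PE32+: data directories start at optional header + 112
        dd_off = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")

    # Section table, needed to translate the debug directory's RVA to a file offset.
    sections = []
    sect_off = opt + opt_size
    for i in range(nsections):
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sect_off + i * 40)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_offset(rva: int) -> int:
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rawptr + (rva - va)
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    meta = {"compile_timestamp": header_ts, "debug_timestamp": None, "pdb_path": None}
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
    if dbg_rva and dbg_size:
        dbg_off = rva_to_offset(dbg_rva)
        for i in range(dbg_size // DEBUG_DIR_ENTRY_SIZE):
            _, dbg_ts, _, _, dtype, size_of_data, _, ptr_raw = struct.unpack_from(
                "<IIHHIIII", data, dbg_off + i * DEBUG_DIR_ENTRY_SIZE)
            if dtype != IMAGE_DEBUG_TYPE_CODEVIEW:
                continue
            meta["debug_timestamp"] = dbg_ts
            raw = data[ptr_raw:ptr_raw + size_of_data]
            if raw[:4] == b"RSDS":   # CodeView 7.0: signature, GUID(16), age(4), NUL-terminated path
                meta["pdb_path"] = raw[24:].split(b"\0", 1)[0].decode("latin-1")
    return meta


def timestomp_indicators(meta: dict, pdb_keywords=("komar",)) -> list:
    """Flag signs of a tampered compile timestamp and PDB directory names of interest."""
    findings = []
    ts, dts = meta["compile_timestamp"], meta["debug_timestamp"]
    if ts in (0, 0xFFFFFFFF):
        findings.append("file-header TimeDateStamp is zeroed or saturated")
    # The MSVC linker writes the same value to both fields; tools that stomp
    # only the file header leave the debug directory's copy untouched.
    if dts is not None and ts != dts:
        findings.append("file-header TimeDateStamp differs from debug-directory TimeDateStamp")
    if meta["pdb_path"]:
        lower = meta["pdb_path"].lower()
        findings.extend(f"PDB path contains '{kw}'" for kw in pdb_keywords if kw in lower)
    return findings


def build_sample_pe(header_ts: int, debug_ts: int, pdb_path: str) -> bytes:
    """Constructed minimal PE32+ image (not a real sample): one section plus a CodeView debug entry."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, header_ts, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                           # PE32+ magic
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG, 0x1000, DEBUG_DIR_ENTRY_SIZE)
    sect = struct.pack("<8sIIII", b".rdata\0\0", 0x200, 0x1000, 0x200, 0x200) + bytes(16)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    codeview = b"RSDS" + bytes(16) + struct.pack("<I", 1) + pdb_path.encode() + b"\0"
    debug_entry = struct.pack("<IIHHIIII", 0, debug_ts, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW,
                              len(codeview), 0x1000 + DEBUG_DIR_ENTRY_SIZE, 0x200 + DEBUG_DIR_ENTRY_SIZE)
    return headers + (debug_entry + codeview).ljust(0x200, b"\0")


def utc(ts: int) -> str:
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    # Constructed input: header stomped back to 2010 while the debug directory keeps the real link time.
    sample = build_sample_pe(1262304000, 1670000000, r"C:\work\komar\Release\komar65.pdb")
    meta = parse_pe_metadata(sample)
    print("compile:", utc(meta["compile_timestamp"]), "| debug:", utc(meta["debug_timestamp"]))
    print("pdb:", meta["pdb_path"])
    for finding in timestomp_indicators(meta):
        print(" -", finding)
```

To run it against a real file, pass `open(path, "rb").read()` to `parse_pe_metadata` instead of the constructed sample. One caveat: binaries linked with MSVC's `/Brepro` option carry a reproducible hash rather than a date in both timestamp fields, so the two still agree and only the "implausible date" part of the check applies; an analyst should treat a mismatch as a lead to confirm against other evidence, not as proof on its own.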
