
Cuba Ransomware: anatomy of grouping and protection methods

My slides from PHDays 2023:
https://youtu.be/W2Q15zOC2nE


Gleb Ivanov

May 21, 2023

Transcript

  1. Who we are

     Ivanov Gleb, SOC Analyst, Kaspersky
     Kirichenko Alexander, TI Analyst, Kaspersky
     Contacts: https://t.me/BlureL, https://www.linkedin.com/in/ivanov-gleb/, https://www.linkedin.com/in/alexander-kirichenko/, https://t.me/N01rX
  2. What is Cuba Ransomware?

     According to TI reports, Cuba is a targeted ransomware that began operations in late 2020. The threat actor behind it, tracked as 'Tropical Scorpius', has since changed its tactics and tooling to become a more prevalent threat in 2023.
  3. What is Cuba Ransomware? Cuba ransomware in 2023

     Aliases:
     • COLDDRAW
     • Tropical Scorpius
     • Fidel
     • CUBA
     Update 2023: V is Vendetta, http[:]//test[.]cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd[.]onion/
  4. Victimology

     South America: Colombia, Chile
     Europe: Austria, Belgium, France, Germany, Italy, Montenegro, Poland, Spain, UK
     Asia: China (Taiwan), South Korea
     North America: Canada, USA
     Australia
     Middle East: Kuwait, Lebanon, UAE
     Industries: Energy, Health Care, Financial Services, Transportation and Logistics, Education, Manufacturing, State and Local Government, Telecommunications, Retail, High Technology
  5. RaaS model

     Extortion tiers:
     • Single extortion – data encryption
     • Double extortion – data exfiltration
     • Triple extortion – DDoS
     • Quadruple extortion – direct communication with the company's customers and stockholders
     Cuba uses encryption to lock victims' files and demands a ransom payment in exchange for a decryption key. The group is known for double-extortion tactics: it not only encrypts files but also steals sensitive data and threatens to release it if the ransom is not paid.
     Exfiltrated data types:
     • Financial documents
     • Correspondence with bank employees
     • Account movements
     • Balance sheets
     • Tax documents
     • Compensation
     • Source code
     Encryption: files are encrypted with the symmetric stream cipher XSalsa20 (Salsa20 with the nonce extended from 64 to 192 bits), and the XSalsa20 keys are in turn encrypted with the asymmetric RSA-2048 algorithm. The implementation uses the LibTomCrypt library.
  6. Arsenal

     Malware:
     • Bughatch
     • Burntcigar
     • Cobeacon
     • Hancitor (Chanitor)
     • Termite
     • SystemBC
     • Veeamp
     • Wedgecut
     Tools:
     • Mimikatz
     • PowerShell
     • PsExec
     • Remote Desktop Protocol
     Vulnerabilities:
     • ProxyShell: CVE-2021-31207, CVE-2021-34473, CVE-2021-34523
     • ProxyLogon: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065
     • Veeam: CVE-2022-26500, CVE-2022-26501, CVE-2022-26504
  7. What is Cuba Ransomware? Mapped toolset

     Tactics (table columns): Initial Access, Execution, Persistence, Defense Evasion, Credential Access, Discovery, Lateral Movement, Exfiltration, Command and Control, Impact
     First row of the matrix, one tool per column: ProxyLogon, PowerShell, SystemBC, BurntCigar, Mimikatz, Wedgecut, PsExec, Cobeacon, Cobeacon, Cuba Ransomware
     Remaining cells in reading order (the column boundaries of the rest of the table were lost in the transcript): ProxyShell, PsExec, Custom DLLs, Bughatch, Veeamp, Bughatch, RDP, Bughatch, Hancitor (aka Chanitor), SystemBC, SystemBC, SystemBC, Cobeacon, SystemBC, Termite, Gotoassist, SystemBC
  8. Extortion amount

     Part of the BTC transaction tree (graph on slide). Some BTC wallets:
     • bc1q4vr25xkth35qslenqwd7aw020w85qrvlrhv7hc
     • bc1q5uc0fdnz0ve5pg4nl4upa9ly586t6wmnghfe7x
     • bc1q6rsj3cn37dngypu5kad9gdw5ykhctpwhjvun3z
     • bc1q6zkemtyyrre2mkk23g93zyq98ygrygvx7z2q0t
     • bc1q9cj0n9k2m282x0nzj6lhqjvhkkd4h95sewek83
     • bc1qaselp9nhejc3safcq3vn5wautx6w33x0llk7dl
     • bc1qc48q628t93xwzljtvurpqhcvahvesadpwqtsza
     • bc1qgsuf5m9tgxuv4ylxcmx8eeqn3wmlmu7f49zkus
     • bc1qhpepeeh7hlz5jvrp50uhkz59lhakcfvme0w9qh
     • bc1qjep0vx2lap93455p7h29unruvr05cs242mrcah
     • bc1qr9l0gcl0nvmngap6ueyy5gqdwvm34kdmtevjyx
     • bc1qs3lv77udkap2enxv928x59yuact5df4t95rsqr
     • bc1qyd05q2m5qt3nwpd3gcqkyer0gspqx5p6evcf7h
     • bc1qzz7xweq8ee2j35tq6r5m687kctq9huskt50edv
     • bc1qvpk8ksl3my6kjezjss9p28cqj4dmpmmjx5yl3y
     • bc1qhtwfcysclc7pck2y3vmjtpzkaezhcm6perc99x
     • bc1qft3s53ur5uq5ru6sl3zyr247dpr55mnggwucd3
     • bc1qp7h9fszlqxjwyfhv0upparnsgx56x7v7wfx4x7
     Totals:
     • Over 3,600 BTC transactions
     • Over 100,500,000 USD (at 1 BTC = 28,624 USD)
  9. Alert in ELK

     cmd.exe --> kk65.bat
     cmdline: cmd.exe /c c:\windows\temp\kk65.bat
     Contents of the kk65.bat file:
     T1218.011: System Binary Proxy Execution: Rundll32
  10. komar65.dll (BUGHATCH)

     T1135: Network Share Discovery
     User Agent: Mozilla/4.0 (a legacy user-agent prefix that current browsers no longer send, which makes it a useful hunting pivot in proxy logs)
     T1071.001: Application Layer Protocol: Web Protocols
  11. komar65.dll (BUGHATCH)

     We also found new malicious files downloaded by BUGHATCH from its C2 servers. IOCs:
  12. komar65.dll (BUGHATCH)

     BUGHATCH is a backdoor that executes, on the compromised system, arbitrary code downloaded from a C&C server. The code sent by the C&C server includes PE files and PowerShell scripts. BUGHATCH has been loaded in memory either by a dropper written in PowerShell or by a PowerShell script fetched from a remote URL.
     Execution flow: loader execution -> loading BUGHATCH -> system discovery -> waiting for operator's commands -> waiting for other commands
  13. Veeamp – credential dumper

     CVEs exploited by Veeamp:
     1. CVE-2022-26500, CVE-2022-26501: remote code execution in the Veeam Distribution Service. The Veeam Distribution Service, which listens on TCP 9380 with default settings, lets unauthenticated threat actors reach internal API functions, so malicious code can be executed remotely without authentication.
     2. CVE-2022-26504: remote code execution in Veeam Backup PSManager. The Veeam.Backup.PSManager.exe process, which listens on TCP 8732 with default settings, allows non-administrator users to authenticate with domain credentials; an attacker holding any domain account can then execute malicious code remotely against the vulnerable component and take control of the system.
     Sensitive files inside backups:
     • NTDS.dit
     • SAM, SECURITY, SYSTEM
     • Browser profiles
  14. T1014: Rootkit

     One novel tactic now is the use of legitimate drivers to disable endpoint security solutions on the compromised systems. Avast Anti Rootkit driver: CVE-2022-26522, CVE-2022-26523.
  15. What are these files doing?

     • aswArPot.sys is a legitimate but vulnerable driver. Avast's "Anti Rootkit" driver (also used by AVG) was found to be vulnerable to two high-severity issues that could lead to privilege escalation by running code in the kernel from a non-administrator user.
     • KK.exe is malware, also known as BURNTCIGAR, that terminates targeted processes by calling DeviceIoControl to reach undocumented code in the Avast driver.
     • av.bat is a batch launcher that creates and starts a kernel service called aswSP_ArPot2, loading the binary C:\windows\temp\aswArPot.sys.
  16. KK.exe (BURNTCIGAR)

     BURNTCIGAR had already been detected by our systems before, BUT the attackers deployed a new version of this malware to bypass AV/EPP/EDR systems. (Old version vs. new version comparison shown on slide.)
  17. KK.exe (BURNTCIGAR)

     BURNTCIGAR uses DeviceIoControl to reach undocumented code in the Avast driver, which calls ZwTerminateProcess with the supplied process identifier to terminate that process. Because the kill happens in kernel mode through a validly signed driver, user-mode self-protection of the targeted AV/EDR processes does not help.
  18. Same activity on other hosts

     The Avast Anti Rootkit driver aswArPot.sys was loaded via sc.exe on SRV_STORAGE, SRV_MAIL and SRV_Service.
  19. GoToAssist as a transfer tool

     Software like GoToAssist is also used as a file-transport utility to copy files between systems while bypassing security controls, because the application is allowed in the company. This kind of software is also used for pentesting-style tasks such as computer enumeration.
     T1570: Lateral Tool Transfer
  20. Who is SqlDbAdmin?

     During our investigation, we found an interesting DLL on HOST_1. addp.dll internals: NetUserAdd.
     T1136.001: Create Account: Local Account
  21. Who is SqlDbAdmin?

     addp.dll internals:
     T1564.002: Hide Artifacts: Hidden Users
     T1021.001: Remote Services: Remote Desktop Protocol
     T1112: Modify Registry
  22. Timeline

     Not in monitoring:
     • Initial access (ProxyLogon/ProxyShell/Phishing): … – 19.12
     • HOST_1: … – 19.12
     Detected in monitoring (UTC):
     • Dumping credentials on SRV_Service: 19.12 09:22:37
     • Attack on SRV_Storage: 19.12 09:45:37
     • Attack on SRV_Storage_2: 19.12 16:18:19
     • Attack on HOST_2: 19.12 16:20:37
     • Attack on SRV_MAIL: 20.12 07:31:24
  23. ion.dll as a Cobalt Strike beacon

     We also found an interesting DLL execution on the Exchange server: ion.dll is a Cobalt Strike beacon, launched via rundll32.
     T1218.011: System Binary Proxy Execution: Rundll32
  24. C2 server

     Memory dump of rundll32 (diagram on slide): Ion.bat launches Ion.dll via rundll32.exe, the beacon talks to its C2 server, and the dump contains SMB references to \\127.0.0.1\admin$\367a266.exe and \\127.0.0.1\admin$\f5bca9a.exe, i.e. executables staged through the ADMIN$ share of the local host.
  25. TTPs of Cuba

     Interesting TTPs:
     • T1014: Rootkit
     • T1562.001: Impair Defenses: Disable or Modify Tools
     • T1136.001: Create Account: Local Account
     • T1564.002: Hidden Users
     • T1555: Credentials from Password Stores
  26. Protection methods

     • Check for suspicious activity from legitimate tools such as AnyDesk, GoToAssist, etc.
     • Patch systems to close the vulnerabilities listed above.
     • Pay attention to registry changes, especially HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList.
     • Use EDR/EPP.
     • Monitor the list of vulnerable drivers.
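Slides 20-21 describe addp.dll creating the SqlDbAdmin account, hiding it from the logon screen and enabling RDP, and the protection list above names the two registry keys that betray those steps. The following Python script is an added example (not from the deck) that correlates a constructed Security Event ID 4720 (account created) with constructed Sysmon Event ID 13 registry writes to those keys, so a freshly created account that is immediately hidden is rated higher than a hidden account with no creation event in view. The year in the timestamps, the HOST_2 events and the 24-hour window are assumptions.

```python
"""Correlate local account creation with the registry writes that hide the
account and open RDP, over constructed Sysmon EID 13 and Security EID 4720 events.
Added example; timestamps (year is arbitrary) and the HOST_2 events are constructed."""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# The value name under ...\Winlogon\SpecialAccounts\UserList is the account and
# data 0 hides it from the logon screen (T1564.002). fDenyTSConnections = 0 enables RDP.
HIDE_KEY = re.compile(r"\\winlogon\\specialaccounts\\userlist\\(?P<user>[^\\]+)$", re.I)
RDP_KEY = re.compile(r"\\control\\terminal server\\fdenytsconnections$", re.I)
DWORD_ZERO = re.compile(r"dword\s*\(0x0+\)", re.I)  # Sysmon renders REG_DWORD as "DWORD (0x00000000)"


def analyse(events: List[Dict], window: timedelta = timedelta(hours=24)) -> List[Dict]:
    """Return alerts in time order; a hidden account created within `window` is rated high."""
    created = {}  # (host, user lowercased) -> creation time from Event ID 4720
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 4720:
            created[(ev["host"], ev["user"].lower())] = t
            continue
        if ev["event_id"] != 13 or not DWORD_ZERO.search(ev["details"]):
            continue  # only registry value-set events writing a zero DWORD matter here
        m = HIDE_KEY.search(ev["target"])
        if m:
            user = m.group("user")
            when = created.get((ev["host"], user.lower()))
            recent = when is not None and t - when <= window
            alerts.append({"host": ev["host"], "time": ev["time"], "technique": "T1564.002",
                           "user": user, "recently_created": recent,
                           "severity": "high" if recent else "medium"})
        elif RDP_KEY.search(ev["target"]):
            alerts.append({"host": ev["host"], "time": ev["time"], "technique": "T1112",
                           "user": None, "recently_created": False, "severity": "medium",
                           "note": "fDenyTSConnections set to 0 (RDP enabled)"})
    return alerts


UL = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
TS = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"

# Constructed events. HOST_1 mirrors the addp.dll behaviour from the deck; HOST_2 holds
# cases that must stay quiet or fire at lower severity.
SAMPLE_EVENTS = [
    {"time": "2022-12-19T09:22:37", "host": "HOST_1", "event_id": 4720, "user": "SqlDbAdmin"},
    {"time": "2022-12-19T09:23:10", "host": "HOST_1", "event_id": 13,
     "target": UL + r"\SqlDbAdmin", "details": "DWORD (0x00000000)"},
    {"time": "2022-12-19T09:23:12", "host": "HOST_1", "event_id": 13,
     "target": TS + r"\fDenyTSConnections", "details": "DWORD (0x00000000)"},
    {"time": "2022-12-19T16:20:37", "host": "HOST_2", "event_id": 13,
     "target": UL + r"\kiosk", "details": "DWORD (0x00000000)"},  # hidden, but never seen created
    {"time": "2022-12-19T16:21:00", "host": "HOST_2", "event_id": 13,
     "target": TS + r"\fDenyTSConnections", "details": "DWORD (0x00000001)"},  # RDP disabled: no alert
    {"time": "2022-12-19T16:22:00", "host": "HOST_2", "event_id": 13,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "details": "explorer.exe"},  # unrelated Winlogon value: no alert
]

if __name__ == "__main__":
    for a in analyse(SAMPLE_EVENTS):
        print(a)
```

Sysmon only emits Event ID 13 for keys you include in its configuration, so both registry paths above must be in the `RegistryEvent` include list; otherwise the 4720 event is all you will see.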
  27. BYOVD

     A Bring Your Own Vulnerable Driver (BYOVD) attack is one in which an attacker loads a legitimately signed but vulnerable kernel-mode driver onto a target system and exploits it to run code in the kernel, here to kill security products.
  28. Protection methods against BYOVD attacks

     • Monitor known vulnerable drivers, updating the driver block list present on Windows with the latest threat intelligence and IoCs: https://www.loldrivers.io/
     • Regularly update all software, including device drivers, to patch known vulnerabilities.
     • Always keep track of the drivers installed on your systems and keep them up to date.
     • Enable hypervisor-protected code integrity (HVCI).
     • Enable Driver Signature Enforcement. Note that DSE alone does not stop BYOVD: aswArPot.sys carries a valid vendor signature and loads under DSE; the vulnerable driver blocklist, which Windows applies when HVCI is enabled, is what keeps a known-bad signed driver from loading.
     • Use the Microsoft vulnerable driver blocklist: https://aka.ms/VulnerableDriverBlockList
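"Monitor known vulnerable drivers" needs hashes, not file names: the loader in this deck dropped the genuine aswArPot.sys under C:\windows\temp, so a name or path check proves nothing either way. The following Python script is an added example, not from the deck or from loldrivers.io, that indexes a loldrivers.io-style drivers.json by SHA-256 and checks driver files against it. The JSON and the driver bodies are constructed stand-ins (the field names follow the public drivers.json schema as I understand it: Id, Tags, KnownVulnerableSamples with Filename/SHA256); scan_directory() is for real use against a drivers folder and is not exercised by the sample.

```python
"""Hash-match driver files against a loldrivers.io-style list.
Added example. The JSON is a constructed two-entry stand-in using the public
schema's field names; the driver bytes are placeholders, not real drivers."""
import hashlib
import json
import pathlib
from typing import Dict, List, Optional

# Constructed placeholder bodies (real drivers are PE files; "MZ" is only a hint of that).
VULN_DRIVER_BYTES = b"MZ" + b"\x90" * 62 + b"constructed stand-in for a vulnerable anti-rootkit driver"
CLEAN_DRIVER_BYTES = b"MZ" + b"\x90" * 62 + b"constructed stand-in for a benign storage driver"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed list: the first entry is indexed by the placeholder's own hash so the
# demo has something to hit; the IDs are made up, not loldrivers IDs.
LOLDRIVERS_JSON = json.dumps([
    {"Id": "constructed-0001", "Tags": ["aswArPot.sys"],
     "KnownVulnerableSamples": [{"Filename": "aswArPot.sys", "SHA256": sha256_hex(VULN_DRIVER_BYTES)}]},
    {"Id": "constructed-0002", "Tags": ["example.sys"],
     "KnownVulnerableSamples": [{"Filename": "example.sys", "SHA256": "0" * 64}]},
])


def build_index(drivers_json: str) -> Dict[str, Dict]:
    """sha256 (lowercase) -> {id, filename, tags}; one list entry may carry several samples."""
    index = {}
    for entry in json.loads(drivers_json):
        for sample in entry.get("KnownVulnerableSamples", []):
            h = (sample.get("SHA256") or "").lower()
            if h:
                index[h] = {"id": entry.get("Id"), "filename": sample.get("Filename"),
                            "tags": entry.get("Tags", [])}
    return index


def check_bytes(name: str, data: bytes, index: Dict[str, Dict]) -> Optional[Dict]:
    """Return the matching list entry (plus the name it was seen under) or None."""
    hit = index.get(sha256_hex(data))
    return dict(hit, seen_as=name) if hit else None


def scan_directory(root: str, index: Dict[str, Dict], pattern: str = "*.sys") -> List[Dict]:
    """Hash every *.sys under root (the System32 drivers folder, but also temp
    directories) and return the matches. Hash, do not trust names or paths: the
    staged copy in this deck was the legitimate driver sitting in a temp directory."""
    matches = []
    for p in pathlib.Path(root).rglob(pattern):
        try:
            hit = check_bytes(str(p), p.read_bytes(), index)
        except OSError:
            continue  # locked or permission denied; log it in real use
        if hit:
            matches.append(hit)
    return matches


if __name__ == "__main__":
    idx = build_index(LOLDRIVERS_JSON)
    print(check_bytes(r"C:\windows\temp\aswArPot.sys", VULN_DRIVER_BYTES, idx))
    print(check_bytes(r"C:\Windows\System32\drivers\disk.sys", CLEAN_DRIVER_BYTES, idx))
```

In practice, feed build_index() the drivers.json export from loldrivers.io and run scan_directory() over both the System32 drivers folder and C:\Windows\Temp; a hit on a signed vendor driver in a temp directory is exactly the staging step on slides 15 and 18, and worth alerting on before the service is ever started.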