The Cuba ransomware group is deploying a new malware that is not always detected by modern antivirus programs. Victims are companies all over the world, including in Germany and Austria.
While investigating a customer incident in December 2022, Kaspersky discovered three suspicious files. These files triggered a series of actions that resulted in the download of the 'komar65' library, also known as 'BUGHATCH'. BUGHATCH is a sophisticated backdoor that nests itself in the process memory of a device. Within the space allocated to it, it executes an embedded block of shellcode; To do this, it uses a Windows API that includes numerous functions. For example, commands can be received through a command and control server to download malicious software such as Cobalt Strike Beacon and Metasploit.
Cuba still active with updated toolkit
The fact that Veeamp was also used in this attack strongly suggests that the Cuba ransomware group was involved. The PDB file also refers to the folder “komar”, the Russian word for “mosquito”, which could be an indication of the presence of Russian-speaking members within the group. Kaspersky experts also found additional modules that were distributed by the Cuba group and that expand the functionality of the malware. One of these modules is responsible for collecting system information, which is then sent to a server via HTTP POST requests.
Cuba is a single-file ransomware strain that is difficult to detect due to the way it works without additional libraries. The attackers use a mix of public and proprietary tools, regularly updating their toolkit and using tactics such as BYOVD (Bring Your Own Vulnerable Driver).
Use of BURNTCIGAR prevents detection by antivirus programs
A key feature of their practice is falsifying compilation timestamps to mislead security experts. For example, some samples found in 2020 had a compilation date of June 4, 2020, while the timestamps of more recent versions gave the date as June 19, 1992. Cuba's unique approach includes not only data encryption, but also individually targeted attacks to extract sensitive data and information such as financial documents, bank records, company accounts and source code. Software development companies are particularly at risk here.
During further investigations, Kaspersky experts at VirusTotal discovered new malware samples attributed to the Cuba group. Some of these samples were able to avoid detection by other security vendors. A new version of the BURNTCIGAR malware helped here, which can use encrypted data to evade detection by antivirus programs.
More at Kaspersky.com
About Kaspersky Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250.000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/