Cuba Ransomware Gang Continues to Evolve With Dangerous Backdoor

The Russian-speaking ransomware gang continues to update its tactics while managing to steal highly sensitive information from its victims.

old blue car speeding along in Havana
Source: Colin Walton via Alamy Stock Photo

Researchers have uncovered fresh malware samples attributed to ransomware group Cuba, representing new versions of BurntCigar malware, which offers next-level stealth to the group.

Researchers at Kaspersky uncovered the malware in an ongoing investigation, after first detecting an incident on a client's system in December. The attack chain ultimately led to the loading of a library called "komar65" — otherwise known as BugHatch. This custom downloader is a "sophisticated backdoor that deploys in process memory," according to Kaspersky.

"It executes an embedded block of shellcode within the memory space allocated to it using the Windows API," Kaspersky researchers noted in an analysis. "Subsequently, it connects to a command-and-control (C2) server, awaiting further instructions. It can receive commands to download software like Cobalt Strike Beacon and Metasploit. The use of Veeamp in the attack strongly suggests Cuba's involvement."

The security firm added, "Notably, the PDB file references the 'komar' folder, a Russian word for 'mosquito,' indicating the potential presence of Russian-speaking members within the group."

Kaspersky also found additional modules distributed by the Cuba group, enhancing the malware's functionality. One such module is responsible for collecting system information, which is then sent to a server via HTTP POST requests. And, the researchers discovered that BugHatch now has the capability of evading detection from security vendors by way of encrypted data. As Cuba's second proprietary malware, BURNTCIGAR is able to exploit I/O control codes and terminate kernel-level processes.

Cuba has in the past used a classic double extortion model to pressure its victims, with a hybrid encryption that provides a secure method of preventing decryption without the necessary key. But the latest findings prove that groups such as these are growing and evolving, making it all the more difficult to stay ahead of these newly refined, malicious tactics, warns Gleb Ivanov, SOC analyst at Kaspersky.

"This group poses a serious threat to businesses and will steal sensitive data that is used within the organization — source, code, software, etc.," he notes. "The innovation of this malware has not [been] seen before by attacks by this group."

The Need-to-Know for Potential Victims

The Russian-speaking ransomware group has targeted a variety of industries across North America, Europe, Oceania, and Asia, proving that it has a wide reach and the skill to target a diverse range of organizations, though most of its targets are of US origin.

A notable feature of the Cuba gang's operation is its ability to deceive those that are investigating it by altering compilation timestamps — an example of such behavior is when older malware samples found in 2020 had timestamps of that year, while newer versions of the samples had timestamps dating back to 1992.

With the gang's ability to manipulate its pursuers, remain dynamic in its tactics, and extract sensitive information such as financial documents, bank records, and the like, it is essential that vendors and organizations remain vigilant. "As ransomware gangs like Cuba evolve and refine their tactics, staying ahead of the curve is crucial to effectively mitigate potential attacks. With the ever-changing landscape of cyber threats, knowledge is the ultimate defense against emerging cybercriminals," according to Kaspersky's research report.

"It is important to make regular updates, close critical vulnerabilities and keep up with cybersecurity trends, and have a good defense team that can quickly detect and stop such threats," Ivanov says. "Even if you are surrounded by every possible defense, the threat may still get around you."

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights