Cuba ransomware cartel spoofs Ukraine armed forces

Ukraine’s governmental Computer Emergency Response Team (CERT UA) issued a warning earlier this week of an apparent Cuba ransomware campaign that is spoofing the press office of the General Staff of the Armed Forces of Ukraine in its phishing lures.

The malicious emails contain links to a third-party web resource to download a file, which leads to a web page that contains a message advising the victim to update their PDF reader. If the download button is clicked, an executable is downloaded to the system.

Ultimately, the attack chain leads to the deployment of a remote access trojan (RAT) known as Romcom, which is a relatively new malware known to be used by the operator of the Cuba ransomware, tracked by CERT-UA as UAC-0132, by Palo Alto Networks’ Unit 42 as Tropical Scorpius, and by Mandiant as UNC2596.

Pixel Privacy’s Chris Hauk commented: “We can expect to see attacks like this to be on the rise as long as the war continues between Ukraine and Russia. While I would normally stress the importance of educating users as to the risks of clicking links and opening attachments in unsolicited emails, I know that trying to survive in a war-torn country doesn’t leave much time for educational activities.

“Unfortunately, for-profit hacking groups are joining in on the cyber attacks against targets in Ukraine, increasing users’ cyber risks.”

Paul Bischoff, consumer privacy advocate at Comparitech, added: “Ukraine has been under a deluge of cyber attacks since the start of Russia’s invasion, and that’s not going to stop any time soon. This case is a fairly typical phishing message designed to trick the victim into downloading malware.

“It can be avoided by following a few simple best practices for operational security. Never click on links or messages in unsolicited emails, and always check the domain of the sender’s email address. Unfortunately, this campaign likely targeted hundreds or thousands of people, and only a fraction of them need to fall victim for the attack to be successful.”

According to Unit 42, Cuba first surfaced in late 2019 and has named and shamed over 60 victims on its leak site since then – its total number of victims is likely higher. It has likely netted at least $43.9m in ransom payments. It has targeted predominantly organisations in the US, but also in Australia, Austria, Canada, Colombia, India, Italy, Kuwait, Italy, Taiwan and the UAE.

Earlier this year, alongside a number of other new tactics, techniques and procedures (TTPs), the Cuba operation started to deploy Romcom, a custom RAT/backdoor that contains a unique command and control (C2) protocol and seems to be under active development.

“The group’s activity makes it clear that an approach to tradecraft using a hybrid of more nuanced tools focusing on low-level Windows internals for defence evasion and local privilege escalation can be highly effective during an intrusion,” the Unit 42 research team wrote. “Coupled with a splash of well-adopted and successful crimeware techniques, this presents unique challenges to defenders.

“Unit 42 recommends that defenders have advanced logging capabilities deployed and configured properly such as Sysmon, Windows Command Line logging and PowerShell logging – ideally forwarding to a security information and event management tool [SIEM] to create queries and detection opportunities. Keep computer systems patched and up to date wherever possible to reduce attack surface related to exploitation techniques.”