Cuba Ransomware Group Unleashes Undetectable Malware
Security researchers at Kaspersky have published research into the activities of the ransomware group known as Cuba. According to a new advisory published by Kaspersky earlier today, the cyber-criminal gang has been targeting organizations worldwide across a range of industries.
The technical write-up shows that in December 2022, Kaspersky detected a suspicious incident on a client's system. This initial discovery turned up three suspicious files that loaded the komar65 library, also referred to as BUGHATCH.
BUGHATCH is a backdoor that runs in process memory and connects to a command-and-control (C2) server to receive instructions. It can download additional tooling such as Cobalt Strike Beacon and Metasploit, and its exploitation of vulnerabilities in Veeam backup software strongly suggests Cuba's involvement.
Kaspersky's investigation also pointed to Russian-speaking members within the group, indicated by references to a "komar" folder ("mosquito" in Russian). The group has extended the malware with additional modules, including one that collects system information and sends it to a server via HTTP POST requests.
Additionally, Kaspersky found new malware samples attributed to Cuba on VirusTotal, some of which had evaded detection by other security vendors. These samples are updated versions of the BURNTCIGAR malware, which now encrypt their data to evade antivirus detection.
Read more on this exploit: Cuba Ransomware Group Steals Credentials Via Veeam Exploit
The Cuba ransomware itself ships as a single executable with no additional libraries, which makes it harder to detect. The Russian-speaking group targets various industries across North America, Europe, Oceania and Asia, using both public and proprietary tools. It continually updates its toolkit and uses tactics such as BYOVD (Bring Your Own Vulnerable Driver). Notably, the group alters the compilation timestamps in its PE files to mislead investigators.
Despite years in the cybersecurity spotlight, Cuba remains active and keeps refining its techniques, including its data encryption and tailored attacks aimed at extracting sensitive information.
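A practitioner triaging a suspected Cuba sample will want to check the timestamp trick mentioned above. The script below is an added example, not code from Kaspersky's report or from the article: it reads the COFF TimeDateStamp from a PE file's headers and flags it when it is implausible relative to an independent reference time (for instance the sample's first-seen time in a sandbox or on VirusTotal, or the file's mtime on the compromised host). The function names, the reference time and the minimal PE headers built by `build_fake_pe` are all constructed here for illustration; the fake headers are not a runnable executable.

```python
"""Detect implausible PE compile timestamps (added example, not from the report)."""
import struct
from datetime import datetime, timedelta, timezone

PE_SIGNATURE = b"PE\0\0"


def read_compile_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    # e_lfanew (offset of the PE signature) lives at 0x3C in the DOS header.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + 20 > len(data):
        raise ValueError("truncated PE header")
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def assess_timestamp(ts: int, reference: datetime, slack_days: int = 1) -> list[str]:
    """Return reasons the timestamp looks manipulated; an empty list means plausible.

    `reference` is an independent observation time (first-seen, mtime, ...).
    A compile time later than that observation cannot be genuine.
    """
    findings = []
    if ts == 0:
        # Reproducible builds also zero this field, so treat as unknown, not proof.
        findings.append("zeroed timestamp")
        return findings
    compiled = datetime.fromtimestamp(ts, tz=timezone.utc)
    if compiled > reference + timedelta(days=slack_days):
        findings.append(
            f"compile time {compiled:%Y-%m-%d} is after reference {reference:%Y-%m-%d}"
        )
    if compiled.year < 2000:
        findings.append(f"compile time {compiled:%Y-%m-%d} predates plausible toolchains")
    return findings


def build_fake_pe(timestamp: int) -> bytes:
    """Constructed minimal DOS + PE + COFF header for testing (not a valid executable)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=x64, 1 section, the timestamp under test, no symbols,
    # zero-length optional header, IMAGE_FILE_EXECUTABLE_IMAGE.
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0x0002)
    return bytes(dos) + PE_SIGNATURE + coff


if __name__ == "__main__":
    # Constructed scenario: the sample was first observed in December 2022.
    first_seen = datetime(2022, 12, 15, tzinfo=timezone.utc)
    samples = {
        "honest": build_fake_pe(int(datetime(2022, 12, 1, tzinfo=timezone.utc).timestamp())),
        "future": build_fake_pe(int(datetime(2030, 1, 1, tzinfo=timezone.utc).timestamp())),
        "ancient": build_fake_pe(1),
    }
    for name, blob in samples.items():
        ts = read_compile_timestamp(blob)
        print(name, ts, assess_timestamp(ts, first_seen) or "plausible")
```

Run this against a real sample by replacing the constructed blobs with `open(path, "rb").read()`; a mismatch between the header timestamp and the observation time is only one indicator, so corroborate with the timestamps in the debug directory and export table and with sandbox telemetry before drawing conclusions.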
In the report, Kaspersky emphasized the importance of staying informed and proactive against evolving cyber-threats and encouraged organizations to follow best practices to safeguard against ransomware.
“Our latest findings underscore the importance of access to the latest reports and threat intelligence. As ransomware gangs like Cuba evolve and refine their tactics, staying ahead of the curve is crucial to effectively mitigate potential attacks,” explained Gleb Ivanov, a cybersecurity expert at Kaspersky.
“With the ever-changing landscape of cyber-threats, knowledge is the ultimate defense against emerging cyber-criminals.”