Kaspersky security researchers have revealed research into the activities of the notorious ransomware group known as Cuba. According to a new advisory published by Kaspersky earlier today, the notorious cybercriminal gang is targeting organizations across the globe, spanning various industries.
The technical note shows that in December 2022, Kaspersky detected a suspicious incident on a customer’s system. This initial discovery uncovered three mysterious files that led to the activation of the komar65 library, also known as BUGHATCH.
BUGHATCH is a sophisticated backdoor that operates in process memory, connecting to a command and control (C2) server to receive instructions. This malware can download software such as Cobalt Strike Beacon and Metasploit, and its use of Veeamp backup software vulnerabilities strongly suggests Cuban involvement.
Kaspersky’s investigation also revealed the presence of Russian-speaking members within the group, indicated by references to the “komar” file, which translates to “mosquito” in Russian. The group further enhanced the malware’s capabilities with additional modules, including one responsible for collecting and sending system information to a server via HTTP POST requests.
Additionally, Kaspersky discovered new malware samples attributed to Cuba on VirusTotal, some of which had escaped detection by other security vendors. These samples represent updated versions of the BURNTCIGAR malware, incorporating encrypted data to avoid antivirus detection.
Learn more about this exploit: Cuba Ransomware Group Steals Credentials via Veeam Exploit
Cuba, a single-file ransomware strain, works without additional libraries, making it difficult to detect. This Russian-speaking group targets various industries in North America, Europe, Oceania, and Asia, using both public and proprietary tools. They continually update their toolbox and use tactics like BYOVD (Bring Your Own Vulnerable Driver). In particular, they manipulate compilation timestamps to mislead investigators.
Despite its prolonged presence in the cybersecurity spotlight, Cuba remains dynamic and constantly refines its techniques, including data encryption and tailor-made attacks aimed at extracting sensitive information.
In the report, Kaspersky highlighted the importance of staying informed and proactive in the face of evolving cyber threats and encouraged organizations to follow best practices to protect yourself against ransomware.
“Our latest findings highlight the importance of access to the latest threat reports and intelligence. As ransomware gangs like Cuba evolve and refine their tactics, it is crucial to stay ahead of the curve to effectively mitigate potential attacks,” explained Gleb Ivanov, cybersecurity expert at Kaspersky.
“As cyber threats continue to evolve, knowledge is the ultimate defense against emerging cybercriminals. »