

Bughatch : Cuba Ransomware Sep 2023 Alert !




The Cuba ransomware group is back in the headlines. In a recent report we were able to consult, Kaspersky details its latest findings on this formidable group, which deploys hard-to-detect malware against organizations worldwide (oil companies, financial services, government agencies) in France and elsewhere. The investigation began in December 2022 with the discovery of three suspicious files on a client's server; that finding set off a chain of events that led to the identification of the komar65 library, also known as Bughatch.

Sophisticated ransomware and a Cuba-Russia link

How does Bughatch, the backdoor that hides in process memory, work? In short, it runs an embedded block of shellcode (a self-contained piece of position-independent machine code) inside memory it allocates through the Windows API, then connects to a command and control (C2) server and waits for instructions. From there the backdoor can download further payloads such as Cobalt Strike Beacon and Metasploit. The presence of Veeamp strongly suggests that the Cuba group is behind these attacks.

Let's turn to the term "komar", found in the PDB path. It is the Russian word for "mosquito", which suggests that the Cuba group includes Russian-speaking members. Further analysis by Kaspersky's researchers turned up other modules that Cuba uses to extend the malware's functionality; one of them collects system information and sends it to a server via HTTP POST requests.
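Both behaviours above (a backdoor polling its C2 for instructions and a module that POSTs collected system information to a server) leave the same trace in proxy or firewall logs: a regular stream of POST requests from one internal host to one external host, with near-constant request size and a sleep interval that varies only by the implant's jitter. The following is an added example, not code from the Kaspersky report or from the Cuba toolset, that flags such streams. The log lines and their five-column layout (timestamp, source IP, method, destination host, request bytes) are constructed for the example, and the thresholds are illustrative assumptions.

```python
"""Flag HTTP POST beaconing from proxy logs (added example; constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample proxy log (not real traffic). Columns are an assumption:
# timestamp, source IP, method, destination host, request bytes.
SAMPLE_LOG = """\
2023-09-11T08:00:00 10.0.0.5 GET  www.example.com 512
2023-09-11T08:00:03 10.0.0.5 POST c2.example.net 1024
2023-09-11T08:05:02 10.0.0.5 POST c2.example.net 1030
2023-09-11T08:10:05 10.0.0.5 POST c2.example.net 1021
2023-09-11T08:15:01 10.0.0.5 POST c2.example.net 1027
2023-09-11T08:20:04 10.0.0.5 POST c2.example.net 1024
2023-09-11T08:20:06 10.0.0.5 GET  www.example.com 2048
2023-09-11T08:25:03 10.0.0.5 POST c2.example.net 1022
2023-09-11T08:01:00 10.0.0.7 POST mail.example.org 35000
2023-09-11T09:13:00 10.0.0.7 POST mail.example.org 1200
2023-09-11T11:47:00 10.0.0.7 POST mail.example.org 88000
"""


def parse_log(text):
    """Parse the whitespace-separated sample format into (time, src, method, host, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, size = line.split()
        records.append((datetime.fromisoformat(ts), src, method, host, int(size)))
    return records


def find_beacons(records, min_posts=5, max_interval_jitter=0.2, max_size_jitter=0.1):
    """Return {(src, host): (median_interval_s, post_count)} for POST streams that look like beacons.

    A beacon is a stream of at least min_posts POSTs whose inter-arrival times and request
    sizes all stay within the given relative distance of their medians. The thresholds are
    illustrative assumptions, not values taken from the report.
    """
    streams = defaultdict(list)
    for ts, src, method, host, size in records:
        if method == "POST":
            streams[(src, host)].append((ts, size))

    beacons = {}
    for key, events in streams.items():
        if len(events) < min_posts:
            continue
        events.sort()
        intervals = [(later - earlier).total_seconds()
                     for (earlier, _), (later, _) in zip(events, events[1:])]
        sizes = [size for _, size in events]
        med_interval, med_size = median(intervals), median(sizes)
        if med_interval <= 0 or med_size <= 0:
            continue  # a burst of POSTs within one second is an upload, not a sleep loop
        # jitter = largest relative deviation from the median; implants add a small random sleep
        interval_jitter = max(abs(i - med_interval) for i in intervals) / med_interval
        size_jitter = max(abs(s - med_size) for s in sizes) / med_size
        if interval_jitter <= max_interval_jitter and size_jitter <= max_size_jitter:
            beacons[key] = (med_interval, len(events))
    return beacons


if __name__ == "__main__":
    for (src, host), (interval, count) in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {host}: {count} POSTs roughly every {interval:.0f}s")
```

On the sample data this reports 10.0.0.5 posting to c2.example.net six times at about 299 s intervals, while the irregular, differently sized POSTs from 10.0.0.7 to the mail host are left alone. Run it over a day of logs grouped per source and destination, tune min_posts and the jitter bounds to your environment, and treat a hit as a lead to pivot on (the process owning the socket, destination reputation), not as proof on its own.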


Experts have also identified new malware samples attributed to Cuba that slip past the advanced detection of some security vendors. These are recent iterations of the Burntcigar malware, which now uses encrypted data to evade antivirus detection.




Malware is particularly difficult to detect, and that's the whole problem

As things stand, cyber specialists stress the importance of keeping up with threat reports and intelligence, because ransomware gangs like Cuba evolve quickly and refine their tactics day by day. There is no mystery here: as the threat landscape keeps shifting, knowledge is the best defense against these emerging cybercriminal groups.

The trouble is that Cuba is a single-file ransomware strain, which makes it particularly hard to detect: it operates without any additional libraries. The Russian-speaking group targets a wide range of sectors, including retail, finance, logistics, government and healthcare agencies, and manufacturing, across several regions of the world. France is among the affected countries, though to a lesser extent than Germany, the United States, Australia, China, the United Kingdom and Italy.




Cuba's operators use a mix of public and proprietary tools and update their arsenal regularly. They rely on tactics such as Bring Your Own Vulnerable Driver (BYOVD), loading a legitimately signed but vulnerable driver to gain kernel-level access, and they alter file timestamps to mislead investigators. Their approach does not stop at encrypting data: they also exfiltrate sensitive information, which puts software development companies at particular risk. And although Cuba has been in the spotlight for some time, the group remains active and keeps refining its techniques.
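Timestamp tampering of the kind mentioned above is normally done through the user-mode file-time API, which rewrites only the $STANDARD_INFORMATION timestamps of an NTFS file; the $FILE_NAME timestamps in the same MFT record are written by the kernel at creation and on rename, and are not touched. The following added example (not from the Kaspersky report or from the Cuba toolset) checks parsed MFT records for the two classic indicators: an SI time that predates the matching FN time, and SI times whose 100-nanosecond fraction is exactly zero, as left behind by tools that set whole seconds. The records are constructed for the example, and the dict layout is an assumption about what an MFT parser's export would give you.

```python
"""Check parsed NTFS MFT records for timestomping indicators (added example; constructed data)."""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # NTFS FILETIME resolution is 100 ns


def filetime(iso_seconds, ticks_in_second=0):
    """Build a FILETIME value from a whole-second ISO time plus 100-ns ticks (sample-data helper)."""
    dt = datetime.fromisoformat(iso_seconds).replace(tzinfo=timezone.utc)
    return int((dt - EPOCH_1601).total_seconds()) * TICKS_PER_SECOND + ticks_in_second


def ticks_to_iso(ticks):
    """Render a FILETIME as an ISO 8601 UTC string (microsecond precision is enough for reporting)."""
    return (EPOCH_1601 + timedelta(microseconds=ticks // 10)).isoformat()


# Constructed MFT records. The layout (path plus SI/FN created and modified FILETIMEs) is an
# assumption about what an MFT parser's export provides; none of these files are real.
SAMPLE_MFT = [
    {   # untouched file: SI and FN agree and carry a sub-second fraction
        "path": r"C:\Windows\System32\drivers\legit.sys",
        "si_created": filetime("2023-03-02T10:15:41", 6_273_810),
        "si_modified": filetime("2023-03-02T10:15:41", 6_273_810),
        "fn_created": filetime("2023-03-02T10:15:41", 6_273_810),
        "fn_modified": filetime("2023-03-02T10:15:41", 6_273_810),
    },
    {   # stomped: SI pushed back to 2019 in whole seconds, FN still shows the real drop time
        "path": r"C:\Windows\Temp\loader.dll",
        "si_created": filetime("2019-06-14T03:00:00"),
        "si_modified": filetime("2019-06-14T03:00:00"),
        "fn_created": filetime("2023-09-11T08:00:02", 4_418_220),
        "fn_modified": filetime("2023-09-11T08:00:02", 4_418_220),
    },
    {   # installer-extracted: SI restored from the package with full precision, FN at install time
        "path": r"C:\Program Files\Vendor\app.exe",
        "si_created": filetime("2023-08-30T12:00:00", 1_234_567),
        "si_modified": filetime("2023-08-30T12:00:00", 1_234_567),
        "fn_created": filetime("2023-09-11T08:00:02", 5_000_001),
        "fn_modified": filetime("2023-09-11T08:00:02", 5_000_001),
    },
]


def check_record(rec, tolerance_ticks=TICKS_PER_SECOND):
    """Return the list of indicators found on one record; an empty list means nothing suspicious.

    SetFileTime and similar user-mode calls rewrite only $STANDARD_INFORMATION (SI); the
    $FILE_NAME (FN) copy is written by the kernel at creation and on rename, so SI predating
    FN by more than the tolerance, or SI carrying an exactly-zero sub-second fraction, points
    to someone having set the SI times by hand.
    """
    reasons = []
    for field in ("created", "modified"):
        si, fn = rec[f"si_{field}"], rec[f"fn_{field}"]
        if si + tolerance_ticks < fn:
            reasons.append(f"si_{field} {ticks_to_iso(si)} predates fn_{field} {ticks_to_iso(fn)}")
        if si % TICKS_PER_SECOND == 0:
            reasons.append(f"si_{field} has a zero sub-second fraction")
    return reasons


def scan(records):
    """Map path -> indicators for every record that has at least one."""
    hits = {}
    for rec in records:
        reasons = check_record(rec)
        if reasons:
            hits[rec["path"]] = reasons
    return hits


if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_MFT).items():
        print(path)
        for reason in reasons:
            print("   ", reason)
```

On the sample records the dropped loader.dll trips all four checks, the installer-extracted app.exe trips only the SI-before-FN checks, and the untouched driver is clean. That middle case is the caveat: installers and archive extractors set file times through the same API, so SI-before-FN hits under Program Files or Windows are routine, and the zero-fraction indicator together with the file's location is what separates them from a dropped payload. Bear in mind too that a stomped file which is later renamed or moved gets fresh FN timestamps copied from SI, which erases the first indicator.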


What do you think, mates? :angel:
 