Tropical Scorpius, the threat actor behind the Cuba ransomware, has been seen using new tooling in their campaigns, including a new Remote Access Trojan (RAT) and a privilege escalation tool. While the Cuba ransomware payload has remained largely unchanged, the threat actor is now using new tactics, techniques, and procedures (TTPs) as part of the infection and post-exploitation steps.
To evade detection, Tropical Scorpius leveraged a dropper that writes a kernel driver to the system to target and terminate security products. This driver was signed using an NVIDIA certificate found as part of the LAPSUS NVIDIA leak from February. For local privilege escalation on the infected system, the actor utilized CVE-2022-24521, a logic bug in the Common Log File System (CLFS) that allows code execution with System-level privileges. To achieve Domain Admin on the network, Tropical Scorpius was seen utilizing a custom tool to exploit CVE-2020-1472, also known as ZeroLogon. ZeroLogon is a vulnerability in Microsoft’s Netlogon process that allows an attacker to impersonate any computer, including a domain controller, and execute remote procedure calls on its behalf. Finally, Tropical Scorpius used a custom RAT, dubbed ROMCOM RAT, for command and control of infected systems. This RAT uses ICMP for its C2 communication and supports numerous commands, including starting a reverse shell and taking screenshots of the active desktop.
The evolution of their tooling and TTPs shows Tropical Scorpius’ desire to become an even greater threat in the world. They should be expected to continue to fine-tune their tooling and adopt even more sophisticated techniques to infect as many victims as possible.
Due to Tropical Scorpius’ use of numerous vulnerabilities, it is highly recommended to make sure all systems are up to date on patches and that a regular patching process is implemented across the organization. Both CVE-2020-1472 and CVE-2022-24521 have been patched by Microsoft, making these techniques by Tropical Scorpius ineffective against organizations that have applied the patches. It is also recommended to deploy an EDR solution across the environment that can perform in-memory inspection and detect process injection techniques. This helps not only with prevention but also with detection. Finally, it is recommended to deploy active logging capabilities that can be used to detect suspicious behavior. Tropical Scorpius exhibits behaviors that would be considered abnormal in an environment, such as the termination of security products, atypical processes making external network connections, and suspicious behavior stemming from Domain Admin accounts. These are all post-exploitation behaviors that can be detected to identify many threat groups in addition to the Cuba Ransomware group. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
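As an added illustration of the logging-based detection recommended above (example code written for this page, not Binary Defense tooling), the following pass runs three simple rules over constructed Sysmon-style events: a security product process terminating, a kernel driver loading from outside the usual drivers directory, and a non-allowlisted process connecting to an external address. The product names, allowlist and sample events are all assumptions made for the example.

```python
import ipaddress
from pathlib import PureWindowsPath

# Illustrative sets; a real deployment would tune these to its own estate.
SECURITY_PRODUCTS = {"msmpeng.exe", "sentinelagent.exe", "csfalconservice.exe"}
NETWORK_NORMAL = {"chrome.exe", "msedge.exe", "outlook.exe", "svchost.exe"}
DRIVER_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")

def _name(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()

def detect(events):
    """Return one finding string per suspicious Sysmon-style event.
    EventID 5 = process terminated, 6 = driver loaded, 3 = network connection."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 5 and _name(ev["Image"]) in SECURITY_PRODUCTS:
            findings.append(f"security product terminated: {ev['Image']}")
        elif eid == 6 and DRIVER_DIR not in PureWindowsPath(ev["ImageLoaded"]).parents:
            # Path-based rule: a validly signed driver loaded from a user-writable
            # location is still worth a look, whatever the signer string says.
            findings.append(f"driver loaded outside drivers dir: {ev['ImageLoaded']} "
                            f"signer={ev.get('Signature')}")
        elif eid == 3:
            dst = ipaddress.ip_address(ev["DestinationIp"])
            if dst.is_global and _name(ev["Image"]) not in NETWORK_NORMAL:
                findings.append(f"atypical external connection: {ev['Image']} -> {dst}")
    return findings

# Constructed sample events (not real telemetry); 93.184.216.34 is example.com.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 5, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\drv.sys",
     "Signature": "NVIDIA Corporation", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "93.184.216.34"},
    {"EventID": 3, "Image": r"C:\Users\Public\svc.exe", "DestinationIp": "93.184.216.34"},
    {"EventID": 3, "Image": r"C:\Users\Public\svc.exe", "DestinationIp": "10.0.0.5"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Sysmon network events cover TCP and UDP only, so the ICMP-based C2 described above will not appear in EventID 3 and needs network-layer telemetry such as firewall or flow logs.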