Tropical Scorpius, the threat actor behind the Cuba ransomware, has been seen using new tooling in its campaigns, including a new Remote Access Trojan (RAT) and a privilege escalation tool. While the Cuba ransomware payload itself has remained largely unchanged, the threat actor now uses new tactics, techniques, and procedures (TTPs) during the infection and post-exploitation stages.
To evade detection, Tropical Scorpius used a dropper that writes a kernel driver to disk whose job is to locate and terminate security products. The driver was signed with an NVIDIA code-signing certificate exposed in the February 2022 LAPSUS$ leak of NVIDIA data, lending it the appearance of a legitimately signed driver. For local privilege escalation on the infected host, the actor exploited CVE-2022-24521, a logic bug in the Windows Common Log File System (CLFS) driver that lets a local attacker run code with SYSTEM privileges. To reach Domain Admin on the network, Tropical Scorpius was seen using a custom tool to exploit CVE-2020-1472, also known as ZeroLogon. ZeroLogon is a flaw in the Netlogon Remote Protocol (MS-NRPC) that lets an attacker with network access to a domain controller authenticate as any machine account, including the domain controller's own, and issue Netlogon remote procedure calls on its behalf; Microsoft patched it in August 2020, so its presence in a 2022 intrusion points to unpatched or enforcement-mode-disabled domain controllers. Finally, Tropical Scorpius used a custom RAT, dubbed ROMCOM RAT, for command and control of infected systems. The RAT uses ICMP for its C2 communication and supports numerous commands, including spawning a reverse shell and capturing screenshots of the active desktop.
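ICMP C2 of the kind described above hides in traffic that most environments allow by default, so a useful first check is whether a host's echo requests still look like the stock `ping` utilities produce. The following is an added example (not code from the original report and not ROMCOM RAT's own protocol): it scores each source/destination pair by how many of its echo requests carry payloads that are neither the Windows nor the iputils default pattern and that have ciphertext-like entropy. The ICMP records, the `IcmpRecord` layout, the thresholds and the pseudo-random "beacon" payload are all constructed for the example.

```python
"""Heuristic detection of ICMP echo-based C2 over constructed ICMP records (added example)."""
import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass

ECHO_REQUEST = 8

# Payloads emitted by the stock ping utilities, used as the "known benign" baseline.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # ping.exe default, 32 bytes
LINUX_PING_PATTERN = bytes(range(0x10, 0x40))               # iputils: 8-byte timestamp + 0x10..0x3f


@dataclass(frozen=True)
class IcmpRecord:
    """Minimal ICMP record as a sensor might export it (constructed layout, not a real log format)."""
    ts: float
    src: str
    dst: str
    icmp_type: int
    payload: bytes


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_default_ping_payload(payload: bytes) -> bool:
    """True if the payload matches what Windows ping.exe or Linux iputils ping sends by default."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    return len(payload) == 56 and payload[8:] == LINUX_PING_PATTERN


def score_pairs(records, min_packets=8, entropy_threshold=5.0, suspicious_fraction=0.5):
    """Return {(src, dst): reason} for pairs whose echo requests look like a covert channel.

    A pair is flagged when it sent at least min_packets echo requests and at least
    suspicious_fraction of them carry a non-default payload with entropy >= entropy_threshold.
    """
    by_pair = defaultdict(list)
    for r in records:
        if r.icmp_type == ECHO_REQUEST:
            by_pair[(r.src, r.dst)].append(r)
    flagged = {}
    for pair, pkts in by_pair.items():
        if len(pkts) < min_packets:
            continue
        suspicious = [p for p in pkts
                      if not is_default_ping_payload(p.payload)
                      and shannon_entropy(p.payload) >= entropy_threshold]
        if len(suspicious) / len(pkts) >= suspicious_fraction:
            sizes = sorted({len(p.payload) for p in suspicious})
            flagged[pair] = (f"{len(suspicious)}/{len(pkts)} echo requests carry non-default, "
                             f"high-entropy payloads (sizes {sizes})")
    return flagged


def _pseudo_random(seed: str, length: int) -> bytes:
    """Deterministic stand-in for an encrypted C2 payload (constructed, not real ROMCOM traffic)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:length]


def build_sample_records():
    """Constructed sample: benign Windows and Linux pings, one beaconing host, one too-quiet host."""
    recs = []
    for i in range(10):   # normal Windows ping to the gateway
        recs.append(IcmpRecord(1000 + i, "10.0.0.5", "10.0.0.1", ECHO_REQUEST, WINDOWS_PING_PAYLOAD))
    for i in range(10):   # normal Linux ping; the 8-byte timestamp prefix varies per packet
        payload = (1000 + i).to_bytes(8, "little") + LINUX_PING_PATTERN
        recs.append(IcmpRecord(1000 + i, "10.0.0.6", "10.0.0.1", ECHO_REQUEST, payload))
    for i in range(12):   # beacon every 30 s with 128 bytes of ciphertext-like payload
        recs.append(IcmpRecord(1000 + 30 * i, "10.0.0.7", "198.51.100.23", ECHO_REQUEST,
                               _pseudo_random(f"beacon:{i}", 128)))
    for i in range(3):    # odd payloads but too few packets to judge
        recs.append(IcmpRecord(1000 + i, "10.0.0.8", "203.0.113.9", ECHO_REQUEST,
                               _pseudo_random(f"quiet:{i}", 64)))
    return recs


if __name__ == "__main__":
    for pair, reason in score_pairs(build_sample_records()).items():
        print(f"{pair[0]} -> {pair[1]}: {reason}")
```

Two caveats a practitioner should keep in mind: a C2 implant can pad its traffic to mimic the default ping payloads exactly, so payload shape alone is a weak signal and should be combined with volume and beaconing regularity per pair; and the thresholds here are starting points to tune against a baseline of the monitoring tools in your own environment, which often send non-default ICMP payloads themselves.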
The evolution of its tooling and TTPs shows Tropical Scorpius' intent to become a more capable threat. The group should be expected to keep fine-tuning its tooling and to adopt more sophisticated techniques in order to infect as many victims as possible.