The Cuba Ransomware gang has teamed up with the spam operators behind the Hancitor malware to gain easier access to compromised corporate networks.
The Hancitor (Chanitor) downloader has been in operation since 2016, when Zscaler observed it distributing the Vawtrak information-stealing trojan. Since then, numerous campaigns have been seen over the years in which Hancitor installs password stealers such as Pony and Ficker and, more recently, Cobalt Strike.
Hancitor is typically distributed through malicious spam campaigns that pose as DocuSign invoices, as shown below.
When a recipient clicks the 'Sign document' link, they download a malicious Word document that tries to convince the target to disable the document's protections so that its content can run.
Once those protections are disabled, the malicious macros fire off to download and install the Hancitor downloader.
Cuba ransomware teams up with Hancitor
In a new report by cybersecurity firm Group-IB, researchers detected recent Hancitor campaigns dropping Cobalt Strike beacons on infected computers.
Cobalt Strike is a legitimate penetration-testing toolkit that uses beacons, or clients, deployed on compromised devices to remotely "create shells, execute PowerShell scripts, perform privilege escalation, or spawn a new session to create a listener on the victim system."
Ransomware gangs commonly use cracked versions of Cobalt Strike as part of their attacks to gain a foothold and spread laterally throughout a network.
After the Cobalt Strike beacons are deployed, Group-IB researchers say the threat actors use this remote access to gather network credentials and domain information and to spread throughout the network.
"The Beacon's capabilities were also used to scan the compromised network. In addition, the group leveraged some custom tools for network reconnaissance. The first tool is called Netping; it is a simple scanner able to gather information about alive hosts in the network and save it into a text file. The other tool, Protoping, collects information about available network shares."
"Built-in tools were also abused. For example, the adversary used the net view command to collect information about the hosts in the network and the nltest utility to collect information about the compromised domain," explains Group-IB in a report released today.
To move laterally from machine to machine, the threat actors use Remote Desktop and, if their Cobalt Strike beacons are detected, other backdoor malware such as SystemBC.
"Ficker stealer wasn't the only publicly advertised tool in the threat actors' arsenal. Another tool, which is becoming more and more popular among various ransomware operators, is SystemBC. Such additional backdoors allowed the attackers to download and execute additional payloads even when Cobalt Strike activity was detected and blocked," the researchers warned.
While moving through the network, unencrypted data is harvested and sent to remote servers under the attackers' control, to be used as part of a double-extortion strategy.
When the actors finally gain access to a domain admin's credentials, they deploy the ransomware executable via PsExec to encrypt devices on the network.
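The chain described above leaves a recognisable trail in process-creation telemetry: a Word document spawning a downloader, the built-in `net view` and `nltest` commands used for host and domain discovery, and PsExec invoked against remote hosts (which plants a PSEXESVC service binary on each target). The following detection logic is an added example, not code from Group-IB or from this article. It runs over constructed records shaped like Sysmon Event ID 1 (process creation) fields; the field names, hostnames, paths and command lines are assumptions for illustration, not real telemetry from the campaign.

```python
"""Stage the Hancitor -> Cobalt Strike -> PsExec chain from process-creation
events: Office spawning a loader, net view / nltest discovery, PsExec lateral
movement. Added example; event shape and all sample values are assumptions."""
import re
from collections import defaultdict

# Office parents that should never spawn a command interpreter or LOLBin.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SUSPICIOUS_OFFICE_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe",
                              "regsvr32.exe", "mshta.exe", "wscript.exe"}

# Built-in discovery commands the report says were abused. Matched on the
# command line rather than the image because `net view` runs as net.exe/net1.exe.
RECON_PATTERNS = {
    "net_view": re.compile(r"\bnet1?(\.exe)?\s+view\b", re.I),
    "nltest": re.compile(r"\bnltest(\.exe)?\s+/(dclist|domain_trusts|dsgetdc)", re.I),
}

# PsExec: the client is run against a UNC target on the source host, and the
# service binary PSEXESVC.exe appears on the target.
PSEXEC_SERVICE = "psexesvc.exe"
PSEXEC_CLIENT = re.compile(r"\bpsexec(64)?(\.exe)?\s+.*\\\\[\w.-]+", re.I)

STAGES = ("initial_access", "discovery", "lateral_movement")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return (stage, rule) for one event, or None if nothing matched."""
    image = _basename(event["image"])
    parent = _basename(event.get("parent_image", ""))
    cmdline = event.get("command_line", "")

    if parent in OFFICE_PARENTS and image in SUSPICIOUS_OFFICE_CHILDREN:
        return "initial_access", "office_spawned_" + image.split(".")[0]
    for name, pattern in RECON_PATTERNS.items():
        if pattern.search(cmdline):
            return "discovery", name
    if image == PSEXEC_SERVICE:
        return "lateral_movement", "psexesvc_on_target"
    if PSEXEC_CLIENT.search(cmdline):
        return "lateral_movement", "psexec_client"
    return None


def detect(events):
    """Run classify() over every event; return one alert dict per hit."""
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit:
            stage, rule = hit
            alerts.append({"host": ev["host"], "user": ev.get("user", ""),
                           "stage": stage, "rule": rule,
                           "command_line": ev.get("command_line", "")})
    return alerts


def hosts_with_full_chain(alerts):
    """Hosts on which all three stages fired: triage these first."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["host"]].add(a["stage"])
    return sorted(h for h, stages in seen.items() if stages.issuperset(STAGES))


# Constructed sample events (assumed hostnames, users and paths; not real data).
SAMPLE_EVENTS = [
    {"host": "WS-FIN-07", "user": "CORP\\jdoe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\stage.dll,Run"},
    {"host": "WS-FIN-07", "user": "CORP\\jdoe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "command_line": "net view /all"},
    {"host": "WS-FIN-07", "user": "CORP\\jdoe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\nltest.exe",
     "command_line": "nltest /dclist:corp.local"},
    {"host": "WS-FIN-07", "user": "CORP\\da-admin",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Tools\PsExec64.exe",
     "command_line": r"PsExec64.exe -accepteula \\FS01 -s -d C:\Windows\Temp\enc.exe"},
    {"host": "FS01", "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\PSEXESVC.exe", "command_line": r"C:\Windows\PSEXESVC.exe"},
    # Benign look-alikes that must not fire.
    {"host": "WS-HR-02", "user": "CORP\\asmith",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "command_line": r"net use Z: \\FS01\data"},
    {"host": "WS-HR-02", "user": "CORP\\asmith",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe", "command_line": "splwow64.exe"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["host"]:10} {a["stage"]:17} {a["rule"]:24} {a["command_line"]}')
    print("full chain on:", hosts_with_full_chain(SAMPLE_EVENTS and found))
```

The stage grouping matters more than any single rule: `net view` and `nltest` on their own are noisy in an administered domain, but the same host progressing from an Office-spawned loader through discovery to a PsExec launch within a short window is the pattern worth paging on. Netping and Protoping are custom binaries with no fixed command line, so they are best caught by the network-level symptom (one host sweeping many peers and share listings) rather than by process name.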
The partnership could speed up attacks
Since its launch at the end of 2019, Cuba Ransomware has not been particularly active compared to other operations such as REvil, Avaddon, Conti, and DoppelPaymer.
At the time of this writing, they have published the data of nine companies on their data leak site.
Their most publicized attack was against ATFS, a widely used payment processor for local and state governments.
With their attacks now fueled by spam campaigns, we should expect to see an uptick in victims soon.
It should also be noted that while Cuba Ransomware uses an image of Fidel Castro and is named after the country Cuba, a report by cybersecurity firm Profero concludes that the gang is based in Russia, because Profero found Russian-language text on the gang's data leak site and during negotiations.