Cyber Security

Cuba ransomware affiliate targets Ukrainian govt agencies

Published

on

The Computer Emergency Response Team of Ukraine (CERT-UA) has issued an alert about potential Cuba Ransomware attacks against critical networks in the country.

Starting on October 21, CERT-UA observed a new wave of phishing emails that impersonated the Press Service of the General Staff of the Armed Forces of Ukraine, urging recipients to click on an embedded link.

Malicious email distributed in Ukraine (CERT-UA)

The link takes the recipient to a third-party web page to supposedly download a document named “Наказ_309.pdf,” but they are shown a fake alert stating that the visitor needs to update their PDF reader software first.

The website then urges the visitor to click on a “DOWNLOAD” button, which leads to the download of an executable (“AcroRdrDCx642200120169_uk_UA.exe”) resembling an Acrobat Reader installer.

However, running this file will install and execute the “rmtpak.dll” DLL file, which is Cuba Ransomware’s signature malware known as “ROMCOM RAT.”

Payload-dropping website (CERT-UA)

ROMCOM was first spotted by researchers at Palo Alto Networks in August 2022, naming the Cuba Ransomware affiliate using the new malware as “Tropical Scorpius.”

This malware allows the threat actors to perform file operations on the host, steal data, spawn spoofed processes, start reverse shells, and more.

“Considering the use of the RomCom backdoor, as well as other features of the related files, we believe it is possible to associate the detected activity with the activity of the group Tropical Scorpius (Unit42) aka UNC2596 (Mandiant), which is responsible for the distribution of Cuba Ransomware,” concludes the CERT-UA announcement.

Another report published yesterday by BlackBerry gives some additional details about the use of ROMCOM against military institutions in Ukraine, explaining that the malicious executable used in the attacks is signed with a valid digital certificate.

ROMCOM signature (BlackBerry)

BlackBerry also highlights other victims of the malware, located in the Philippines, Brazil, and the United States.

In these cases, the attackers use a different payload-dropping site spoofing the legitimate “Advanced IP Scanner” site. Notably, BlackBerry’s report didn’t link ROMCOM RAT to any threat actors.

Second malware-dropping website (BlackBerry)

In September 2022, it was revealed that Cuba Ransomware had hit the small Balkan country of Montenegro, demanding a ransom payment of $10,000,000.

While that incident was initially given a geo-political hue, Cuba Ransomware isn’t among the hackers who have declared interest in hacktivism, and neither did they take sides in the conflict between Russia and Ukraine.

Source: https://www.bleepingcomputer.com/news/security/cuba-ransomware-affiliate-targets-ukrainian-govt-agencies/

Click to comment
Exit mobile version