Cuba ransomware affiliate targets Ukraine, CERT-UA warns

The Ukraine Computer Emergency Response Team (CERT-UA) warns of Cuba Ransomware attacks against critical networks in the country.

The Ukraine Computer Emergency Response Team (CERT-UA) warns of potential Cuba Ransomware attacks against local critical infrastructure.

On October 21, 2022, the Ukraine CERT-UA uncovered a phishing campaign impersonating the Press Service of the General Staff of the Armed Forces of Ukraine. The phishing messages included a link to a third-party website for downloading a document titled ‘Наказ_309.pdf’.

The web page was crafted to trick the reader into updating the software (PDF Reader) to read the document.

Upon clicking the “DOWNLOAD” button, the executable file named “AcroRdrDCx642200120169_uk_UA.exe” will be downloaded to the machine.

Running the above executable will decode and run the “rmtpak.dll” DLL file which is the ROMCOM RAT.

The researchers associated the use of the RomCom backdoor with threat actor Tropical Scorpius (aka UNC2596), tracked by CERT-UA as UAC-0132, which is responsible for the distribution of the Cuba Ransomware.

“Considering the use of the RomCom backdoor, as well as other features of the related files, we believe it is possible to associate the detected activity with the activity of the group Tropical Scorpius (Unit42) aka UNC2596 (Mandiant), which is responsible for the distribution of Cuba Ransomware; CERT-UA monitors activity under the identifier UAC-0132.” reads the alert published by Ukraine CERT.

Considering the use of the RomCom backdoor, as well as other features of the related files, we believe it is possible to associate the detected activity with the activity of the group Tropical Scorpius (Unit42) aka UNC2596 (Mandiant), which is responsible for the distribution of Cuba Ransomware; CERT-UA monitors activity under the identifier UAC-0132.

Beginning in early May 2022, the Palo Alto Network’s Unit 42 observed the Tropical Scorpius threat actor deploying Cuba Ransomware using novel tools and techniques, including the custom backdoor RomCom.

The alert also includes Indicators of Compromise for this campaign.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Cuba ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]