The Cuba ransomware group, known for its Russian-speaking operators, continues to advance its tactics, posing a significant threat to organizations across the globe. Recent research by Kaspersky has unveiled new versions of the Cuba group’s malware, specifically the BurntCigar malware, showcasing the group’s ongoing evolution.
Kaspersky’s investigation began after an incident was detected on a client’s system in December. The attack led to the deployment of a sophisticated backdoor called “komar65” or BugHatch. This backdoor operates in process memory, executing embedded shellcode and connecting to a command-and-control server. It can receive instructions to download additional software, including notorious tools like Cobalt Strike Beacon and Metasploit. The use of Veeamp in the attack strongly suggests Cuba’s involvement.
The analysis also revealed references to a “komar” folder (“komar” is Russian for “mosquito”), hinting that some group members may be Russian speakers. Further modules were discovered that extend the malware’s capabilities, such as collecting system information and sending it to the operators via HTTP POST requests. BugHatch has also been equipped to evade security vendors’ detection by encrypting its data and by using I/O control codes to terminate processes at the kernel level.
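The two behaviours just described (system information leaving the host over HTTP POST, and security-vendor processes being terminated) are both visible in ordinary endpoint and proxy telemetry. The following is an added example, not code from Kaspersky’s research or from the malware itself: a small detection pass over constructed telemetry events. The event field names, the list of protected process images, the POST allowlist and the sample hosts are all assumptions made for illustration; a real deployment would substitute its own.

```python
"""Added example (not from the article or the research it summarizes): two
detection rules run over constructed endpoint/proxy telemetry, looking for
the behaviours described above: HTTP POST traffic to destinations that are
not expected to receive it, and forced termination of security-vendor
processes. Field names, process names and hosts are assumptions."""
from dataclasses import dataclass

# Assumed image names of security-vendor processes worth protecting.
PROTECTED_PROCESSES = {
    "msmpeng.exe", "sentinelagent.exe", "avp.exe", "csfalconservice.exe",
}
# Assumed allowlist of hosts endpoints may legitimately POST to (constructed).
ALLOWED_POST_HOSTS = {"updates.example-corp.internal", "telemetry.vendor.example"}


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def check_process_kill(event):
    """Flag a process-termination event whose target is a protected process."""
    if event.get("type") != "process_terminate":
        return None
    target = event.get("target_image", "").lower()
    if target in PROTECTED_PROCESSES:
        return Alert("security_process_terminated", event["host"],
                     f"{event.get('source_image')} terminated {target}")
    return None


def check_http_post(event):
    """Flag an HTTP POST to a destination outside the allowlist."""
    if event.get("type") != "http_request" or event.get("method") != "POST":
        return None
    dest = event.get("dest_host", "").lower()
    if dest not in ALLOWED_POST_HOSTS:
        size = event.get("bytes_out", 0)
        return Alert("unexpected_http_post", event["host"],
                     f"{event.get('source_image')} POST to {dest} ({size} bytes)")
    return None


RULES = (check_process_kill, check_http_post)


def run_detections(events):
    """Apply every rule to every event and collect the resulting alerts."""
    alerts = []
    for ev in events:
        for rule in RULES:
            alert = rule(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry (203.0.113.10 is a documentation-range address).
SAMPLE_EVENTS = [
    {"type": "http_request", "host": "ws01", "source_image": "chrome.exe",
     "method": "GET", "dest_host": "www.example.com"},
    {"type": "http_request", "host": "ws01", "source_image": "svchost.exe",
     "method": "POST", "dest_host": "203.0.113.10", "bytes_out": 4096},
    {"type": "process_terminate", "host": "ws01", "source_image": "updater.exe",
     "target_image": "MsMpEng.exe"},
    {"type": "process_terminate", "host": "ws01", "source_image": "explorer.exe",
     "target_image": "notepad.exe"},
    {"type": "http_request", "host": "ws02", "source_image": "agent.exe",
     "method": "POST", "dest_host": "telemetry.vendor.example", "bytes_out": 900},
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Run against the constructed events, the pass raises exactly two alerts: the POST from `svchost.exe` to an address outside the allowlist, and the termination of `MsMpEng.exe`. The termination rule deliberately ignores which process issued the kill, because the point of the behaviour described above is that the kill arrives through an unexpected path; the POST rule is an allowlist rather than a blocklist for the same reason.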
Cuba has employed a classic double extortion model, threatening victims with data encryption and public exposure. The group’s extensive targeting spans multiple industries across North America, Europe, Oceania, and Asia, primarily focusing on US-based organizations. Their ability to manipulate compilation timestamps and remain dynamic in their tactics poses a considerable challenge for investigators.
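Because the group manipulates compilation timestamps, the `TimeDateStamp` field in a sample’s COFF header cannot be taken at face value during an investigation. The following added example (not from the article or from Kaspersky) reads that field from a minimal, constructed PE header and classifies it against independent evidence such as the time the sample was first observed. The plausibility thresholds are assumptions chosen for illustration.

```python
"""Added example (not the article's or Kaspersky's code): extract the COFF
TimeDateStamp from a PE file and sanity-check it against independent evidence,
since a compile timestamp an attacker controls is not a reliable timeline fact.
The minimal PE header is constructed here so the example runs offline."""
import struct
from datetime import datetime, timezone

# Assumed threshold: compile times before this date are treated as implausible.
OLDEST_PLAUSIBLE = int(datetime(1995, 1, 1, tzinfo=timezone.utc).timestamp())


def build_minimal_pe(timestamp):
    """Constructed: just enough DOS stub + PE signature + COFF header to carry
    a TimeDateStamp. Not a loadable executable."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew -> PE header at 64
    coff = struct.pack("<IHHIIIHH",
                       0x00004550,                  # "PE\0\0" signature
                       0x8664,                      # Machine: x86-64
                       1,                           # NumberOfSections
                       timestamp,                   # TimeDateStamp
                       0, 0,                        # symbol table pointer/count
                       0, 0)                        # optional hdr size, flags
    return bytes(dos) + coff


def pe_timestamp(data):
    """Return the COFF TimeDateStamp (seconds since the Unix epoch)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # TimeDateStamp sits 8 bytes past the signature (after Machine, NumberOfSections).
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def assess_timestamp(compile_ts, first_seen_ts):
    """Classify a compile timestamp relative to when the sample was first seen.

    'future' means it claims to have been built after it was already observed,
    which cannot be true; 'zeroed' and 'implausibly_old' are common signs of
    a stripped or forged field; only 'plausible' is consistent with the evidence.
    """
    if compile_ts == 0:
        return "zeroed"
    if compile_ts < OLDEST_PLAUSIBLE:
        return "implausibly_old"
    if compile_ts > first_seen_ts:
        return "future"
    return "plausible"


def triage(data, first_seen_ts):
    """Extract and assess in one step; returns (timestamp, verdict)."""
    ts = pe_timestamp(data)
    return ts, assess_timestamp(ts, first_seen_ts)


if __name__ == "__main__":
    first_seen = int(datetime(2023, 7, 22, tzinfo=timezone.utc).timestamp())
    for label, ts in [("honest", 1_680_000_000), ("forged_future", 1_700_000_000),
                      ("zeroed", 0), ("forged_old", 500_000_000)]:
        stamp, verdict = triage(build_minimal_pe(ts), first_seen)
        when = datetime.fromtimestamp(stamp, timezone.utc).isoformat()
        print(f"{label:14s} TimeDateStamp={when}  verdict={verdict}")
```

The useful output is the verdict, not the date itself: a sample that “compiles” after it was first seen, or in 1985, tells the analyst that this field was set deliberately and that the timeline must be rebuilt from sources the attacker did not control, such as file-system metadata, EDR first-seen records or proxy logs.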
Gleb Ivanov, SOC analyst at Kaspersky, emphasizes the gravity of the threat: “This group poses a serious threat to businesses and will steal sensitive data that is used within the organization — source code, software, etc. The innovation of this malware has not [been] seen before by attacks by this group.”
As ransomware groups like Cuba continually refine their methods, organizations must remain vigilant to mitigate potential attacks effectively. Staying informed about emerging cyber threats, updating systems, addressing vulnerabilities, and maintaining a robust defense team are vital defenses in this ever-evolving cybersecurity landscape.