Privacy Ninja

Hacker Uses New RAT Malware in Cuba Ransomware Attacks

Hacker Uses New RAT Malware in Cuba Ransomware Attacks

A member of the Cuba ransomware operation is employing previously unseen tactics, techniques, and procedures (TTPs), including a novel RAT (remote access trojan) and a new local privilege escalation tool.

The threat actor was named ‘Tropical Scorpius’ by researchers at Palo Alto Networks Unit 42 and is likely an affiliate of the Cuba ransomware operation.

Cuba ransomware underwent a minor refresh in Q1 2022, using an updated encryptor with more nuanced options and adding quTox for live victim support.

However, Tropical Scorpius marks a shift to new tactics, making the Cuba operation potentially more dangerous and intrusive.

Tropical Scorpius TTPs

The threat actor, Tropical Scorpius, uses the standard Cuba ransomware payload, which has remained largely unchanged since the operation launched in 2019.

Also Read: Top 11 Ultimate Cold Calling Guidelines To Boost Your Sales

One of the new techniques since June 2022 is using a legitimate but invalidated NVIDIA certificate stolen and leaked by LAPSUS to sign a kernel driver dropped at the initial stages of an infection.

Digital signature on the driver
Stolen digital signature on the driver (Unit 42)

The driver’s task is to discover processes belonging to security products and terminate them to help the threat actors evade detection in the compromised environment.

Security products targeted by the driver
Security products targeted by the driver (Unit 42)

Next, Tropical Scorpius fetches a local privilege escalation tool that features an exploit for CVE-2022-24521, a flaw in the Windows Common Log File System Driver fixed as a zero-day in April 2022.

According to Unit 42, the hackers implemented an exploitation strategy that appears to be inspired by a detailed write-up by security researcher Sergey Kornienko.

In the next phase, Tropical Scorpius downloads ADFind and Net Scan to perform lateral movement. This is also when the threat actor deploys a new tool that can retrieve cached Kerberos credentials.

Kerberus cache extractor
Kerberus cache extractor (Unit 42)

Another novel technique seen by Unit 42 researchers is using a ZeroLogon hack tool that exploits CVE-2020-1472 to gain DA (domain administrator) privileges.

Also Read: IT Equipment Disposal Singapore and Recycle Services

Zerologon hacktool
The Zerologon hack tool (Unit 42)

Finally, Tropical Scorpius deploys “ROMCOM RAT,” a previously unseen malware that handles C2 communications via ICMP requests performed through Windows API functions.

ROMCOM RAT supports ten commands as listed below:

  • Return connected drive information
  • Return file listings for a specified directory
  • Start up a reverse shell under the name svchelper.exe within the %ProgramData% folder
  • Upload data to C2 as ZIP file, using IShellDispatch to copy files
  • Download data and write to worker.txt in the %ProgramData% folder
  • Delete a specified file
  • Delete a specified directory
  • Spawn a process with PID Spoofing
  • Only handled by ServiceMain, received from C2 server and instructs the process to sleep for 120,000 ms
  • Iterate through running processes and gather process IDs

Unit 42 noticed that Tropical Scorpius compiled a new version of ROMCOM and uploaded it for testing on VirusTotal on June 20, 2022, which pointed to the same C2 address (hardcoded).

The second version added ten new commands on top of the existing 10, giving its remote operations more advanced execution, file upload, and process termination options.

Moreover, the new version supports fetching additional payloads from the C2, like a desktop snapper called “Screenshooter”.

ROMCOM RAT 2.0 downloading Screenshooter from C2
ROMCOM RAT 2.0 downloading Screenshooter from C2 (Unit 42)

Cuba evolving

The appearance of Tropical Scorpius and its new TTPs indicates that Cuba ransomware is evolving into a greater threat, even if the particular RaaS isn’t the most prolific in terms of the number of victims.

Cuba, however, has opted to keep a low profile and follow a milder double-extortion approach, so the actual number of victims is unknown.

The gang has published the stolen files of four victims since June 2022 on their “free” section on the Onion site, while their “paid” offerings haven’t been updated recently.

Considering the time required for negotiation and extortion, we may see the results of the ‘Tropical Scorpius’ update in the second half of the year.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us