A member of the Cuba ransomware operation is using previously unknown tactics, methods, and procedures (TTPs), such as a novel RAT (remote access trojan) and a novel local privilege escalation tool.
Researchers at Palo Alto Networks Unit 42 dubbed the threat actor ‘Tropical Scorpius,’ and he is most certainly an associate of the Cuba ransomware operation. In Q1 2022, Cuba ransomware received a slight version, including a modified encryptor with more nuanced choices and the addition of quTox for live victim help.
Tropical Scorpius, on the other hand, represents a change in tactics, perhaps making the Cuba operation more risky and obtrusive. Tropical Scorpius employs the standard Cuba ransomware payload, which has remained essentially unchanged from the operation’s inception in 2019.
Since June 2022, one of the new ways has been leveraging a legal but invalidated NVIDIA certificate stolen and released by LAPSUS to certify a kernel driver dropped during the early stages of an infection. The driver’s job is to find and stop processes associated with security products in order to assist threat actors in evading discovery in the compromised environment.
Tropical Scorpius then downloads a local privilege escalation tool that includes an attack for CVE-2022-24521, a flaw in the Windows Common Log File System Driver that was resolved as a zero-day in April 2022.
According to Unit 42, the hackers used an exploitation approach that appears to have been inspired by security researcher Sergey Kornienko’s extensive write-up. Tr
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: