(Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware
Mandiant
Written by: Tyler McLellan, Joshua Shilko, Shambavi Sadayappan
In 2021, Mandiant observed some threat actors deploying ransomware increasingly shift to exploiting vulnerabilities as an initial infection vector. UNC2596, a threat actor that deploys COLDDRAW ransomware, publicly known as Cuba Ransomware, exemplifies this trend. While public reporting has highlighted CHANITOR campaigns as precursor for these ransomware incidents, Mandiant has also identified the exploitation of Microsoft Exchange vulnerabilities, including ProxyShell and ProxyLogon, as another access point leveraged by UNC2596 likely as early as August 2021. The content of this blog focuses on UNC2596 activity which has led to the deployment of COLDDRAW ransomware.
UNC2596 is currently the only threat actor tracked by Mandiant that uses COLDDRAW ransomware, which may suggest it’s exclusively used by the group. During intrusions, these threat actors have used webshells to load the TERMITE in-memory dropper with subsequent activity involving multiple backdoors and built-in Windows utilities. Beyond commonplace tools, like Cobalt Strike BEACON and NetSupport, UNC2596 has used novel malware, including BURNTCIGAR to disable endpoint protection, WEDGECUT to enumerate active hosts, and the BUGHATCH custom downloader. In incidents where COLDDRAW was deployed, UNC2596 used a multi-faceted extortion model where data is stolen and leaked on the group's shaming website, in addition to encryption using COLDDRAW ransomware. COLDDRAW operations have impacted dozens of organizations across more than ten countries, including those within critical infrastructure.
Victimology
The threat actors behind COLDDRAW ransomware attacks have not shied away from sensitive targets (Figure 1). Their victims include utilities providers, government agencies, and organizations that support non-profits and healthcare entities, however, we have not observed them attacking hospitals or entities that provide urgent care. Around 80% of impacted victim organizations are based in North America, but they have also impacted several countries in Europe as well as other regions (Figure 2).
Figure 1: Alleged COLDDRAW victims by industry
Figure 2: Alleged COLDDRAW victims by country
Shaming Website
Since at least early 2021, COLDDRAW ransomware victims have been publicly extorted by the threat actors who threaten to publish or sell stolen data (Figure 3). Each shaming post includes information on the “date the files were received.” While the shaming site was not included in ransom notes until early 2021, one of the entries on the site states that the files were received in November 2019. This is consistent with earliest samples uploaded to public malware repositories and may represent the earliest use of the ransomware. Notably, while the data associated with most of the victims listed on this site are provided for free, there is a paid section which listed only a single victim at the time of publication.
Figure 3: Cuba (aka COLDDRAW) Ransomware Shaming Tor site (2021-12-31)
Attack Lifecycle
UNC2596 incidents that have led to COLDDRAW ransomware deployment have involved a mix of public and private tools, some of which are believed to be private to them. The threat actors use several malware and utilities that are publicly available including NetSupport, Cobalt Strike BEACON, built-in Windows capabilities such as PsExec, RDP, and PowerShell, malware available for purchase such as WICKER, and exploits with publicly available proof-of-concept code. UNC2596 also uses several tools and scripts that we have not observed in use by other threat activity clusters to date, including BUGHATCH, BURNTCIGAR, WEDGECUT, and COLDDRAW. See the “Notable Malware and Tools” section for additional detail.
Initial Reconnaissance / Initial Compromise
Mandiant has observed UNC2596 frequently leverage vulnerabilities affecting public-facing Microsoft Exchange infrastructure as an initial compromise vector in recent COLDDRAW intrusions s where the initial vector was identified. The threat actors likely perform initial reconnaissance activities to identify Internet-facing systems that may be vulnerable to exploitation.
Establish Foothold
In COLDDRAW ransomware incidents, where initial access was gained via Microsoft Exchange vulnerabilities, UNC2596 subsequently deployed webshells to establish a foothold in the victim network. Mandiant has also observed these actors deploy a variety of backdoors to establish a foothold, including the publicly available NetSupport RAT, as well as BEACON and BUGHATCH, which have been deployed using the TERMITE in-memory dropper.
Escalate Privileges
COLDDRAW ransomware incidents have mainly involved the use of credentials from valid accounts to escalate privileges. In some cases, the source of these credentials is unknown, while in other cases, UNC2596 leveraged credential theft tools such as Mimikatz and WICKER. We have also observed these threat actors manipulating or creating Windows accounts and modifying file access permissions. In one intrusion, UNC2596 created a user account and added it to the administrator and RDP groups.
Internal Reconnaissance
UNC2596 has performed internal reconnaissance with the goals of identifying active network hosts that are candidates for encryption and identifying files to exfiltrate for use in their multi-faceted extortion scheme. The threat actors have used WEDGECUT, a reconnaissance tool typically with the filename check.exe. It identifies active hosts by sending PING requests to a list of hosts generated by a PowerShell script named comps2.ps1 which uses the Get-ADComputer cmdlet to enumerate the Active Directory. The threat actors have interactively browsed file systems to identify files of interest. Additionally, UNC2596 has routinely used a script named shar.bat to map all drives to network shares, which may assist in user file discovery (Figure 4).
net share C=C:\ /grant:everyone,FULL
net share D=D:\ /grant:everyone,FULL
net share E=E:\ /grant:everyone,FULL
net share F=F:\ /grant:everyone,FULL
net share G=G:\ /grant:everyone,FULL
net share H=H:\ /grant:everyone,FULL
net share I=I:\ /grant:everyone,FULL
net share J=J:\ /grant:everyone,FULL
net share L=L:\ /grant:everyone,FULL
net share K=K:\ /grant:everyone,FULL
net share M=M:\ /grant:everyone,FULL
net share X=X:\ /grant:everyone,FULL
net share Y=Y:\ /grant:everyone,FULL
net share W=W:\ /grant:everyone,FULL
net share Z=Z:\ /grant:everyone,FULL
net share V=V:\ /grant:everyone,FULL
net share O=O:\ /grant:everyone,FULL
net share P=P:\ /grant:everyone,FULL
net share Q=Q:\ /grant:everyone,FULL
net share R=R:\ /grant:everyone,FULL
net share S=S:\ /grant:everyone,FULL
net share T=T:\ /grant:everyone,FULLMove Laterally/Maintain Presence
During COLDDRAW incidents, UNC2596 actors have used several methods for lateral movement including RDP, SMB, and PsExec, frequently using BEACON to facilitate this movement. Following lateral movement, the threat actors deploy various backdoors including the publicly available NetSupport RAT, as well as BEACON and BUGHATCH, which are often deployed using the TERMITE in-memory dropper. These backdoors are sometimes executed using PowerShell launchers and have in some cases used predictable filenames. For example, NetSupport-related scripts and executables observed during COLDDRAW incidents have typically used the filename ra or ra<#> whereas BUGHATCH scripts and executables have used the filename komar or komar<#>, followed by the appropriate extension.
Complete Mission
In order to complete their mission of multi-faceted extortion, the UNC2596 attempts to steal relevant user files and then identify and encrypt networked machines. To facilitate encryption, and possibly to assist with collection efforts, the threat actors have used a batch script named shar.bat which maps each drive to a network share (Figure 4). These newly created shares are then available for encryption by COLDDRAW. During a more recent intrusion involving COLDDRAW, UNC2596 deployed the BURNTCIGAR utility using a batch script named av.bat. BURNTCIGAR is a utility first observed in November 2021 which terminates processes associated with endpoint security software to allow their ransomware and other tools to execute uninhibited. UNC2596 has also been observed exfiltrating data prior to encrypting victim systems. To date, we have not observed UNC2596 using any cloud storage providers for data exfiltration; rather, they prefer to exfiltrate data to their BEACON infrastructure. The threat actors then threaten to publish data of organizations that do not pay a ransom on their shaming site (Figure 5).
Good day. All your files are encrypted. For decryption contact us.
Write here cloudkey[@]cock.li
reserve admin[@]cuba-supp.com
jabber cuba_support[@]exploit.im
We also inform that your databases, ftp server and file server
were downloaded by us to our servers.
If we do not receive a message from you within three days, we
regard this as a refusal to negotiate.
Check our platform: <REDACTED>[.]onion/
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software,
it may cause permanent data loss.
* Do not stop process of encryption, because partial encryption
cannot be decrypted.Notable Malware and Tools
In addition to the use of publicly available malware and built-in utilities, Mandiant has observed UNC2596 use malware that is believed to be private to these threat actors, such as WEDGECUT, BUGHATCH, BURNTCIGAR, and COLDDRAW, or malware that is believed to be used by a limited number of threat actors, such as TERMITE.
WEDGECUT
WEDGECUT, which has been observed with the filename check.exe, is a reconnaissance tool that takes an argument containing a list of hosts or IP addresses and checks whether they are online using ICMP packets. This utility’s functionality is implemented using the IcmpCreateFile, IcmpSendEcho, and IcmpCloseFile APIs to send a buffer containing the string “Date Buffer”. In practice, the list provided to WEDGECUT has been generated using a PowerShell script that enumerates the Active Directory using the Get-ADComputer cmdlet.
BUGHATCH
BUGHATCH is a downloader that executes arbitrary code on the compromised system downloaded from a C&C server. The code sent by the C&C server includes PE files and PowerShell scripts. BUGHATCH has been loaded in-memory by a dropper written in PowerShell or loaded by a PowerShell script from a remote URL.
BURNTCIGAR
BURNTCIGAR is a utility that terminates processes at the kernel level by exploiting an Avast driver’s undocumented IOCTL code (Table 1). The malware terminates targeted processes using the functionDeviceIoControlto exploit the undocumented0x9988C094IOCTL code of the Avast driver, which callsZwTerminateProcesswith the given process identifier. We have observed a batch script launcher that creates and starts a kernel service calledaswSP_ArPot2loading binary fileC:\windows\temp\aswArPot.sys(legitimate Avast driver with SHA256 hash 4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1).
To deploy BURNTCIGAR at a victim, the actor brings their own copy of the vulnerable Avast driver and installs it at a service.
COLDDRAW
COLDDRAW is the name Mandiant uses to track the ransomware observed in Cuba Ransomware operations. This ransomware appends the .cuba file extension to encrypted files. When executed, it terminates services associated with common server applications and encrypts files on the local filesystem and attached network drives using an embedded RSA key. Encrypted files are rewritten with a COLDDRAW-generated header prior to the encrypted file contents. For large files, only the beginning and end of the file will be encrypted.
TERMITE
TERMITE is a password-protected memory-only dropper which contains an encrypted shellcode payload. Observed payloads have included BEACON, METASPLOIT stager, or BUGHATCH. TERMITE requires the actor to specify the ClearMyTracksByProcessexport and supply a password as a command line option to operate successfully (Figure 6). Mandiant suspects that TERMITE may be available to multiple groups and is not exclusively used by UNC2596.
Rundll32.exe c:\windows\temp\komar.dll,ClearMyTracksByProcess 11985756
Tracking TERMITE
During UNC2596 intrusions involving COLDDRAW, the actors load tools and malware from web accessible systems that were also typically used for BEACON. Over a period of approximately six months, Mandiant Advanced Practices tracked a TERMITE loader at hxxp://45.32.229[.]66/new.dll which used the password 11985756 to decode various BEACON payloads. Ongoing analysis of TERMITE payloads collected during this timeframe showed that TERMITE underwent modifications to evade detections. UNC2596 also began using the TERMITE password 11985757 in October 2021.
CHANITOR Overlaps
Mandiant has not responded to any intrusions where we have directly observed CHANITOR malware lead to COLDDRAW ransomware; however, we have identified overlaps between CHANITOR-related operations and COLDDRAW incidents. These include infrastructure overlaps, common code signing certificates, use of a shared packer, and naming similarities for domains, files, and URL paths, among others.
- The code signing certificate with the Common Name FDFWJTORFQVNXQHFAH has been used to sign COLDDRAW payloads, as well as SENDSAFE payloads distributed by CHANITOR. Mandiant has not observed the certificate used by other threat actors.
- COLDDRAW payloads and SENDSAFE payloads distributed by CHANITOR have used a shared packer that we refer to as LONGFALL. LONGFALL, which is also known as CryptOne, has been used with a variety of malware families.
- The WICKER stealer has been used in both CHANITOR-related post-exploitation activity and COLDDRAW incidents, including samples sharing the same command and control (C&C) server.
- Payloads distributed through CHANITOR and payloads identified in COLDDRAW ransomware incidents have masqueraded as the same legitimate applications including mDNSResponder and Java.
- Public reporting has also highlighted some overlaps between COLDDRAW and ZEPPELIN, another ransomware that has reportedly been distributed via CHANITOR.
Implications
As the number of vulnerabilities identified and publicly disclosed continues to increase year after year, Mandiant has also observed an increase in the use of vulnerabilities as an initial compromise vector by ransomware threat actors including utilizing both zero-day and n-day vulnerabilities in their activity; notable examples include UNC2447 and FIN11. Shifting towards vulnerabilities for initial access could offer threat actors more accurate targeting and higher success rates when compared to malicious email campaigns, which rely more on uncontrollable factors, such as victims’ interacting with malicious links or documents. The rise in zero-day usage specifically could be reflective of significant funds and resources at the disposal of ransomware operators, which are being directed towards exploit research and development or the purchasing of exploits from trusted brokers. However, threat actors do not have to use zero-days to be effective. A subset of n-day vulnerabilities are often considered attractive targets for threat actors due to their impact of publicly exposed products, ability to facilitate code execution after successful exploitation, and the availability of significant technical details and/or exploit code in public venues. As the number of vulnerabilities publicly disclosed continues to rise, we anticipate threat actors, including ransomware operators, to continue to exploit vulnerabilities in their operations.
Acknowledgements
With thanks to Thomas Pullen and Adrian Hernandez for technical research, and Nick Richard for technical review.
MITRE ATT&CK
Mandiant has observed COLDDRAW activity involving the following techniques in COLDDRAW intrusions:
Mandiant Security Validation
In addition to previously released Actions, the Mandiant Security Validation (Validation) Behavior Research Team (BRT) has created VHR20220223, which will also be released today, for tactics associated with UNC2596.
A102-561, Malicious File Transfer - TERMITE, Download, Variant #3
A102-560, Malicious File Transfer - TERMITE, Download, Variant #4
A102-559, Command and Control - TERMITE, DNS Query, Variant #1
A102-558, Malicious File Transfer - WEDGECUT, Download, Variant #1
A102-557, Malicious File Transfer - TERMITE, Download, Variant #2
A102-556, Malicious File Transfer - TERMITE, Download, Variant #1
A102-555, Malicious File Transfer - BURNTCIGAR, Download, Variant #4
A102-554, Malicious File Transfer - BURNTCIGAR, Download, Variant #3
A102-553, Malicious File Transfer - BURNTCIGAR, Download, Variant #2
A102-552, Malicious File Transfer - BURNTCIGAR, Download, Variant #1
A102-572, Malicious File Transfer - BUGHATCH, Download, Variant #4
A102-551, Malicious File Transfer - BUGHATCH, Download, Variant #3
A102-550, Malicious File Transfer - BUGHATCH, Download, Variant #2
A102-549, Malicious File Transfer - BUGHATCH, Download, Variant #1
A101-830 Command and Control - COLDDRAW, DNS Query
A101-831 Malicious File Transfer - COLDDRAW, Download, Variant #2
A101-832 Malicious File Transfer - COLDDRAW, Download, Variant #3
A101-833 Malicious File Transfer - COLDDRAW, Download, Variant #4
A101-834 Malicious File Transfer - COLDDRAW, Download, Variant #5
A101-835 Malicious File Transfer - COLDDRAW, Download, Variant #6
A104-800 Protected Theater - COLDDRAW, Execution
A151-079 Malicious File Transfer - COLDDRAW, Download, Variant #1
A100-308 Malicious File Transfer - CHANITOR, Download
A100-309 Command and Control - CHANITOR, Post System Info
A150-008 Command and Control - CHANITOR, Check-in and Response
A150-047 Malicious File Transfer - CHANITOR, Download, Variant #2
A150-306 Malicious File Transfer - CHANITOR, Download, Variant #1
YARA Signatures
The following YARA rules are not intended to be used on production systems or to inform blocking rules without first being validated through an organization's own internal testing processes to ensure appropriate performance and limit the risk of false positives. These rules are intended to serve as a starting point for hunting efforts to identify samples, however, they may need adjustment over time if the malware family changes.
rule TERMITE
{
meta:
author = "Mandiant"
strings:
$sb1 = { E8 [4] 3D 5? E3 B6 00 7? }
$sb2 = { 6B ?? 0A [3] 83 E9 30 }
$si1 = "VirtualAlloc" fullword
$ss1 = "AUTO" fullword
condition:
(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) ==
0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x010B)
and all of them
}
rule FDFWJTORFQVNXQHFAH
{
meta:
author = "Mandiant"
description = "Detecting packer or cert."
md5 = "939ab3c9a4f8eab524053e5c98d39ec9"
strings:
$cert = "FDFWJTORFQVNXQHFAH"
$s1 = "VLstuTmAlanc"
$s2 = { 54 68 F5 73 20 70 00 00 00 00 00 00 00 BE 66 67 72 BD
68 20 63 BD 69 6E 6F C0 1F 62 65 EC 72 75 6E FC 6D 6E 20 50 46
53 20 B9 66 64 65 }
$s3 = "ViGuua!Gre"
$s4 = "6seaIdFiYdA"
condition:
(uint16(0) == 0x5A4D) and filesize < 2MB and ( $cert or 2 of ($s*) )
}