Cuba

Cuba is a Windows-based ransomware family that has been used against financial institutions, technology, and logistics organizations in North and South America as well as Europe since at least December 2019.[1]

ID: S0625
Type: MALWARE
Platforms: Windows
Contributors: Daniyal Naeem, BT Security
Version: 1.0
Created: 18 June 2021
Last Modified: 12 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Cuba has been disguised as legitimate 360 Total Security Antivirus and OpenVPN programs.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Cuba can modify services by using the OpenService and ChangeServiceConfig functions.[1]

Enterprise T1620 Reflective Code Loading

Cuba loaded the payload into memory using PowerShell.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Cuba has been dropped onto systems and used for lateral movement via obfuscated PowerShell scripts.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Cuba has used cmd.exe /c and batch files for execution.[1]

Enterprise T1486 Data Encrypted for Impact

Cuba has the ability to encrypt system data and add the ".cuba" extension to encrypted files.[1]

Enterprise T1083 File and Directory Discovery

Cuba can enumerate files by using a variety of functions.[1]

Enterprise T1489 Service Stop

Cuba has a hardcoded list of services and processes to terminate.[1]

Enterprise T1106 Native API

Cuba has used several built-in API functions for discovery like GetIpNetTable and NetShareEnum.[1]

Enterprise T1027 Obfuscated Files or Information

Cuba has used multiple layers of obfuscation to avoid analysis, including its Base64 encoded payload.[1]

Enterprise T1027 .002 Software Packing

Cuba has a packed payload when delivered.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

Cuba can use the command cmd.exe /c del to delete its artifacts from the system.[1]

Enterprise T1614 .001 System Location Discovery: System Language Discovery

Cuba can check whether the Russian language is installed on the infected machine by using the GetKeyboardLayoutList function.[1]

Enterprise T1082 System Information Discovery

Cuba can enumerate local drives, disk type, and disk free space.[1]

Enterprise T1007 System Service Discovery

Cuba can query service status using the QueryServiceStatusEx function.[1]

Enterprise T1049 System Network Connections Discovery

Cuba can use the function GetIpNetTable to recover the last connections to the victim's machine.[1]

Enterprise T1016 System Network Configuration Discovery

Cuba can retrieve the ARP cache from the local system by using GetIpNetTable.[1]

Enterprise T1135 Network Share Discovery

Cuba can discover shared resources using the NetShareEnum API call.[1]

Enterprise T1134 Access Token Manipulation

Cuba has used SeDebugPrivilege and AdjustTokenPrivileges to elevate privileges.[1]

Enterprise T1105 Ingress Tool Transfer

Cuba can download files from its C2 server.[1]

Enterprise T1056 .001 Input Capture: Keylogging

Cuba logs keystrokes via polling, using the GetKeyState and VkKeyScan functions.[1]

Enterprise T1057 Process Discovery

Cuba can enumerate processes running on a victim's machine.[1]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Cuba has executed hidden PowerShell windows.[1]

References