The malware family known as Cuba is ransomware that affects Windows-based systems. It has been used in attacks against financial, technology, and logistics organizations in North and South America as well as Europe. Cuba uses several built-in API functions for discovery, such as GetIpNetTable and NetShareEnum, and can enumerate local drives, disk type, and disk free space. It can check whether the Russian language is installed on the infected machine by using the function GetKeyboardLayoutList. Cuba's payload is packed when delivered and can contain and execute hidden PowerShell windows. Cuba can enumerate processes running on a victim's machine. It can also discover shared resources using the NetShareEnum API call, and it can use the function GetIpNetTable to recover the last connections to the victim's machine.
Cuba Malware Capabilities:
Cuba may interact with the native OS application programming interface in order to execute behaviors. Additionally, Cuba may use information gathered during discovery to shape follow-on behaviors, including whether or not to fully infect a target and/or attempt specific actions. Cuba may also use hidden windows to conceal malicious activity, and may attempt to get information about running processes on a system. Finally, Cuba may look for folders and drives shared on remote systems, as well as details about the network.
- The Cuba malware may interact with the native OS application programming interface in order to execute behaviors. This could include gathering information about the system and hardware, including version, patches, hotfixes, service packs, and architecture. Cuba may also attempt to gather information about the system language of a victim in order to infer the target's location.
- Cuba can use PowerShell to perform a number of actions, including discovery of information and execution of code.
- Cuba may use hidden windows to conceal malicious activity from users. It may also attempt to get information about running processes on a system in order to gain an understanding of common software/applications running on systems within the network.
- Cuba may attempt to gather information about network configuration and settings, such as IP and MAC addresses, of systems it accesses, or through information discovery of remote systems. It may also perform software packing or virtual machine software protection to conceal its code. Additionally, Cuba may attempt to get a listing of network connections to or from the compromised system it is currently accessing or from remote systems.
- Cuba may try to hide files, such as malicious executables, to prevent forensic analysis.
- Cuba may delete files left behind by its intrusion activity.
- Cuba may attempt to gather information about registered local system services using tools and commands such as `sc query`, `tasklist /svc`, `systemctl --type=service`, and `net start`. It may also encrypt data on target systems or in a network to interrupt the availability of system and network resources, in order to extort money from a victim or render data permanently inaccessible.
- Cuba may employ reflective loading to conceal the execution of malicious payloads and may also stop or disable services on a system to render them unavailable to legitimate users. Additionally, Cuba may match or approximate the name or location of legitimate files or resources when naming/placing them in order to evade defenses and observation.
- Cuba may use various methods to gain persistence and broaden its access on a system, including creating or modifying Windows services, manipulating access tokens, and logging user keystrokes. These techniques may be used to bypass access controls and acquire sensitive information such as credentials.
Ways to Mitigate Cuba Malware Capabilities:
- Cuba malware can be mitigated in several ways, including monitoring API calls, correlating activity with process lineage, and watching for system and network discovery activity. All of these techniques can help provide context to events and potentially identify malicious behavior.
- Cuba malware attacks can be mitigated by monitoring processes and command-line arguments for actions indicative of hidden windows, and by enabling and configuring event logging and PowerShell logging to check for the hidden window style. Additionally, monitoring for system and network discovery techniques can help identify potential Cuba malware activity.
- Cuba malware can be mitigated by using file scanning to look for known software packers or artifacts of packing techniques. Monitoring for system and network discovery techniques can also help identify the presence of the malware and any potential lateral movement activity.
- Cuba malware attacks can be mitigated by restricting scripting for normal users, detecting file obfuscation, and monitoring for known deletion and secure deletion tools.
- Cuba malware attacks can be mitigated by enforcing an appropriate execution policy, monitoring for system and network discovery techniques, and process monitoring.
- The Cuba malware can be mitigated by monitoring for code artifacts associated with reflectively loading code, and by collecting file hashes and monitoring file names and locations.
- Cuba malware attacks can be mitigated in several ways, including monitoring processes and command-line arguments for actions that could create or modify services, collecting service utility execution and service binary path arguments for analysis, and auditing command-line activity for token manipulation. Additionally, keyloggers may be detected by monitoring the Registry and file system for changes, driver installs, and common keylogging API calls.
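The following is an added detection example, not part of the original page: it applies three of the mitigations above (hidden-window PowerShell arguments, discovery commands correlated by parent process, and service installs from user-writable paths) to a small set of constructed, SIEM-style Windows event records. The field names, hostnames, paths and event content are all assumed sample data.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs): simplified Windows Security
# 4688 process-creation and System 7045 service-install records, in the
# flattened form a SIEM would present them.
EVENTS = [
    {"id": 4688, "host": "ws01", "pid": 1001, "ppid": 900,
     "cmdline": 'powershell.exe -NoProfile -WindowStyle Hidden -Command "Get-Process"'},
    {"id": 4688, "host": "ws01", "pid": 1002, "ppid": 1001, "cmdline": "cmd.exe /c sc query"},
    {"id": 4688, "host": "ws01", "pid": 1003, "ppid": 1001, "cmdline": "tasklist /svc"},
    {"id": 4688, "host": "ws01", "pid": 1004, "ppid": 1001, "cmdline": "net start"},
    {"id": 4688, "host": "ws01", "pid": 1005, "ppid": 700, "cmdline": "powershell.exe -Command Get-Date"},
    {"id": 4688, "host": "ws02", "pid": 2001, "ppid": 600, "cmdline": "cmd.exe /c sc query"},
    {"id": 7045, "host": "ws01", "service": "UpdaterSvc", "image_path": r"C:\ProgramData\upd\svc.exe"},
    {"id": 7045, "host": "ws02", "service": "Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe"},
]

# -w, -win, -WindowStyle ... Hidden: PowerShell accepts abbreviated switch names.
HIDDEN_WINDOW = re.compile(r"(?i)-w[a-z]*\s+hidden\b")
# The service-discovery commands named in the text above.
DISCOVERY = re.compile(r"(?i)\b(sc\s+query|tasklist\s+/svc|net\s+start)\b")
# Service binaries installed from user-writable locations deserve review.
SUSPECT_SERVICE_PATH = re.compile(r"(?i)\\(Temp|ProgramData|Users\\[^\\]+\\AppData)\\")

def analyse(events, burst_threshold=3):
    """Return (kind, host, subject, detail) findings for the given events."""
    findings = []
    discovery_by_parent = defaultdict(set)   # (host, ppid) -> distinct commands seen
    for ev in events:
        if ev["id"] == 4688:
            cmd = ev["cmdline"]
            if HIDDEN_WINDOW.search(cmd):
                findings.append(("hidden_window", ev["host"], ev["pid"], cmd))
            m = DISCOVERY.search(cmd)
            if m:
                key = (ev["host"], ev["ppid"])
                discovery_by_parent[key].add(" ".join(m.group(1).lower().split()))
        elif ev["id"] == 7045 and SUSPECT_SERVICE_PATH.search(ev["image_path"]):
            findings.append(("service_install", ev["host"], ev["service"], ev["image_path"]))
    # Correlate by parent: several distinct discovery commands spawned by one
    # process is the process-lineage signal the mitigation text describes.
    for (host, ppid), cmds in discovery_by_parent.items():
        if len(cmds) >= burst_threshold:
            findings.append(("discovery_burst", host, ppid, ", ".join(sorted(cmds))))
    return findings

if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(*finding)
```

A single `sc query` on ws02 stays below the burst threshold, which keeps routine administration out of the alert stream; tune `burst_threshold` to the environment.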