Cuba Ransomware partners with Hancitor for spam-fueled attacks

The Cuba Ransomware gang has teamed up with the spam operators of the Hancitor malware to gain easier access to compromised corporate networks.

The Hancitor (Chancitor) downloader has been in operation since 2016 when Zscaler saw it distributing the Vawtrak information-stealing Trojan. Since then, numerous campaigns have been seen over the years where Hancitor installs password-stealers, such as Pony, Ficker, and more recently, Cobalt Strike.

Hancitor is usually distributed through malicious spam campaigns pretending to be DocuSign invoices, as shown below.

When a recipient clicks on the 'Sign document' link, they will download a malicious Word document that tries to convince the target to disable protections.

Once the protections are disabled, malicious macros will fire off to download and install the Hancitor downloader.

Cuba ransomware teams up with Hancitor

Similar to how Ryuk and Conti partnered with TrickBot and Egregor and ProLock worked with QBot, the Cuba Ransomware has partnered with Hancitor to gain access to compromised networks.

In a new report by cybersecurity firm Group-IB, researchers have detected recent Hancitor campaigns dropping Cobalt Strike beacons on infected computers.

Cobalt Strike is a legitimate penetration testing toolkit that uses deployed beacons, or clients, on compromised devices to remotely "create shells, execute PowerShell scripts, perform privilege escalation, or spawn a new session to create a listener on the victim system."

Ransomware gangs commonly use cracked versions of Cobalt Strike as part of their attacks to gain a foothold and spread laterally throughout a network.

After the Cobalt Strike beacons are deployed, Group-IB researchers say the threat actors use this remote access to gather network credentials, domain information, and spread throughout the network.

"The Beacon’s capabilities were also used to scan the compromised network. In addition, the group leveraged some custom tools for network reconnaissance. The first tool is called Netping – it’s a simple scanner capable of collecting information about alive hosts in the network and saving it into a text file, the other tool, Protoping, to collect information about available network shares."

"Built-in tools were also abused. For example, adversary used net view command to collect information about the hosts in the network and nltest utility to collect information about the compromised domain," explains Group-IB in a report released today.

To move laterally from machine to machine, the threat actors use Remote Desktop, and if their Cobalt Strike beacons were detected, through other backdoor malware such as SystemBC.

"Ficker stealer wasn’t the only publicly advertised tool in the threat actors’ arsenal. Another tool, which is becoming more and more popular among various ransomware operators – SystemBC. Such additional backdoors allowed the attackers to download and execute additional payloads even if Cobalt Strike activity was detected and blocked," the researchers warned.

While moving through the network, unencrypted data is harvested and sent to remote servers under the attacker's control to be used as part of a double-extortion strategy.

When the actors finally gain access to a domain admin's credentials, they deploy the ransomware executable via PsExec to encrypt devices on the network.

The partnership may speed up attacks

Since its launch at the end of 2019, Cuba Ransomware has not been particularly active compared to other operations, such as REvil, Avaddon, Conti, and DoppelPaymer.

At the time of this writing, they have published the data for nine companies on their data leak site.

Their most publicized attack was against the ATFS, a widely used payment processor for local and state governments.

With their attacks now fueled by spam campaigns, we should expect to see an uptick in victims soon.

It should also be noted that while Cuba Ransomware uses a picture of Fidel Castro and is named after the country Cuba, a report by cybersecurity firm Profero believes that they are based out of Russia. This is because Profero found the Russian language on the gang's data leak site and during negotiations.