(Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware
In 2021, Mandiant observed some threat actors deploying ransomware increasingly shift to exploiting vulnerabilities as an initial infection vector. UNC2596, a threat actor that deploys COLDDRAW ransomware, publicly known as Cuba Ransomware, exemplifies this trend. While public reporting has highlighted CHANITOR campaigns as precursor for these ransomware incidents, Mandiant has also identified the exploitation of Microsoft Exchange vulnerabilities, including ProxyShell and ProxyLogon, as another access point leveraged by UNC2596 likely as early as August 2021. The content of this blog focuses on UNC2596 activity which has led to the deployment of COLDDRAW ransomware.
UNC2596 is currently the only threat actor tracked by Mandiant that uses COLDDRAW ransomware, which may suggest it’s exclusively used by the group. During intrusions, these threat actors have used webshells to load the TERMITE in-memory dropper with subsequent activity involving multiple backdoors and built-in Windows utilities. Beyond commonplace tools, like Cobalt Strike BEACON and NetSupport, UNC2596 has used novel malware, including BURNTCIGAR to disable endpoint protection, WEDGECUT to enumerate active hosts, and the BUGHATCH custom downloader. In incidents where COLDDRAW was deployed, UNC2596 used a multi-faceted extortion model where data is stolen and leaked on the group's shaming website, in addition to encryption using COLDDRAW ransomware. COLDDRAW operations have impacted dozens of organizations across more than ten countries, including those within critical infrastructure.
The threat actors behind COLDDRAW ransomware attacks have not shied away from sensitive targets (Figure 1). Their victims include utilities providers, government agencies, and organizations that support non-profits and healthcare entities, however, we have not observed them attacking hospitals or entities that provide urgent care. Around 80% of impacted victim organizations are based in North America, but they have also impacted several countries in Europe as well as other regions (Figure 2).
Since at least early 2021, COLDDRAW ransomware victims have been publicly extorted by the threat actors who threaten to publish or sell stolen data (Figure 3). Each shaming post includes information on the “date the files were received.” While the shaming site was not included in ransom notes until early 2021, one of the entries on the site states that the files were received in November 2019. This is consistent with earliest samples uploaded to public malware repositories and may represent the earliest use of the ransomware. Notably, while the data associated with most of the victims listed on this site are provided for free, there is a paid section which listed only a single victim at the time of publication.
UNC2596 incidents that have led to COLDDRAW ransomware deployment have involved a mix of public and private tools, some of which are believed to be private to them. The threat actors use several malware and utilities that are publicly available including NetSupport, Cobalt Strike BEACON, built-in Windows capabilities such as PsExec, RDP, and PowerShell, malware available for purchase such as WICKER, and exploits with publicly available proof-of-concept code. UNC2596 also uses several tools and scripts that we have not observed in use by other threat activity clusters to date, including BUGHATCH, BURNTCIGAR, WEDGECUT, and COLDDRAW. See the “Notable Malware and Tools” section for additional detail.
Initial Reconnaissance / Initial Compromise
Mandiant has observed UNC2596 frequently leverage vulnerabilities affecting public-facing Microsoft Exchange infrastructure as an initial compromise vector in recent COLDDRAW intrusions s where the initial vector was identified. The threat actors likely perform initial reconnaissance activities to identify Internet-facing systems that may be vulnerable to exploitation.
In COLDDRAW ransomware incidents, where initial access was gained via Microsoft Exchange vulnerabilities, UNC2596 subsequently deployed webshells to establish a foothold in the victim network. Mandiant has also observed these actors deploy a variety of backdoors to establish a foothold, including the publicly available NetSupport RAT, as well as BEACON and BUGHATCH, which have been deployed using the TERMITE in-memory dropper.
COLDDRAW ransomware incidents have mainly involved the use of credentials from valid accounts to escalate privileges. In some cases, the source of these credentials is unknown, while in other cases, UNC2596 leveraged credential theft tools such as Mimikatz and WICKER. We have also observed these threat actors manipulating or creating Windows accounts and modifying file access permissions. In one intrusion, UNC2596 created a user account and added it to the administrator and RDP groups.
UNC2596 has performed internal reconnaissance with the goals of identifying active network hosts that are candidates for encryption and identifying files to exfiltrate for use in their multi-faceted extortion scheme. The threat actors have used WEDGECUT, a reconnaissance tool typically with the filename check.exe. It identifies active hosts by sending PING requests to a list of hosts generated by a PowerShell script named comps2.ps1 which uses the Get-ADComputer cmdlet to enumerate the Active Directory. The threat actors have interactively browsed file systems to identify files of interest. Additionally, UNC2596 has routinely used a script named shar.bat to map all drives to network shares, which may assist in user file discovery (Figure 4).
net share C=C:\ /grant:everyone,FULL
net share D=D:\ /grant:everyone,FULL
net share E=E:\ /grant:everyone,FULL
net share F=F:\ /grant:everyone,FULL
net share G=G:\ /grant:everyone,FULL
net share H=H:\ /grant:everyone,FULL
net share I=I:\ /grant:everyone,FULL
net share J=J:\ /grant:everyone,FULL
net share L=L:\ /grant:everyone,FULL
net share K=K:\ /grant:everyone,FULL
net share M=M:\ /grant:everyone,FULL
net share X=X:\ /grant:everyone,FULL
net share Y=Y:\ /grant:everyone,FULL
net share W=W:\ /grant:everyone,FULL
net share Z=Z:\ /grant:everyone,FULL
net share V=V:\ /grant:everyone,FULL
net share O=O:\ /grant:everyone,FULL
net share P=P:\ /grant:everyone,FULL
net share Q=Q:\ /grant:everyone,FULL
net share R=R:\ /grant:everyone,FULL
net share S=S:\ /grant:everyone,FULL
net share T=T:\ /grant:everyone,FULL
Move Laterally/Maintain Presence
During COLDDRAW incidents, UNC2596 actors have used several methods for lateral movement including RDP, SMB, and PsExec, frequently using BEACON to facilitate this movement. Following lateral movement, the threat actors deploy various backdoors including the publicly available NetSupport RAT, as well as BEACON and BUGHATCH, which are often deployed using the TERMITE in-memory dropper. These backdoors are sometimes executed using PowerShell launchers and have in some cases used predictable filenames. For example, NetSupport-related scripts and executables observed during COLDDRAW incidents have typically used the filename ra or ra<#> whereas BUGHATCH scripts and executables have used the filename komar or komar<#>, followed by the appropriate extension.
In order to complete their mission of multi-faceted extortion, the UNC2596 attempts to steal relevant user files and then identify and encrypt networked machines. To facilitate encryption, and possibly to assist with collection efforts, the threat actors have used a batch script named shar.bat which maps each drive to a network share (Figure 4). These newly created shares are then available for encryption by COLDDRAW. During a more recent intrusion involving COLDDRAW, UNC2596 deployed the BURNTCIGAR utility using a batch script named av.bat. BURNTCIGAR is a utility first observed in November 2021 which terminates processes associated with endpoint security software to allow their ransomware and other tools to execute uninhibited. UNC2596 has also been observed exfiltrating data prior to encrypting victim systems. To date, we have not observed UNC2596 using any cloud storage providers for data exfiltration; rather, they prefer to exfiltrate data to their BEACON infrastructure. The threat actors then threaten to publish data of organizations that do not pay a ransom on their shaming site (Figure 5).
Good day. All your files are encrypted. For decryption contact us.
Write here cloudkey[@]cock.li
We also inform that your databases, ftp server and file server were downloaded by us to our servers.
If we do not receive a message from you within three days, we regard this as a refusal to negotiate.
Check our platform: <REDACTED>[.]onion/
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software,
it may cause permanent data loss.* Do not stop process of encryption, because partial encryption cannot be decrypted.
Notable Malware and Tools
In addition to the use of publicly available malware and built-in utilities, Mandiant has observed UNC2596 use malware that is believed to be private to these threat actors, such as WEDGECUT, BUGHATCH, BURNTCIGAR, and COLDDRAW, or malware that is believed to be used by a limited number of threat actors, such as TERMITE.
WEDGECUT, which has been observed with the filename check.exe, is a reconnaissance tool that takes an argument containing a list of hosts or IP addresses and checks whether they are online using ICMP packets. This utility’s functionality is implemented using the IcmpCreateFile, IcmpSendEcho, and IcmpCloseFile APIs to send a buffer containing the string “Date Buffer”. In practice, the list provided to WEDGECUT has been generated using a PowerShell script that enumerates the Active Directory using the Get-ADComputer cmdlet.
BUGHATCH is a downloader that executes arbitrary code on the compromised system downloaded from a C&C server. The code sent by the C&C server includes PE files and PowerShell scripts. BUGHATCH has been loaded in-memory by a dropper written in PowerShell or loaded by a PowerShell script from a remote URL.
BURNTCIGAR is a utility that terminates processes at the kernel level by exploiting an Avast driver’s undocumented IOCTL code (Table 1). The malware terminates targeted processes using the function DeviceIoControl to exploit the undocumented 0x9988C094 IOCTL code of the Avast driver, which calls ZwTerminateProcess with the given process identifier. We have observed a batch script launcher that creates and starts a kernel service called aswSP_ArPot2 loading binary file C:\windows\temp\aswArPot.sys (legitimate Avast driver with SHA256 hash 4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1).
To deploy BURNTCIGAR at a victim, the actor brings their own copy of the vulnerable Avast driver and installs it at a service.
Executable Processes Killed by BURNTCIGAR
Endpoint Agent Tray.exe
COLDDRAW is the name Mandiant uses to track the ransomware observed in Cuba Ransomware operations. This ransomware appends the .cuba file extension to encrypted files. When executed, it terminates services associated with common server applications and encrypts files on the local filesystem and attached network drives using an embedded RSA key. Encrypted files are rewritten with a COLDDRAW-generated header prior to the encrypted file contents. For large files, only the beginning and end of the file will be encrypted.
TERMITE is a password-protected memory-only dropper which contains an encrypted shellcode payload. Observed payloads have included BEACON, METASPLOIT stager, or BUGHATCH. TERMITE requires the actor to specify the ClearMyTracksByProcess export and supply a password as a command line option to operate successfully (Figure 6). Mandiant suspects that TERMITE may be available to multiple groups and is not exclusively used by UNC2596.
|Rundll32.exe c:\windows\temp\komar.dll,ClearMyTracksByProcess 11985756|
During UNC2596 intrusions involving COLDDRAW, the actors load tools and malware from web accessible systems that were also typically used for BEACON. Over a period of approximately six months, Mandiant Advanced Practices tracked a TERMITE loader at hxxp://45.32.229[.]66/new.dll which used the password 11985756 to decode various BEACON payloads. Ongoing analysis of TERMITE payloads collected during this timeframe showed that TERMITE underwent modifications to evade detections. UNC2596 also began using the TERMITE password 11985757 in October 2021.
Mandiant has not responded to any intrusions where we have directly observed CHANITOR malware lead to COLDDRAW ransomware; however, we have identified overlaps between CHANITOR-related operations and COLDDRAW incidents. These include infrastructure overlaps, common code signing certificates, use of a shared packer, and naming similarities for domains, files, and URL paths, among others.
- The code signing certificate with the Common Name FDFWJTORFQVNXQHFAH has been used to sign COLDDRAW payloads, as well as SENDSAFE payloads distributed by CHANITOR. Mandiant has not observed the certificate used by other threat actors.
- COLDDRAW payloads and SENDSAFE payloads distributed by CHANITOR have used a shared packer that we refer to as LONGFALL. LONGFALL, which is also known as CryptOne, has been used with a variety of malware families.
- The WICKER stealer has been used in both CHANITOR-related post-exploitation activity and COLDDRAW incidents, including samples sharing the same command and control (C&C) server.
- Payloads distributed through CHANITOR and payloads identified in COLDDRAW ransomware incidents have masqueraded as the same legitimate applications including mDNSResponder and Java.
- Public reporting has also highlighted some overlaps between COLDDRAW and ZEPPELIN, another ransomware that has reportedly been distributed via CHANITOR.
As the number of vulnerabilities identified and publicly disclosed continues to increase year after year, Mandiant has also observed an increase in the use of vulnerabilities as an initial compromise vector by ransomware threat actors including utilizing both zero-day and n-day vulnerabilities in their activity; notable examples include UNC2447 and FIN11. Shifting towards vulnerabilities for initial access could offer threat actors more accurate targeting and higher success rates when compared to malicious email campaigns, which rely more on uncontrollable factors, such as victims’ interacting with malicious links or documents. The rise in zero-day usage specifically could be reflective of significant funds and resources at the disposal of ransomware operators, which are being directed towards exploit research and development or the purchasing of exploits from trusted brokers. However, threat actors do not have to use zero-days to be effective. A subset of n-day vulnerabilities are often considered attractive targets for threat actors due to their impact of publicly exposed products, ability to facilitate code execution after successful exploitation, and the availability of significant technical details and/or exploit code in public venues. As the number of vulnerabilities publicly disclosed continues to rise, we anticipate threat actors, including ransomware operators, to continue to exploit vulnerabilities in their operations.
With thanks to Thomas Pullen and Adrian Hernandez for technical research, and Nick Richard for technical review.
Mandiant has observed COLDDRAW activity involving the following techniques in COLDDRAW intrusions:
ATT&CK Tactic Category
T1190: Exploit Public-Facing Application
T1010: Application Window Discovery
T1012: Query Registry
T1016: System Network Configuration Discovery
T1018: Remote System Discovery
T1033: System Owner/User Discovery
T1057: Process Discovery
T1082: System Information Discovery
T1083: File and Directory Discovery
T1087: Account Discovery
T1518: Software Discovery
T1486: Data Encrypted for Impact
T1489: Service Stop
T1074.002: Remote Data Staging
T1027: Obfuscated Files or Information
T1055: Process Injection
T1055.003: Thread Execution Hijacking
T1070.004: File Deletion
T1112: Modify Registry
T1134: Access Token Manipulation
T1134.001: Token Impersonation/Theft
T1140: Deobfuscate/Decode Files or Information
T1497.001: System Checks
T1553.002: Code Signing
T1564.003: Hidden Window
T1574.011: Services Registry Permissions Weakness
T1620: Reflective Code Loading
T1098: Account Manipulation
T1136: Create Account
T1136.001: Local Account
T1543.003: Windows Service
Command and Control
T1071.001: Web Protocols
T1095: Non-Application Layer Protocol
T1105: Ingress Tool Transfer
T1573.002: Asymmetric Cryptography
T1583.003: Virtual Private Server
T1587.003: Digital Certificates
T1588.003: Code Signing Certificates
T1608.001: Upload Malware
T1608.002: Upload Tool
T1608.003: Install Digital Certificate
T1608.005: Link Target
T1053: Scheduled Task/Job
T1059: Command and Scripting Interpreter
T1129: Shared Modules
T1569.002: Service Execution
T1021.001: Remote Desktop Protocol
T1555.003: Credentials from Web Browsers
Mandiant Security Validation
In addition to previously released Actions, the Mandiant Security Validation (Validation) Behavior Research Team (BRT) has created VHR20220223, which will also be released today, for tactics associated with UNC2596.
A102-561, Malicious File Transfer - TERMITE, Download, Variant #3
A102-560, Malicious File Transfer - TERMITE, Download, Variant #4
A102-559, Command and Control - TERMITE, DNS Query, Variant #1
A102-558, Malicious File Transfer - WEDGECUT, Download, Variant #1
A102-557, Malicious File Transfer - TERMITE, Download, Variant #2
A102-556, Malicious File Transfer - TERMITE, Download, Variant #1
A102-555, Malicious File Transfer - BURNTCIGAR, Download, Variant #4
A102-554, Malicious File Transfer - BURNTCIGAR, Download, Variant #3
A102-553, Malicious File Transfer - BURNTCIGAR, Download, Variant #2
A102-552, Malicious File Transfer - BURNTCIGAR, Download, Variant #1
A102-572, Malicious File Transfer - BUGHATCH, Download, Variant #4
A102-551, Malicious File Transfer - BUGHATCH, Download, Variant #3
A102-550, Malicious File Transfer - BUGHATCH, Download, Variant #2
A102-549, Malicious File Transfer - BUGHATCH, Download, Variant #1
A101-830 Command and Control - COLDDRAW, DNS Query
A101-831 Malicious File Transfer - COLDDRAW, Download, Variant #2
A101-832 Malicious File Transfer - COLDDRAW, Download, Variant #3
A101-833 Malicious File Transfer - COLDDRAW, Download, Variant #4
A101-834 Malicious File Transfer - COLDDRAW, Download, Variant #5
A101-835 Malicious File Transfer - COLDDRAW, Download, Variant #6
A104-800 Protected Theater - COLDDRAW, Execution
A151-079 Malicious File Transfer - COLDDRAW, Download, Variant #1
A100-308 Malicious File Transfer - CHANITOR, Download
A100-309 Command and Control - CHANITOR, Post System Info
A150-008 Command and Control - CHANITOR, Check-in and Response
A150-047 Malicious File Transfer - CHANITOR, Download, Variant #2
A150-306 Malicious File Transfer - CHANITOR, Download, Variant #1
The following YARA rules are not intended to be used on production systems or to inform blocking rules without first being validated through an organization's own internal testing processes to ensure appropriate performance and limit the risk of false positives. These rules are intended to serve as a starting point for hunting efforts to identify samples, however, they may need adjustment over time if the malware family changes.
Packer cert CN
Packer cert md5
Exchange Payload test.hta