Cuba Ransomware Operators Use Previously Unknown ROMCOM RAT


Palo Alto Networks reports that the Cuba ransomware operators have begun to use new tactics in their attacks, including the use of a previously unknown remote access trojan (RAT) called ROMCOM RAT.

Let me remind you that we reported that New Cuba Ransomware Variant Involves Double-Extortion Scheme.

In their report, the researchers talk about the hack group Tropical Scorpius, which, apparently, is a “partner” of the Cuba ransomware. Let me remind you that this ransomware has been known to security specialists since 2019. He was most active at the end of 2021, when he was linked to attacks on 60 organizations in five critical infrastructure sectors (including financial and public sector, healthcare, manufacturing and IT), as a result of which hackers received at least $ 43.9 million in the form of ransoms.

The last notable Cuba update was recorded in the first quarter of 2022, when malware operators switched to an updated version of the ransomware with finer settings and added quTox support to communicate with their victims.

As Palo Alto Networks analysts now say, the aforementioned Tropical Scorpius group uses a standard Cuba payload that hasn’t changed much since 2019. One of the few updates in 2022 involves the use of a legitimate but invalid Nvidia certificate (previously stolen from the company by Lapsus$ hackers) to sign the kernel driver, which is used in the initial stages of infection. The task of this driver is to detect processes belonging to security products and kill them to help attackers avoid detection.


Tropical Scorpius uses a local privilege escalation tool based on an exploit for CVE-2022-24521, which was patched in April 2022.

The next attack phase of Tropical Scorpius involves loading ADFind and Net Scan to perform a lateral movement. Along with this, the attackers deploy a tool on the victim’s network that helps them obtain cached Kerberos credentials. Also, hackers can use the tool to exploit the notorious Zerologon vulnerability (CVE-2020-1472) to obtain domain administrator privileges.

At the end of the attack, Tropical Scorpius operators finally deploy ROMCOM RAT malware on the victim network, which communicates with command and control servers through ICMP requests performed through Windows API functions.

ROMCOM RAT supports ten main commands:

  1. get information about the connected disk;
  2. get lists of files for the specified directory;
  3. run the reverse shell svchelper.exe in the %ProgramData% folder;
  4. upload data to the management server as a ZIP file using IShellDispatch to copy files;
  5. download data and write to worker.txt in the %ProgramData% folder;
  6. delete the specified file;
  7. delete the specified directory;
  8. create a process with PID spoofing;
  9. process only the ServiceMain received from the control server and “sleep” for 120,000 ms;
  10. traverse running processes and collect their IDs.

Experts note that Tropical Scorpius hackers compiled the latest version of ROMCOM and uploaded it to VirusTotal on June 20, 2022. This version contains ten additional commands, giving attackers more control over executing and downloading files and terminating processes.

In addition, the new version supports receiving additional payloads from the C&C server, such as the Screenshooter screenshot tool.


The researchers conclude that with the emergence of Tropical Scorpius, the Cuba ransomware is turning into a more serious threat, although in general this ransomware cannot boast of a large number of victims.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *