New tactics, techniques, and procedures, as well as a novel local privilege escalation tool and remote access trojan, have been used by Cuba ransomware affiliate Tropical Scorpius in new attacks, BleepingComputer reports.
While Tropical Scorpius has used the same Cuba ransomware payload since the operation launched in 2019, the threat actor has begun signing a kernel driver with a legitimate but invalidated NVIDIA certificate; the driver is used to identify and terminate security product processes, according to a report from Palo Alto Networks Unit 42.
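A defender reading this will want a quick way to see which running kernel drivers on a host are signed by whom, and whether Windows reports the signature as valid. The script below is an added example written for this page; it is not code from the article or from Unit 42. It assumes it is run elevated on the host under review, and the signer pattern it flags (`NVIDIA`, chosen only because the article names that vendor) is an analyst-supplied value, not an indicator from the report.

```powershell
# Added example (not from the article or Unit 42): inventory running kernel drivers,
# report each driver's Authenticode signer and signature status, and flag entries whose
# signer subject matches an analyst-supplied pattern or whose signature is not Valid.
# Assumptions: run elevated; $SignerPattern is a hypothetical triage value.
param(
    [string]$SignerPattern = 'NVIDIA'
)

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$results = foreach ($d in $drivers) {
    # Win32_SystemDriver.PathName may carry the \??\ or \SystemRoot\ prefixes; normalise them.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig  = Get-AuthenticodeSignature -FilePath $path
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        Driver   = $d.Name
        Path     = $path
        Status   = $sig.Status
        Signer   = if ($cert) { $cert.Subject } else { '<unsigned>' }
        NotAfter = if ($cert) { $cert.NotAfter } else { $null }
        Flagged  = ($cert -and $cert.Subject -match $SignerPattern) -or ($sig.Status -ne 'Valid')
    }
}

# Flagged entries first: signer matches the pattern, or Windows did not report the
# signature as Valid. Each flagged row still needs review against the vendor's
# expected driver set; this is a triage list, not a verdict.
$results |
    Sort-Object -Property @{ Expression = 'Flagged'; Descending = $true }, Driver |
    Format-Table Driver, Status, Signer, NotAfter, Flagged -AutoSize
```

`Status` is whatever the local Authenticode check returns, so the value of the list is in the combination of signer subject, certificate expiry (`NotAfter`) and status for a driver you would not expect on the host, rather than in any single column.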
Moreover, the attacker downloads a local privilege escalation tool containing an exploit for the Windows Common Log File System Driver vulnerability tracked as CVE-2022-24521 before using ADFind and Net Scan for lateral movement. Tropical Scorpius has also used a ZeroLogon hacking tool to obtain domain administrator privileges.
Meanwhile, the attacker's new ROMCOM RAT malware can return information about connected drives and file listings, upload ZIP files to the command-and-control server, and more.