Cactus Ransomware: New strain in the market

Cactus ransomware has rolled out a new strain in the market, leveraging VPN vulnerabilities and a supply-chain style approach to gain access, move laterally, and encrypt data, leaking it if the ransom is not paid. The report maps the attack chain to MITRE techniques, describes the tools and TTPs used (including AnyDesk, PSnmap, and RClone), and lists IOCs such as file names, hashes, and a C2 IP. #CVE-2023-38035 #CactusRansomware

Keypoints

  • Cactus ransomware is a double-extortion threat that has targeted 100+ entities by April 2024.
  • Initial access is via exploiting VPN vulnerabilities (CVE-2023-38035) and public-facing applications (T1190).
  • Persistence is achieved by creating an SSH backdoor and using scheduled tasks to maintain access.
  • Network discovery involves scanning for IPs and users (PSnmap), followed by domain account and account discovery.
  • Lateral movement uses AnyDesk/Splashtop for persistence and C2, with Chisel/Cobalt Strike for covert communication.
  • Credential dumping from LSASS and browsers, plus disabling antivirus and creating new admin accounts, enable full control.
  • Exfiltration to cloud storage via RClone precedes the ransomware payload, which encrypts files (AES-256 + RSA-4096) and drops ransom notes.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – “Initial entry point of Cactus ransomware is via exploiting VPN vulnerabilities (CVE-2023-38035). Using public facing applications to enter into internal n/w (T1190).” MITRE ATT&CK — T1190 — Exploit Public-Facing Application
  • [T1053] Scheduled Task/Job – “After getting initial access to the network, the attacker creates an SSH backdoor for C2 server with task schedule to keep persistence.” MITRE ATT&CK — T1053 — Scheduled Task/Job
  • [T1078.002] Domain Accounts – “Once the persistent tactic is implemented, the attacker scans the network to get a list of all the IP addresses and a list of all Users inside the network to infect the maximum machines.” MITRE ATT&CK — T1078.002 — Domain Accounts
  • [T1087] Account Discovery – “SoftPerfect network scanner or PSNmap tool (PSnmap.ps1) has been used to scan the network and gather the IP list, identify users and check active machines by pinging.” MITRE ATT&CK — T1087 — Account Discovery
  • [T1018] Remote System Discovery – “SoftPerfect network scanner … to scan the network and gather the IP list” MITRE ATT&CK — T1018 — Remote System Discovery
  • [T1049] System Network Connections Discovery – “identify users and check active machines by pinging” MITRE ATT&CK — T1049 — System Network Connections Discovery
  • [T1570] Lateral Tool Transfer – “Install RMM tools like AnyDesk, Splashtop in the victim's machine to keep persistent access with C2 and deliver payloads.” MITRE ATT&CK — T1570 — Lateral Tool Transfer
  • [T1555.003] Credentials from Web Browsers – “For lateral movement, the attacker performs credential harvesting using LSASS credential dumping technique. The credentials are dumped from web browsers and also from files on disk.” MITRE ATT&CK — T1555.003 — Credentials from Web Browsers
  • [T1003] OS Credential Dumping – “the credentials are dumped from web browsers and also from files on disk.” MITRE ATT&CK — T1003 — OS Credential Dumping
  • [T1219] Remote Access Software – “For further C2 connection, the attacker uses Chisel (SOCKS5 proxy connection …)” MITRE ATT&CK — T1219 — Remote Access Software
  • [T1090] Proxy – “…SOCKS5 proxy connection on a secure channel … tunneling traffic through firewall for hidden communication” MITRE ATT&CK — T1090 — Proxy
  • [T1562.001] Disable or Modify Tools – “Once unauthorized privileged access … a batch script is executed to silently uninstall common AntiVirus software.” MITRE ATT&CK — T1562.001 — Disable or Modify Tools
  • [T1136] Create Account – “the attacker creates a new Admin User Account using the script, f1.bat.” MITRE ATT&CK — T1136 — Create Account
  • [T1567.002] Exfiltration to Cloud Storage – “exfiltration begins. The Attacker uses RClone, which is a command-line program for exfiltration on cloud storage.” MITRE ATT&CK — T1567.002 — Exfiltration to Cloud Storage
  • [T1471] Data Encrypted for Impact – “TotalExec.ps1 … the ransomware payload”, with the encryption routine (AES-256 + RSA-4096) described in the report; MITRE ATT&CK — T1471 — Data Encrypted for Impact
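The technique list above is the kind of mapping a detection engineer turns into log rules. As an added example (not code from the Trellix report or from the Cactus operators), the block below classifies Windows Security event records against the technique IDs on this page: scheduled-task creation (4698) for T1053, account creation (4720) and Administrators group membership (4732) for T1136, and process creation (4688) for the tools the report names (AnyDesk, Splashtop, Chisel, RClone, PSnmap.ps1, f1.bat, TotalExec.ps1). The event IDs are standard Windows Security log IDs; the sample events, task names, user names and paths are constructed for the demo and are not indicators from the report.

```python
"""Map Windows Security events to the ATT&CK techniques listed for Cactus.

Added example: the event records below are constructed for illustration;
the technique IDs and tool names come from the summary on this page.
"""
from dataclasses import dataclass
from typing import Optional

# Tool / script names named in the report, lower-cased, mapped to the
# technique IDs the page associates with them.
TOOL_TECHNIQUES = {
    "anydesk.exe": ["T1570", "T1219"],
    "splashtop": ["T1570", "T1219"],
    "chisel.exe": ["T1219", "T1090"],
    "rclone.exe": ["T1567.002"],
    "psnmap.ps1": ["T1087", "T1018"],
    "f1.bat": ["T1136"],
    "totalexec.ps1": ["T1471"],
}


@dataclass
class Finding:
    event_id: int
    techniques: list
    reason: str


def classify_event(event: dict) -> Optional[Finding]:
    """Return a Finding for one event record, or None if it matches nothing."""
    eid = event.get("EventID")
    if eid == 4698:  # A scheduled task was created
        return Finding(eid, ["T1053"], f"scheduled task created: {event.get('TaskName')}")
    if eid == 4720:  # A user account was created
        return Finding(eid, ["T1136"], f"account created: {event.get('TargetUserName')}")
    if eid == 4732 and (event.get("GroupName") or "").lower() == "administrators":
        return Finding(eid, ["T1136"], f"{event.get('MemberName')} added to Administrators")
    if eid == 4688:  # A new process has been created
        cmd = (event.get("CommandLine") or "").lower()
        # Strip the directory so only the image name is compared.
        proc = (event.get("NewProcessName") or "").lower().rsplit("\\", 1)[-1]
        for tool, techs in TOOL_TECHNIQUES.items():
            if proc == tool or tool in cmd:
                return Finding(eid, list(techs), f"tool observed: {tool}")
    return None


def classify_events(events) -> list:
    """Classify a sequence of events, dropping the ones that match nothing."""
    return [f for f in map(classify_event, events) if f is not None]


def techniques_seen(findings) -> list:
    """Sorted, de-duplicated technique IDs across all findings."""
    return sorted({t for f in findings for t in f.techniques})


# Constructed sample events (not from the report). Two are benign noise.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice"},                                  # benign logon
    {"EventID": 4698, "TaskName": "\\Updater"},
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c C:\\Temp\\f1.bat"},
    {"EventID": 4720, "TargetUserName": "svc_backup"},
    {"EventID": 4732, "GroupName": "Administrators", "MemberName": "svc_backup"},
    {"EventID": 4688, "NewProcessName": "C:\\Users\\Public\\AnyDesk.exe", "CommandLine": ""},
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -ep bypass -File C:\\Temp\\PSnmap.ps1"},
    {"EventID": 4688, "NewProcessName": "C:\\Temp\\rclone.exe",
     "CommandLine": "rclone.exe copy D:\\share remote:bucket"},
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": ""},  # benign
]


if __name__ == "__main__":
    for f in classify_events(SAMPLE_EVENTS):
        print(f"{f.event_id}  {', '.join(f.techniques):<18} {f.reason}")
    print("techniques seen:", techniques_seen(classify_events(SAMPLE_EVENTS)))
```

Matching on image name and command line separately matters: the batch script and PSnmap.ps1 never appear as the process image (cmd.exe and powershell.exe do), so a rule that only inspects `NewProcessName` would miss both. In production, 4688 command-line capture must be enabled by policy, or the `CommandLine` field is empty.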

Indicators of Compromise

  • [File hash] – D5E5980FEB1906D85FBD2A5F2165BAF7 (f1.bat) – associated with Ransom-Cactus
  • [File hash] – 91ACDFD491F3618BDB8D2AF77452A760 (f2.bat) – associated with Ransom-Cactus
  • [File hash] – 39FE99D2250954A0D5ED0E9FF9C41D81 (1.exe) – Ransom-Cactus payload
  • [File hash] – 26f3a62d205004fbc9c76330c1c71536 (TotalExec.ps1) – remote execution component
  • [File hash] – D4EEDAD29418CA69303B00D5B80093FC (ntuser.dat) – artifact
  • [File hash] – d9f15227fefb98ba69d98542fbe7e568 (AnyDesk.exe) – remote access tool used
  • [IP address] – 163.123.142.213 (C2 server)
  • [File name] – f1.bat, f2.bat, ntuser.dat, 1.exe, TotalExec.ps1, AnyDesk.exe – observed artifacts
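As an added example (not code from the Trellix report), the block below shows how the indicators listed above are typically consumed: it hashes every file under a directory and matches on MD5 and on file name, and it scans log lines for the C2 address. The hash values, file names and IP are taken from the list above; the sample directory tree and the log lines are constructed for the demo, and the `demo.bin` hash is a hypothetical indicator computed at runtime so that the hash-match path is exercised (no real file with the report's hashes is reproduced here).

```python
"""Match the Cactus IOCs on this page against a file tree and log lines.

Added example. IOC values come from the summary; the demo files and log lines
are constructed and are not artifacts from the report.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# MD5 hashes from the page, lower-cased for comparison. MD5 is fine for
# matching a known sample but is not collision-resistant, so it should not
# be the only indicator relied on.
IOC_MD5 = {
    "d5e5980feb1906d85fbd2a5f2165baf7": "f1.bat",
    "91acdfd491f3618bdb8d2af77452a760": "f2.bat",
    "39fe99d2250954a0d5ed0e9ff9c41d81": "1.exe",
    "26f3a62d205004fbc9c76330c1c71536": "TotalExec.ps1",
    "d4eedad29418ca69303b00d5b80093fc": "ntuser.dat",
    "d9f15227fefb98ba69d98542fbe7e568": "AnyDesk.exe",
}
IOC_FILENAMES = {"f1.bat", "f2.bat", "ntuser.dat", "1.exe", "totalexec.ps1", "anydesk.exe"}
IOC_IPS = {"163.123.142.213"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def md5_file(path: Path) -> str:
    """Stream the file through MD5 so large files do not need to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, ioc_md5=IOC_MD5, ioc_names=IOC_FILENAMES) -> list:
    """Return [(relative_path, [reasons])] for files matching by hash or by name."""
    root = Path(root)
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        reasons = []
        digest = md5_file(path)
        if digest in ioc_md5:
            reasons.append(f"md5 matches {ioc_md5[digest]}")
        if path.name.lower() in ioc_names:
            reasons.append("file name in IOC list")
        if reasons:
            hits.append((str(path.relative_to(root)), reasons))
    return hits


def scan_log_lines(lines, ioc_ips=IOC_IPS) -> list:
    """Return [(line_number, ip)] for every IOC address found in the lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in ioc_ips:
                hits.append((n, ip))
    return hits


# Constructed demo data. DEMO_PAYLOAD's hash is a hypothetical indicator added
# only so the hash-match branch runs; it is not a hash from the report.
DEMO_PAYLOAD = b"constructed sample payload\n"
DEMO_EXTRA_MD5 = {hashlib.md5(DEMO_PAYLOAD).hexdigest(): "demo.bin (constructed)"}
DEMO_LOG_LINES = [
    "2024-04-02T10:15:01 fw allow src=10.0.5.21 dst=163.123.142.213 dport=443",
    "2024-04-02T10:15:04 fw allow src=10.0.5.21 dst=93.184.216.34 dport=443",
    "2024-04-02T10:16:12 proxy CONNECT 163.123.142.213:443 user=svc_backup",
]


def run_demo():
    """Build a temp tree, scan it and the log lines, return (file_hits, log_hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Temp").mkdir()
        (root / "Temp" / "f1.bat").write_text("echo constructed, not the real script\n")
        (root / "Temp" / "demo.bin").write_bytes(DEMO_PAYLOAD)
        (root / "report.txt").write_text("quarterly numbers\n")
        file_hits = scan_directory(root, {**IOC_MD5, **DEMO_EXTRA_MD5})
    return file_hits, scan_log_lines(DEMO_LOG_LINES)


if __name__ == "__main__":
    files, logs = run_demo()
    for rel, reasons in files:
        print(f"FILE  {rel}: {'; '.join(reasons)}")
    for n, ip in logs:
        print(f"LOG   line {n}: C2 address {ip}")
```

File-name matches alone are weak evidence (`ntuser.dat` exists in every Windows profile), which is why the scanner reports hash and name hits as separate reasons rather than folding them into one score; a name-only hit on `ntuser.dat` warrants a hash check, not an alert on its own.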

Read more: https://www.trellix.com/blogs/research/cactus-ransomware-new-strain-in-the-market/