Fileless Threat CactusTorch Abuses .NET to Infect Systems

Over the past several months, security researchers have observed increased activity from a malware threat called CactusTorch that uses fileless techniques and reputable Windows executables to avoid detection.

The malware program loads shellcode directly in a computer’s memory and does not create any files on disk. This is a detection evasion technique that creates problems for security products and has become popular with cybercriminals over the past few years.

According to an analysis by researchers from antivirus firm McAfee, CactusTorch is written in .NET, but the executable code is then converted to JavaScript via a tool called DotNetToJScript.

This allows attackers to deliver the malware’s assembly as JavaScript code and to execute it through the Script Host (wscript.exe), a legitimate Windows service that’s trusted by antivirus programs. The script then uses other techniques to spawn a process and load the malicious shellcode directly into its memory where it’s executed.

“Fileless malware takes advantage of the trust factor between security software and genuine, signed Windows applications,” the McAfee researchers said in a blog post. “Because this type of attack is launched through reputable, trusted executables, these attacks are hard to detect.”

While CactusTorch is not new and has been observed in the wild since at least April 2017, McAfee’s telemetry shows a sharp increase in the number of variants in 2018, culminating in June with almost 40 samples. This suggests the malware’s creators are very active and that their infection technique is successful enough for them to keep using it.
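The chain described above gives defenders two things to look for: a script that carries the tell-tale DotNetToJScript wrapper (a BinaryFormatter COM object deserialising a large base64 .NET blob and invoking it), and a script host such as wscript.exe spawning another process. The following is an added example, not code from the article or from McAfee; the markers are taken from the publicly documented output of the DotNetToJScript tool, the log fields are modelled on Sysmon process-creation events, and the sample script and events are constructed.

```python
from __future__ import annotations
import re

# Strings that DotNetToJScript emits into every generated script: the
# generated JScript wraps .NET's BinaryFormatter as a COM object, calls
# its Deserialize_2 overload on a base64 blob and then DynamicInvoke.
DOTNET_TO_JS_MARKERS = (
    "System.Runtime.Serialization.Formatters.Binary.BinaryFormatter",
    "Deserialize_2",
    "DynamicInvoke",
    "System.Collections.ArrayList",
)
# A serialised .NET assembly is far larger than any legitimate literal.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

# wscript.exe is named in the article; cscript.exe is its console twin (assumption).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def script_indicators(script_text: str) -> list[str]:
    """Return the DotNetToJScript markers found in a script body."""
    hits = [m for m in DOTNET_TO_JS_MARKERS if m in script_text]
    if BASE64_BLOB.search(script_text):
        hits.append("large-base64-blob")
    return hits

def suspicious_script_host_children(events: list[dict]) -> list[dict]:
    """Process-creation events in which a script host is the parent process.
    Each event is a dict with 'parent', 'image' and 'cmdline' (Sysmon-style)."""
    return [e for e in events if e["parent"].lower() in SCRIPT_HOSTS]

# Constructed sample: the skeleton of a DotNetToJScript-generated script,
# with a dummy base64 payload standing in for the serialised assembly.
SAMPLE_SCRIPT = (
    "var serialized_obj = 'AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0u" + "Q" * 300 + "';\n"
    "var al = new ActiveXObject('System.Collections.ArrayList');\n"
    "var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter');\n"
    "var d = fmt.Deserialize_2(stm);\n"
    "var o = d.DynamicInvoke(al.ToArray()).CreateInstance();\n"
)
# Constructed process-creation log: only the second event is a script host spawning a child.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "wscript.exe", "cmdline": "wscript.exe invoice.js"},
    {"parent": "wscript.exe", "image": "rundll32.exe", "cmdline": "rundll32.exe"},
    {"parent": "services.exe", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    print("script markers:", script_indicators(SAMPLE_SCRIPT))
    print("script-host children:", suspicious_script_host_children(SAMPLE_EVENTS))
```

Neither check alone is conclusive (legitimate .NET-to-COM scripts exist and wscript.exe does spawn children during administration), so the two are best correlated in the SIEM rather than alerted on individually.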

New Exploit Kit Underminer Delivers Bootkit

Security researchers from Trend Micro have identified a new drive-by exploit kit that infects computers with a boot-level rootkit and cryptocurrency malware.

Exploit kits are web-based attack tools that exploit vulnerabilities in browsers and browser plug-ins such as Adobe Flash Player, Java and Silverlight. These attacks are typically launched from compromised websites or through malicious advertisements.

The prevalence of drive-by download attacks has decreased in recent years, as attackers switched to other delivery mechanisms such as phishing emails with malicious Office attachments. This is why the discovery of a new exploit kit is surprising.

Underminer exploits a Flash Player vulnerability known as CVE-2018-4878 that was patched in February and two much older flaws: one affecting Internet Explorer that was patched in May 2016 (CVE-2016-0189) and one in Flash Player that was patched in April 2015 (CVE-2015-5119).

The use of these two much older exploits suggests that there are still a large number of systems out there with outdated software and missing patches, and that attackers are confident they can infect them.

Underminer uses various techniques that are meant to make analysis by security researchers harder, but the most interesting aspect is that it installs malware code into the system’s boot sectors (hence the name bootkit). Boot-level rootkits are hard to remove because they start before the OS and any antivirus programs installed on it, and they are the reason why Microsoft introduced the Secure Boot feature.

Underminer’s second payload is a cryptocurrency mining program known as Hidden Mellifera that first appeared in May and has infected more than 500,000 systems to date. Hidden Mellifera’s creators are also linked to a browser-hijacking trojan called Hidden Soul and the Trend Micro researchers believe they also created Underminer.

So far, attacks with this exploit kit have been delivered through malicious advertisements and have primarily targeted users in Asia. The most affected countries are Japan, Taiwan and South Korea, but the threat has also been observed in non-Asian countries.

“Exploit kits may be taking a backseat for now, but Underminer shows that they are still relevant threats,” the researchers said in a blog post. “They underscore the real-life significance—and to many businesses, a perennial challenge—of patching. For organizations, exploit kits can entail a race against time. Vulnerabilities can be disclosed at any given time, and their window of exposure can open up unpatched systems—and personal or business-critical data stored in them—to unauthorized access or modification.”

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
