CactusTorch Fileless Malware
CactusTorch is fileless malware that executes malicious code on infected devices.
At the time of publication, CactusTorch was being spread via drive-by downloads. Its source code has been made available on public repositories.
When executed, CactusTorch is injected into a DLL or EXE binary, which stays in memory without being written to the hard drive. It then launches a program called DotNetToJScript, which exploits vulnerabilities in Microsoft’s Component Object Model (COM) to expose some trusted .NET libraries that a typical Windows client will have. DotNetToJScript attaches .NET assemblies to the trusted libraries, which enable remote code execution.
The DotNetToJScript toolkit itself is never shipped with the malware. The only component it creates is the output JavaScript file, which is executed on the target system by the script host (wscript.exe).
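Because the only artifact on the target is a script that instantiates .NET classes through COM, script content is a practical place to look for it. The following static check is an added example, not code from the original page or from the DotNetToJScript project; the marker list, weights and threshold are assumptions based on publicly documented DotNetToJScript output, and the sample scripts are constructed.

```python
import re

# Assumption: heuristic markers taken from publicly documented DotNetToJScript
# output (.NET classes created through COM, plus the methods used to load the
# serialized object). Weights and threshold are illustrative, not a signature.
DOTNET_COM_MARKERS = {
    "system.runtime.serialization.formatters.binary.binaryformatter": 3,
    "system.security.cryptography.frombase64transform": 2,
    "system.io.memorystream": 1,
    "system.text.asciiencoding": 1,
    "system.collections.arraylist": 1,
}
METHOD_MARKERS = {"deserialize_2": 3, "dynamicinvoke": 2}
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/=]{512,}")
PROGID = re.compile(r"""(?:ActiveXObject|CreateObject)\s*\(\s*["']([\w.]+)["']""", re.I)

def score_script(text):
    """Return (score, reasons) for a JScript/VBScript source string."""
    score, reasons = 0, []
    # ProgIDs the script asks COM to instantiate, de-duplicated.
    for progid in {p.lower() for p in PROGID.findall(text)}:
        if progid in DOTNET_COM_MARKERS:
            score += DOTNET_COM_MARKERS[progid]
            reasons.append("COM-instantiated .NET class: " + progid)
    lowered = text.lower()
    for name, weight in METHOD_MARKERS.items():
        if name in lowered:
            score += weight
            reasons.append("method: " + name)
    # An embedded serialized assembly shows up as one long base64 run.
    if BASE64_BLOB.search(text):
        score += 2
        reasons.append("large base64 blob")
    return score, sorted(reasons)

def is_suspicious(text, threshold=6):
    return score_script(text)[0] >= threshold

# Constructed samples (not real malware): marker lines with a dummy blob,
# and an ordinary administrative script that also uses ActiveXObject.
SUSPECT = """
var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter');
var ms = new ActiveXObject('System.IO.MemoryStream');
var blob = "%s";
var d = fmt.Deserialize_2(ms);
""" % ("QUFB" * 200)
BENIGN = """
var fso = new ActiveXObject('Scripting.FileSystemObject');
var sh = new ActiveXObject("WScript.Shell");
"""
```

The benign sample shows why the check keys on the specific .NET class names rather than on any use of ActiveXObject, which is common in legitimate scripts.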
This year, our team has seen rapid growth in the use of #CactusTorch, which uses the DotNetToJScript. Learn why these types of attacks are most difficult to detect. https://t.co/VScJHtKdZA
— McAfee Labs (@McAfee_Labs) 2 August 2018
In 2018 there has been rapid growth in the use of CactusTorch, which can execute custom shellcode on Windows systems (see image below).

Hashes

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.