CactusTorch Fileless malware abuses .NET

McAfee announced their findings on a fileless malware package called CactusTorch. The package uses .NET assemblies to carry out its attack. CactusTorch relies on the DotNetToJScript technique, and the malicious .NET assembly is never written to disk, so anti-virus scanners have nothing to find there. Compiling the open-source DotNetToJScript tool produces a .NET executable called DotNetToJScript.exe; the attacker runs it ahead of time, not on the victim's system.

DotNetToJScript.exe takes the attacker's .NET assembly as its parameter and produces a JavaScript file as output, which is executed by wscript.exe. The script carries the assembly as a base64-encoded, serialized .NET object; at run time it reaches .NET classes such as BinaryFormatter and MemoryStream through COM, deserializes the object and loads the assembly directly in memory. Attacks of this nature are notoriously difficult to track: except for the malicious .NET assembly, every component involved is a standard system component. With no footprint of the malware on disk, traditional protection can only detect the attack in the system's memory.

Recommendations
  • Keep applications and operating systems at the current released patch level
  • Ensure anti-virus software and its signature files are up to date
  • Verify, through a separate channel, the legitimacy of any unsolicited email attachment; delete it without opening if you cannot validate it
  • Search your environment for existing signs of the IOCs listed below (MD5 hashes)
  • Block any URL- and IP-based IOCs, where available, at the firewall, IDS, web gateways, routers or other perimeter devices

Indicators of compromise

MD5
4CF9863C8D60F7A977E9DBE4DB270819
5EEFBB10D0169D586640DA8C42DD54BE
69A2B582ED453A90CC06345886F03833
74172E8B1F9B7F9DB600C57E07368B8F
86C47B9E0F43150FEFF5968CF4882EBB
89F87F60137E9081F40E7D9AD5FA8DEF
8A33BF71E8740BDDE23425BBC6259D8F
8DCCC9539A499D375A069131F3E06610
924B7FB00E930082CE5B96835FDE69A1
B60E085150D53FCE271CD481435C6E1E
BC7923B43D4C83D077153202D84EA603
C1A7315FB68043277EE57BDBD2950503
CDB73CC7D00A2ABB42A76F7DFABA94E1
D2095F2C1D8C25AF2C2C7AF7F4DD4908
D4EB24F9EB1244A5BEAA19CF69434127
D5A07C27A8BBCCD0234C81D7B1843FD4
E0573E624953A403A2335EEC7FFB1D83
E1677A25A047097E679676A459C63A42
F0BC5DFD755B7765537B6A934CA6DBDC
F6526E6B943A6C17A2CC96DD122B211E
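As an added example (not McAfee's code, nor anything taken from the CactusTorch samples), the Python script below covers both the loader mechanism described above and the recommendation to search for IOCs: it hashes every file under a directory against the MD5 list in this advisory, and it inspects script files for the DotNetToJScript loader pattern, i.e. COM access to BinaryFormatter together with a base64 blob that decodes to a .NET BinaryFormatter (MS-NRBF) stream carrying a PE image. The marker strings, the NRBF header bytes and the script extensions are assumptions taken from the public DotNetToJScript template and the MS-NRBF specification; the embedded sample loader and its payload are constructed for the demonstration and are not a real assembly.

```python
# Added example: hunt for the advisory's MD5 IOCs and for DotNetToJScript-style
# loader scripts. Not code from McAfee or from the CactusTorch samples.
import base64
import binascii
import hashlib
import os
import re
import sys

# MD5 IOCs from the advisory, normalised to lowercase hex.
IOC_MD5 = frozenset(h.lower() for h in """
4CF9863C8D60F7A977E9DBE4DB270819 5EEFBB10D0169D586640DA8C42DD54BE 69A2B582ED453A90CC06345886F03833
74172E8B1F9B7F9DB600C57E07368B8F 86C47B9E0F43150FEFF5968CF4882EBB 89F87F60137E9081F40E7D9AD5FA8DEF
8A33BF71E8740BDDE23425BBC6259D8F 8DCCC9539A499D375A069131F3E06610 924B7FB00E930082CE5B96835FDE69A1
B60E085150D53FCE271CD481435C6E1E BC7923B43D4C83D077153202D84EA603 C1A7315FB68043277EE57BDBD2950503
CDB73CC7D00A2ABB42A76F7DFABA94E1 D2095F2C1D8C25AF2C2C7AF7F4DD4908 D4EB24F9EB1244A5BEAA19CF69434127
D5A07C27A8BBCCD0234C81D7B1843FD4 E0573E624953A403A2335EEC7FFB1D83 E1677A25A047097E679676A459C63A42
F0BC5DFD755B7765537B6A934CA6DBDC F6526E6B943A6C17A2CC96DD122B211E
""".split())

# Assumed markers from the public DotNetToJScript template: the COM ProgIDs it
# instantiates, the IDispatch name of BinaryFormatter.Deserialize, and the
# base64 of the MS-NRBF header (its first 22 chars are fixed whatever follows).
DOTNET_MARKERS = (
    "System.Runtime.Serialization.Formatters.Binary.BinaryFormatter",
    "Deserialize_2", "DynamicInvoke",
    "System.IO.MemoryStream", "System.Collections.ArrayList",
    "System.Security.Cryptography.FromBase64Transform",
    "AAEAAAD/////AQAAAAAAAA",
)
# MS-NRBF SerializationHeaderRecord: type 0, RootId 1, HeaderId -1, version 1.0
NRBF_HEADER = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00"
DOS_STUB = b"This program cannot be run in DOS mode."
SCRIPT_EXT = (".js", ".jse", ".wsf", ".hta", ".vbs", ".vbe")  # assumed landing spots
# A run of quoted base64 literals joined with '+', the way the template emits its blob.
_Q = "['\"]"
CHAIN_RE = re.compile(_Q + r"[A-Za-z0-9+/=]{8,}" + _Q + r"(?:\s*\+\s*" + _Q + r"[A-Za-z0-9+/=]+" + _Q + ")*")
LITERAL_RE = re.compile(_Q + r"([A-Za-z0-9+/=]+)" + _Q)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_binaryformatter_stream(data: bytes) -> bool:
    return data.startswith(NRBF_HEADER)


def extract_base64_blob(text: str) -> str:
    """Longest '+'-joined chain of base64 literals, with quotes and '+' operators removed."""
    chains = CHAIN_RE.findall(text)
    return "".join(LITERAL_RE.findall(max(chains, key=len))) if chains else ""


def analyze_script(text: str) -> dict:
    """Flag the loader pattern: BinaryFormatter via COM plus an NRBF stream with a PE inside."""
    markers = [m for m in DOTNET_MARKERS if m in text]
    try:
        payload = base64.b64decode(extract_base64_blob(text), validate=True)
    except (binascii.Error, ValueError):
        payload = b""
    nrbf = is_binaryformatter_stream(payload)
    uses_formatter = "Deserialize_2" in markers and any(m.endswith("BinaryFormatter") for m in markers)
    return {"markers": markers, "nrbf_stream": nrbf,
            "embeds_pe": b"MZ" in payload and DOS_STUB in payload,
            "suspicious": nrbf or uses_formatter}


def scan_tree(root: str, iocs=IOC_MD5) -> list:
    """Return (path, reason) for files whose MD5 is an IOC or whose script body is a loader."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if md5_file(path) in iocs:
                    hits.append((path, "MD5 listed in advisory IOCs"))
                if name.lower().endswith(SCRIPT_EXT):
                    with open(path, "r", errors="replace") as f:
                        result = analyze_script(f.read())
                    if result["suspicious"]:
                        hits.append((path, "DotNetToJScript loader: " + ", ".join(result["markers"])))
            except OSError:
                continue
    return hits


# Constructed sample: NRBF header, a BinaryLibrary record stub and a fake PE
# (not a real assembly), wrapped in the template's JScript scaffolding.
SAMPLE_B64 = base64.b64encode(NRBF_HEADER + b"\x0c\x02\x00\x00\x00MZ\x90\x00" + DOS_STUB + b"\r\n" + b"\x00" * 16).decode()
SAMPLE_LOADER = (
    "var serialized_obj = " + " +\n".join('"%s"' % SAMPLE_B64[i:i + 40] for i in range(0, len(SAMPLE_B64), 40)) + ";\n"
    "var stm = base64ToStream(serialized_obj);\n"
    "var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter');\n"
    "var al = new ActiveXObject('System.Collections.ArrayList');\n"
    "var d = fmt.Deserialize_2(stm);\n"
)
BENIGN_SCRIPT = 'var sh = new ActiveXObject("WScript.Shell");\nsh.Popup("hello");\n'

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, reason in scan_tree(sys.argv[1]):
            print(path, "->", reason)
    else:
        print("sample loader:", analyze_script(SAMPLE_LOADER))
        print("benign script:", analyze_script(BENIGN_SCRIPT))
```

Run it with a directory argument to scan a tree (each hit is the path plus the reason), or with no argument to see the analysis of the constructed sample next to a benign script. Since the loader executes under wscript.exe, pairing this file hunt with a check for wscript.exe or cscript.exe processes that have the CLR loaded (clr.dll or mscoree.dll) covers the in-memory stage that the text identifies as the only place traditional protection can see the attack.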

More information:

  • securingtomorrow.mcafee.com/mcafee-labs/cactustorch-fileless-threat-abuses-net-to-infect-victims/
  • exchange.xforce.ibmcloud.com/collection/CactusTorch-Infects-Victims-By-Abusing-NET-2c57152756bb1d8c6c4ca7236baf952b