New ransomware group CACTUS abuses remote management tools for persistence

A cybercriminal group has been compromising enterprise networks for the past two months and has been deploying a new ransomware program that researchers dubbed CACTUS. In the attacks seen so far the attackers gained access by exploiting known vulnerabilities in VPN appliances, moved laterally to other systems, and deployed legitimate remote monitoring and management (RMM) tools to achieve persistence on the network.

“The name ‘CACTUS’ is derived from the filename provided within the ransom note, cAcTuS.readme.txt, and the self-declared name within the ransom note itself,” researchers with Kroll Cyber Threat Intelligence said in a new report. “Encrypted files are appended with .cts1, although Kroll notes the number at the end of the extension has been observed to vary across incidents and victims. Kroll has observed exfiltration of sensitive data and victim extortion over the peer-to-peer messaging service known as Tox, but a known victim leak site was not identified at the time of analysis.”

CACTUS initial intrusion and lateral movement

In all the cases investigated by Kroll, the attackers gain their initial foothold on a VPN appliance using a service account and they then deployed a SSH backdoor that connected back to their command-and-control (C2) server and was executed via a scheduled task.

This activity was immediately followed by network reconnaissance using a commercial Windows network scanner made by an Australian company called SoftPerfect. Additional PowerShell commands and scripts were used to enumerate computers on the network and extract user accounts from the Windows Security event log. Another PowerShell-based network scanning script called PSnmap.ps1 has also been observed in some cases.

The group then dumps LSASS credentials and searches for local files that might contain passwords to identify accounts that could allow them to jump to other systems via remote desktop protocol (RDP) and other methods. To maintain persistence on the systems they compromised, the attackers deploy RMM tools like Splashtop, AnyDesk, and SuperOps, as well as the Cobalt Strike implant or the Chisel SOCKS5 proxy. The abuse of legitimate RMM tools is a common technique among threat actors.

“Chisel assists with tunneling traffic through firewalls to provide hidden communications to the threat actor’s C2 and is likely used to pull additional scripts and tooling onto the endpoint,” the Kroll researchers said. One such script uses the Windows msiexec tool to attempt to uninstall common antivirus programs. In one case the attackers even used the Bitdefender uninstall tool.

CACTUS ransomware deployment

Once the group has identified systems with sensitive data, it uses the Rclone tool to exfiltrate the information to cloud storage accounts and prepares to deploy the ransomware program. To do this it leverages a script called TotalExec.ps1 that has also been used by cybercriminals behind the BlackBasta ransomware.

First, the attackers deploy a batch script called f1.bat that creates a new admin user account on the system and adds a secondary script called f2.bat to the system’s autorun list. This script extracts the ransomware binary from a 7zip archive and executes it with a series of flags. The PsExec tool is also used to execute the binary on remote systems.

The ransomware binary has three execution modes based on the flags passed to it — setup, configuration and encryption. In setup mode it will create a file called C:ProgramDatantuser.dat that is filled with encrypted configuration data for the ransomware. It then creates a scheduled task that executes the ransomware.

When executed with the encryption flag, the ransomware binary will extract and decrypt a hardcoded RSA public key. It then starts generating AES keys for file encryption, and those keys are then encrypted with the RSA public key. The process leverages the Envelope implementation from the OpenSSL library, meaning the resulting encrypted file will also contain the encrypted AES key that was used to encrypt the file. To recover the AES key, the user needs the private RSA key, which is in the attackers’ hands.

The Kroll report includes a breakdown of tactics, techniques, and procedures (TTPs) according to the MITRE ATT&CK framework, along with indicators of compromise. The researchers recommend keeping publicly facing systems, such as VPN appliances up to date, implementing password managers and two-factor authentication, monitoring systems for PowerShell execution and logging its use, auditing administrator and service accounts, implementing the principles of least privileges and reviewing backup strategies to include at least one backup that’s isolated from the enterprise network.