Cactus Ransomware, BlackSuit, and more: Hacker’s Playbook Threat Coverage Round-up: June 29, 2023

In this version of the Hacker’s Playbook Threat Coverage round-up, we are highlighting newly added coverage for several recently discovered or analyzed ransomware and malware variants, including Cactus ransomware and BlackSuit ransomware, amongst others. SafeBreach customers can select and run these attacks and more from the SafeBreach Hacker’s Playbook™ to ensure coverage against these advanced threats. 

CACTUS Ransomware: What you need to know

Threat analysts from Kroll– a cyber risk advisory firm, identified a new ransomware variant, CACTUS that has been observed targeting large commercial organizations since March 2023. According to the researchers, the name CACTUS was chosen based on the ransom note “cAcTuS.readme.txt” where the threat actors self-identified themselves. This ransomware variant has been exploiting vulnerabilities in virtual private network (VPN) appliances to gain initial access to its victims. It’s important to know that:

• Its use of encryption to protect the ransomware binary sets it apart from other threats of this nature. Threat actors use a batch script to obtain the encryptor binary using the popular file archiver, 7-Zip. According to the Kroll researchers, the original ZIP archive is removed, and the new encryptor binary is deployed with a specific flag that allows it to execute. This is done in order to prevent the ransomware encryptor from being detected. 
• There are 3 primary modes of execution, according to Kroll researchers. Each one is selected with the use of a specific command line switch: setup (-s), read configuration (-r), and encryption (-i). The -s and -r arguments allow the threat actors to set up persistence and store data in a C:\ProgramData\ntuser.dat file that is later read by the encryptor when running with the -r command line argument. 
• For the file encryption to be possible, though, a unique AES key known only to the attackers must be provided using the -i command line argument.
• The CACTUS ransomware uses multiple extensions for the files it targets, depending on the processing state. When preparing a file for encryption, Cactus changes its extension to .CTS0. After encryption, the extension becomes .CTS1. It is also believed that CACTUS also has a “quick mode,” which is similar to a light encryption pass. Running the malware in quick and normal mode consecutively results in encrypting the same file twice and appending a new extension after each process (e.g. .CTS1.CTS7).
• Once in the network, threat actors use a scheduled task for persistent access using an SSH backdoor reachable from the command and control (C2) server. For deeper reconnaissance, threat actors use PowerShell commands to identify vulnerable endpoints and user accounts that have recently completed a successful login. 

To launch its attack, the ransomware was observed using several legitimate tools, including Splashtop, AnyDesk, SuperOps RMM, etc. Post-privilege-escalation, CACTUS threat actors run a batch script to uninstall the most commonly used antivirus (AV) products. CACTUS threat actors steal data from victims and exfiltrate it straight to cloud storage. Post-exfiltration, the threat actors have been observed encrypting victim data. 

SafeBreach Coverage of CACTUS Ransomware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against CACTUS ransomware.

• #8877 – Email Cactus ransomware as a ZIP attachment (INFILTRATION)
• #8876 – Email Cactus ransomware as a ZIP attachment (LATERAL_MOVEMENT) 
• #8875 – Transfer of Cactus ransomware over HTTP/S (INFILTRATION) 
• #8874 – Transfer of Cactus ransomware over HTTP/S (LATERAL_MOVEMENT) 
• #8873 – Pre-execution phase of Cactus ransomware (Windows) (HOST_LEVEL) 
• #8872 – Write Cactus ransomware to disk (HOST_LEVEL)

JackalControl Malware: What you need to know

GoldenJackal, an APT group, has developed a collection of .NET malware tools known as Jackal. The Jackal toolset includes components such as JackalControl, JackalWorm, JackalSteal, JackalPerInfo, and JackalScreenWatcher. GoldenJackal typically focuses its attacks on government and diplomatic entities primarily located in the Middle East and South Asia regions.

• JackalControl is a Trojan that allows attackers to remotely manipulate the targeted machine using a predetermined and supported command set. This malicious software empowers threat actors to run any desired program with specified arguments, retrieve files of their choice, save them to the local file system, and upload selected files from the local file system to the compromised machine. 
• JackalControl grants threat actors the power to disrupt operations, compromise privacy, and exploit the compromised victim machine for other malicious operations. It is believed that victims affected by JackalControl malware may experience unauthorized access to their systems, leading to data breaches, theft of sensitive information, and potential compromise of credentials. 
• Researchers believe that victims may get infected with JackalControl malware in one of two ways. Users may unknowingly download and execute a fake Skype installer named skype32.exe, which appears to be a legitimate Skype installation file. However, this file is a dropper containing the JackalControl Trojan and a genuine Skype for Business installer. Users who mistakenly run this file could unintentionally introduce malware onto their systems.
• Users could also become infected by opening a malicious Word document that utilizes a remote template injection technique, allowing a malicious HTML page to be downloaded on the victim’s computer. This HTML page exploits the Follina vulnerability, potentially allowing malware to be installed on the victim’s computer.

SafeBreach Coverage of JackalControl Malware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the malware variant.

• #8896 – Email JackalControl trojan as a ZIP attachment (INFILTRATION) 
• #8895 – Email JackalControl trojan as a ZIP attachment (LATERAL_MOVEMENT) 
• #8894 – Transfer of JackalControl trojan over HTTP/S (INFILTRATION) 
• #8893 – Transfer of JackalControl trojan over HTTP/S (LATERAL_MOVEMENT)
• #8892 – Pre-execution phase of JackalControl trojan (Windows) (HOST_LEVEL) 
• #8891 – Write JackalControl trojan to disk (HOST_LEVEL) 

BlackSuit Ransomware: What you need to know

A new ransomware variant that shares significant similarities to Royal ransomware has been observed targeting Windows and Linux operating system users. According to Trend Micro researchers, this ransomware is 98% similar in functions, 99.5% similar in blocks, and nearly 98.9% similar in jumps to the Royal ransomware variant. This ransomware was first identified by Unit42 researchers in May 2023 and runs a double extortion scheme that steals and encrypts sensitive data in a compromised network in return for monetary compensation. Data associated with a single victim has been listed on its dark web leak site.

Trend Micro researchers highlight that both BlackSuit and Royal use OpenSSL’s AES for encryption and utilize similar intermittent encryption techniques to speed up the encryption process. Additionally, BlackSuit incorporates additional command-line arguments and avoids a different list of files with specific extensions during enumeration and encryption.

SafeBreach Coverage of BlackSuit Ransomware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against this ransomware variant:

• #8927 – Email BlackSuit ransomware as a ZIP attachment (INFILTRATION) 
• #8926 – Email BlackSuit ransomware as a ZIP attachment (LATERAL_MOVEMENT) 
• #8925 – Transfer of BlackSuit ransomware over HTTP/S (INFILTRATION) 
• #8924 – Transfer of BlackSuit ransomware over HTTP/S (LATERAL_MOVEMENT) 
• #8923 – Pre-execution phase of BlackSuit ransomware (Windows) (HOST_LEVEL) 
• #8922 – Write BlackSuit ransomware to disk (HOST_LEVEL) 

MoneyBird Ransomware: What you need to know

CheckPoint researchers have identified a new ransomware strain called MoneyBird while investigating a ransomware attack against an Israeli organization. Based on their research they believe that the TTPs leveraged in the attack were similar to those used by a threat actor known as Agrius. Agrius is an Iranian threat actor first identified in 2021 and has been involved on several ransomware and wiper attacks on Israeli organizations.

• This new ransomware variant is written in C++ and highlights the Agrius group’s improving capabilities in developing new malware variants. The name embedded within the ransomware sample reveals that the encryptor shares the same name that appears in the ransom note for the attack. 
• Threat actors initially gain access to corporate networks by exploiting vulnerabilities in public-facing servers, giving Agrius an initial foothold within the organization’s network. Following initial access, the threat actors hide behind ProtonVPN nodes to deploy variants of ASPXSpy webshells hidden inside “Certificate” text files.
• Once the webshells are deployed, attackers proceed to use open-source tools that help in network reconnaissance using SoftPerfect Network Scanner, lateral movement, secure communication using Plink/PuTTY, credential stealing with ProcDump, and the exfiltration of data using FileZilla.
• Upon launch, the C++ ransomware strain will encrypt target files using AES-256 with GCM (Galois/Counter Mode), generating unique encryption keys for every file and appending encrypted metadata at their end.

The cybersecurity community believes that Agrius intends to primarily disrupt business operations as opposed to locking down victim computers. The threat actors intend to use revenue generated from this ransomware operation to further their malicious activities.

SafeBreach Coverage of MoneyBird Ransomware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against this ransomware variant:

• #8939 – Email Moneybird (afd94e) ransomware as a ZIP attachment (INFILTRATION) 
• #8938 – Email Moneybird (afd94e) ransomware as a ZIP attachment (LATERAL_MOVEMENT) 
• #8937 – Transfer of Moneybird (afd94e) ransomware over HTTP/S (INFILTRATION) 
• #8936 – Transfer of Moneybird (afd94e) ransomware over HTTP/S (LATERAL_MOVEMENT)
• #8935 – Pre-execution phase of Moneybird (afd94e) ransomware (Windows) (HOST_LEVEL)
• #8934 – Write Moneybird (afd94e) ransomware to disk (HOST_LEVEL) – Automation
• #8933 – Email Moneybird ransomware as a ZIP attachment (INFILTRATION) 
• #8932 – Email Moneybird ransomware as a ZIP attachment (LATERAL_MOVEMENT) 
• #8931 – Transfer of Moneybird ransomware over HTTP/S (INFILTRATION) 
• #8930 – Transfer of Moneybird ransomware over HTTP/S (LATERAL_MOVEMENT) 
• #8929 – Pre-execution phase of Moneybird ransomware (Windows) (HOST_LEVEL) 
• #8928 – Write Moneybird ransomware to disk (HOST_LEVEL) 

Protecting against advanced ransomware with Breach and Attack Simulation (BAS)

SafeBreach now offers a complimentary and customized real-world ransomware assessment (RansomwareRx) that can allow you to gain unparalleled visibility into how your security ecosystem responds at each stage of the defense process. This ransomware assessment includes:

• Training – Understand the methodology around ransomware attacks, persistent threats, and malware attacks.
• Assessment – Review goals and ensure simulation connection to our management console and all configurations are complete.
• Attack Scenario – Run safe-by-design, real-world ransomware attacks across the cyber kill chain on a single device of your choice.
• Report – Receive a custom-built report that includes simulation results and actionable remediation insights.

Empower your team to understand more about ransomware attacks, methodologies, and behaviors—all through the lens of the attacker. Request your complimentary RansomwareRx assessment today.