Cactus Ransomware Develops New Tactic to Outsmart Antivirus Software by Encrypting Itself

  • Written by Ari Denial, Cybersecurity & Tech Writer

According to a report by Kroll, cybersecurity researchers have identified a new ransomware strain, CACTUS, that exploits known vulnerabilities in VPN appliances to gain initial access to targeted networks. Once inside, the operators enumerate local and network user accounts and endpoints, create new user accounts, and then deploy the ransomware encryptor using custom scripts and scheduled tasks.

Kroll investigators report that Cactus protects its own binary with encryption to keep it from being detected. A batch script extracts the binary from a 7-Zip archive and then launches it with a specific command-line flag; Kroll assesses that this unusual staging exists to keep the encryptor out of sight of security tools.

Kroll's researchers found that the encryptor's configuration file and the RSA public key it needs for file encryption are stored in encrypted form and are decrypted at run time with a unique AES key known only to the attackers. The key is supplied when the encryptor is launched rather than being recoverable from the binary alone, so antivirus and network monitoring tools that inspect the file on disk have little to match on, and analysts cannot fully run or analyze the sample without it. The binary has three execution modes.

Running the binary with the correct key in the -i (encryption) parameter unlocks the configuration and lets the ransomware enumerate files and begin a multi-threaded encryption process. Kroll has published a diagram showing how the Cactus binary behaves depending on which parameter it is launched with.

According to ransomware expert Michael Gillespie, Cactus changes a file's extension according to its processing state: the extension becomes .CTS0 when the file is staged for encryption and .CTS1 once it has been encrypted. Cactus also has a quick mode; when it is used, the same file ends up encrypted twice, with a new extension appended after each pass. Across the incidents Kroll has handled, the digit at the end of the .CTS extension varies, so detection logic should not key on .CTS1 alone.
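The chain Kroll describes (batch script, 7-Zip extraction, launch with -i, then .CTS&lt;n&gt; renames) can be turned into detection logic. The following is an added example, not Kroll's or any vendor's tooling: it runs two heuristics over constructed Sysmon-style process-creation and file-rename events. The image paths, PIDs and key value are hypothetical, and the assumption that the key follows -i as a separate argument is the author's; only the -i flag and the .CTS0/.CTS1 extensions come from the article.

```python
"""Two detection heuristics for the CACTUS deployment chain described above.
Added example; the telemetry below is constructed, not from a real incident."""
import re
from collections import defaultdict

# Extension family used during processing: .CTS0 before encryption, .CTS1 after,
# and other trailing digits seen across incidents (article). Matched case-insensitively.
CTS_EXT = re.compile(r"\.cts(\d+)$", re.IGNORECASE)

# Constructed Sysmon-style process-creation events (hypothetical paths and PIDs),
# listed in time order. The first tree mimics the batch -> 7-Zip -> encryptor chain;
# the second is a benign admin extracting an archive and running an installer.
PROCESS_EVENTS = [
    {"pid": 4100, "ppid": 900,  "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\Public\deploy.bat"},
    {"pid": 4112, "ppid": 4100, "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe x C:\Users\Public\payload.7z -oC:\Users\Public -y"},
    {"pid": 4130, "ppid": 4100, "image": r"C:\Users\Public\svc.exe",
     "cmdline": r"svc.exe -i 0123456789abcdef0123456789abcdef"},   # key format assumed
    {"pid": 5000, "ppid": 700,  "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c build.bat"},
    {"pid": 5010, "ppid": 5000, "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe x tools.7z -oC:\tools -y"},
    {"pid": 5020, "ppid": 5000, "image": r"C:\tools\setup.exe",
     "cmdline": r"setup.exe /quiet"},
]

# Constructed file-rename events (e.g. EDR rename telemetry), hypothetical paths.
RENAME_EVENTS = [
    {"pid": 4130, "old": r"C:\Data\q1.xlsx",      "new": r"C:\Data\q1.xlsx.CTS0"},
    {"pid": 4130, "old": r"C:\Data\q1.xlsx.CTS0", "new": r"C:\Data\q1.xlsx.CTS1"},
    {"pid": 4130, "old": r"C:\Data\notes.docx",   "new": r"C:\Data\notes.docx.CTS0"},
    {"pid": 6000, "old": r"C:\Data\report.docx",  "new": r"C:\Data\report.docx.bak"},
]

SEVENZIP_IMAGE = re.compile(r"(^|\\)7z[a-z]*\.exe$", re.IGNORECASE)       # 7z.exe, 7za.exe, 7zr.exe
SEVENZIP_EXTRACT = re.compile(r"\b7z[a-z]*\.exe\s+[xe]\b", re.IGNORECASE)  # 'x' / 'e' extract verbs
KEY_FLAG = re.compile(r"(^|\s)-i\s+\S+")   # '-i <value>'; the value format is an assumption


def seven_zip_then_key_exec(events):
    """Return parent PIDs under which a 7-Zip extraction was followed by a
    non-7-Zip child launched with an '-i <value>' parameter."""
    children_of = defaultdict(list)
    for ev in events:
        children_of[ev["ppid"]].append(ev)
    hits = []
    for ppid, children in children_of.items():
        saw_extract = False
        for child in children:
            is_7z = bool(SEVENZIP_IMAGE.search(child["image"]))
            if is_7z and SEVENZIP_EXTRACT.search(child["cmdline"]):
                saw_extract = True
            elif saw_extract and not is_7z and KEY_FLAG.search(child["cmdline"]):
                hits.append(ppid)
                break
    return hits


def cts_stage(path):
    """Map a trailing .CTS<n> extension to the processing state Gillespie
    describes: 0 = staged for encryption, >=1 = encrypted. None if absent."""
    m = CTS_EXT.search(path)
    if not m:
        return None
    return "pre-encryption" if int(m.group(1)) == 0 else "encrypted"


def cts_rename_counts(events, threshold=2):
    """Count renames to a .CTS<n> extension per PID and return the PIDs at or
    above the threshold (one rename is weak evidence; a burst is not)."""
    counts = defaultdict(int)
    for ev in events:
        if cts_stage(ev["new"]) is not None:
            counts[ev["pid"]] += 1
    return {pid: n for pid, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("7-Zip -> '-i' execution under parent PIDs:", seven_zip_then_key_exec(PROCESS_EVENTS))
    print("PIDs renaming files to .CTS<n>:", cts_rename_counts(RENAME_EVENTS))
```

The process heuristic deliberately ignores 7-Zip extractions that are not followed by an `-i` launch under the same parent, which keeps ordinary admin use of 7-Zip quiet; the rename heuristic matches any trailing digit because the article notes the number varies between incidents.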

In the intrusions Kroll investigated, the threat actor maintained persistent access through an SSH backdoor that called back to a command-and-control (C2) server. For reconnaissance the attacker used SoftPerfect Network Scanner to find targets, PowerShell commands to gather information about the environment, and a modified version of the PSnmap tool for deeper enumeration.

FluHorse Malware Targets Android Devices, Steals Sensitive Data and Passwords

  • Written by Ari Denial, Cybersecurity & Tech Writer

Check Point Research has identified a new Android malware strain, “FluHorse”, that targets users in East Asia with malicious apps that imitate legitimate ones.

FluHorse has been active against organizations across several industries in East Asia since May 2022 and is distributed by email with the aim of stealing sensitive data such as banking details, passwords and 2FA codes. The attack starts with an email to a high-profile target urging them to resolve a payment-related issue; a link leads to a phishing site, which prompts the victim to download an APK. Once the fake app is installed, it harvests the victim's sensitive data.

Among the counterfeited apps are ETC, a toll-collection app used in Taiwan, and VPBank Neo, a Vietnamese banking app, each with more than 1 million downloads on the Google Play Store. Check Point Research also found that the campaign imitates a transport app with 100,000 installs, which it did not name.

The fake apps mimic the GUI of the legitimate apps but have very limited functionality, with only a few screens whose purpose is to capture the victim's information. Once the data has been captured, the fake app displays a “system is busy” message for roughly 10 minutes; this keeps the victim waiting, which makes the process look plausible, while the operators use the stolen credentials and intercept the incoming 2FA codes.

The malware is written in Dart using the Flutter framework, which makes it harder to decompile and reverse engineer. Check Point's analysis notes that the Flutter runtime on ARM keeps its own stack pointer in a non-standard register, so decompilers that assume the conventional stack pointer produce inaccurate pseudocode for the Dart-compiled code.
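Because Flutter compiles Dart to a native ahead-of-time snapshot, a Flutter-built APK carries its application logic in lib/&lt;abi&gt;/libapp.so alongside the engine in libflutter.so, while classes.dex holds only the Android embedding shim; spotting that up front tells an analyst to reach for Dart-aware tooling rather than a Java decompiler. The following added example (not Check Point's code) builds a constructed, minimal APK-like zip in memory and triages it for those markers. The marker filenames are Flutter's standard Android layout; the archive contents are placeholders, not a real app.

```python
"""Triage an APK for Flutter/Dart AOT markers. Added example using a constructed
sample archive; no real app is read."""
import io
import zipfile

# Standard Flutter Android layout: engine + Dart AOT snapshot per ABI.
FLUTTER_MARKERS = ("libflutter.so", "libapp.so")


def build_sample_apk(flutter=True, abis=("arm64-v8a", "armeabi-v7a")):
    """Construct a minimal APK-like zip (placeholder contents, not a runnable app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<placeholder binary XML>")
        z.writestr("classes.dex", b"dex\n035\x00placeholder")   # embedding shim only
        if flutter:
            for abi in abis:
                for lib in FLUTTER_MARKERS:
                    z.writestr(f"lib/{abi}/{lib}", b"\x7fELF placeholder")
    return buf.getvalue()


def triage_apk(apk_bytes):
    """Report whether the APK is a Flutter build, for which ABIs, and where the
    Dart code lives."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
    libs_by_abi = {}
    for name in names:
        parts = name.split("/")
        if len(parts) == 3 and parts[0] == "lib":
            libs_by_abi.setdefault(parts[1], set()).add(parts[2])
    flutter_abis = sorted(abi for abi, libs in libs_by_abi.items()
                          if all(m in libs for m in FLUTTER_MARKERS))
    return {
        "is_flutter": bool(flutter_abis),
        "flutter_abis": flutter_abis,
        "has_dex": "classes.dex" in names,
        # Where the Dart code actually lives; start reversing here, not in classes.dex.
        "dart_snapshots": [f"lib/{abi}/libapp.so" for abi in flutter_abis],
    }


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
    print(triage_apk(build_sample_apk(flutter=False)))
```

On a real sample, the same function pointed at the downloaded APK returns the list of libapp.so snapshots to pull into a disassembler; a Flutter app with several ABIs needs the arm64 snapshot analysed with the register quirk described above in mind.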

Despite this challenge, the researchers identified the functions responsible for stealing victims' data and communicating with the command-and-control (C2) server. Check Point warns that the campaign is ongoing and that new malicious apps and infrastructure appear regularly, so it remains an active threat to Android users.