{"id":90489,"date":"2018-07-26T06:00:32","date_gmt":"2018-07-26T13:00:32","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=90489"},"modified":"2025-05-28T23:01:47","modified_gmt":"2025-05-29T06:01:47","slug":"cactustorch-fileless-threat-abuses-net-to-infect-victims","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cactustorch-fileless-threat-abuses-net-to-infect-victims\/","title":{"rendered":"CactusTorch Fileless Threat Abuses .NET to Infect Victims"},"content":{"rendered":"

McAfee Labs has noticed a significant shift by some actors toward using trusted Windows executables, rather than external malware, to attack systems. One of the most popular techniques is a \u201cfileless\u201d attack.<\/a> Because these attacks are launched through reputable executables, they are hard to detect. Both consumers and corporate users can fall victim to this threat. In corporate environments, attackers use this vector to move laterally through the network.<\/p>\n

One fileless threat, CactusTorch, uses the DotNetToJScript technique, which loads and executes malicious .NET assemblies straight from memory. These assemblies are the smallest unit of deployment of an application, such as a .dll or .exe. As with other fileless attack techniques, DotNetToJScript does not write any part of the malicious .NET assembly on a computer\u2019s hard drive; hence traditional file scanners fail to detect these attacks.<\/p>\n

In 2018 we have seen rapid growth in the use of CactusTorch, which can execute custom shellcode<\/a> on Windows systems. The following chart shows the rise of CactusTorch variants in the wild.<\/p>\n

\"\"<\/a><\/p>\n

Source: McAfee Labs.<\/em><\/p>\n

The DotNetToJScript tool kit<\/strong><\/h2>\n

Compiling the DotNetToJScript tool gives us the .NET executable DotNetToJScript.exe, which accepts the path of a .NET assembly and outputs a JavaScript file.<\/p>\n

 <\/p>\n

\"\"<\/a><\/p>\n

Figure 1: Using DotNetToJScript.exe to create a malicious JavaScript file. <\/em><\/p>\n

The DotNetToJScript tool kit is never shipped with malware. The only component created is the output JavaScript file, which is executed on the target system by the script host (wscript.exe). For our analysis, we ran some basic deobfuscation and found CactusTorch<\/a>, which had been hidden by some online tools:<\/p>\n

\"\"<\/a><\/p>\n

Figure 2: CactusTorch code.<\/em><\/p>\n

Before we dive into this code, we need to understand .NET and its COM exposure. When we install the .NET framework on any system, several .NET libraries are exposed via Microsoft\u2019s Component Object Model (COM).<\/p>\n

\"\"<\/a><\/p>\n

Figure 3: COM exposing the .NET library System.Security.Cryptography.FromBase64Transform.<\/em><\/p>\n

If we look at the exposed interfaces, we can see IDispatch, which allows the COM object to be accessed from the script host or a browser.<\/p>\n

\"\"<\/a><\/p>\n

Figure 4: Exposed interfaces in a .NET library.<\/em><\/p>\n

To execute malicious code using the DotNetToJScript vector, an attack uses the following COM objects:<\/p>\n