CactusTorch abuses .NET to infect systems

Researchers from McAfee Labs have spotted a significant spike in a fileless cyber threat dubbed CactusTorch. 

CactusTorch uses trusted Windows executables, instead of external malware, to attack target systems. Fileless attacks of this kind are much harder for security monitoring systems to detect.

McAfee said they have seen rapid growth in the use of CactusTorch and the number of variants since early 2018. 

One of the CactusTorch fileless attacks uses the “DotNetToJScript” technique, as McAfee describes:

“These assemblies are the smallest unit of deployment of an application, such as a .dll or .exe. As with other fileless attack techniques, DotNetToJScript does not write any part of the malicious .NET assembly on a computer’s hard drive; hence traditional file scanners fail to detect these attacks.” 

McAfee suggested their Endpoint Security (ENS) and Host Intrusion Prevention System (HIPS) products can protect customers from this class of fileless attack via Signature ID 6118.