Microsoft has issued a warning about a new wave of CACTUS ransomware attacks that use malvertising lures to deploy DanaBot as the initial access vector.
The DanaBot infections resulted in “hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of CACTUS ransomware,” according to a series of posts on X by the Microsoft Threat Intelligence team.
DanaBot, also known as Storm-1044 by the tech giant, is a multi-functional tool similar to Emotet, TrickBot, QakBot, and IcedID that can act as a stealer and a point of entry for next-stage payloads. UNC2198, for its part, has previously been observed infecting endpoints with IcedID in order to deploy ransomware families such as Maze and Egregor, as detailed in February 2021 by Google-owned Mandiant.
According to Microsoft, the threat actor also took advantage of the initial access provided by QakBot infections. The switch to DanaBot is therefore most likely a consequence of the coordinated law enforcement operation in August 2023 that brought down QakBot's infrastructure.
“The current Danabot campaign, first observed in November, appears to be using a private version of the info-stealing malware instead of the malware-as-a-service offering,” Redmond also noted.
The malware sends the credentials it collects to an actor-controlled server. This is followed by lateral movement via RDP sign-in attempts and, finally, the hand-over of access to Storm-0216.
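The credential-theft-then-RDP chain above is the stage a defender can see in authentication telemetry. The following is an added detection example, not code from Microsoft or the article: it scans constructed Windows logon events (IDs 4624/4625, logon type 10 for RDP) in an assumed simplified CSV shape and flags any account/source pair that reaches several distinct hosts over RDP within a short window.

```python
"""Flag the RDP lateral-movement pattern: one principal opening RDP sessions
(logon type 10) to many distinct hosts in a short window.
The CSV layout below is an assumed export format for illustration; the field
names mirror Windows 4624/4625 event fields but the records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp,event_id,logon_type,account,source_ip,target_host
SAMPLE_LOG = """\
2023-11-20T09:00:05,4624,10,corp\\jdoe,10.0.5.21,FS01
2023-11-20T09:00:41,4625,10,corp\\jdoe,10.0.5.21,SQL02
2023-11-20T09:01:03,4624,10,corp\\jdoe,10.0.5.21,SQL02
2023-11-20T09:01:30,4624,10,corp\\jdoe,10.0.5.21,DC01
2023-11-20T09:02:12,4624,10,corp\\jdoe,10.0.5.21,WEB03
2023-11-20T09:05:00,4624,2,corp\\asmith,10.0.7.9,WS-ASMITH
2023-11-20T13:00:00,4624,10,corp\\helpdesk,10.0.2.2,WS-1041
"""

def parse(log: str):
    """Turn the CSV text into (time, event_id, logon_type, account, src, host) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, eid, ltype, acct, src, host = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), acct, src, host))
    return events

def find_rdp_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Return {(account, source_ip): sorted hosts} for each principal that attempted
    RDP (logon type 10) to at least `min_hosts` distinct hosts within `window`.
    Failed logons (4625) count as well: stolen credentials tried against many
    hosts typically produce a mix of successes and failures."""
    rdp = sorted(e for e in events if e[2] == 10 and e[1] in (4624, 4625))
    by_principal = defaultdict(list)
    for ts, _, _, acct, src, host in rdp:
        by_principal[(acct, src)].append((ts, host))
    alerts = {}
    for key, seq in by_principal.items():
        for i, (start, _) in enumerate(seq):      # slide the window over each start
            hosts = {h for t, h in seq[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts[key] = sorted(hosts)
                break
    return alerts

if __name__ == "__main__":
    for (acct, src), hosts in find_rdp_fanout(parse(SAMPLE_LOG)).items():
        print(f"ALERT: {acct} from {src} reached {len(hosts)} hosts via RDP: {hosts}")
```

On the sample, only the jdoe/10.0.5.21 pair trips the rule; the interactive logon (type 2) and the single help-desk RDP session do not.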
The announcement comes just days after Arctic Wolf revealed another set of CACTUS ransomware attacks that are actively exploiting critical vulnerabilities in the Qlik Sense data analytics platform to gain access to corporate networks.
It also comes on the heels of the discovery of Turtle, a new macOS ransomware strain written in the Go programming language and signed with an ad hoc signature, which prevents it from being executed upon launch due to Gatekeeper protections.