Microsoft has warned of a new wave of CACTUS ransomware attacks that leverage malvertising lures to deploy DanaBot as an original access vector.
The DanaBot bacterial infections led to “hands-on-keyboard action by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of CACTUS ransomware,” the Microsoft Risk Intelligence workforce explained in a collection of posts on X (formerly Twitter).
DanaBot, tracked by the tech giant as Storm-1044, is a multi-purposeful software together the lines of Emotet, TrickBot, QakBot, and IcedID which is able of performing as a stealer and a position of entry for following-stage payloads.
UNC2198, for its aspect, has been earlier observed infecting endpoints with IcedID to deploy ransomware families these kinds of as Maze and Egregor, as detailed by Google-owned Mandiant in February 2021.
Per Microsoft, the danger actor has also taken edge of preliminary access supplied by QakBot infections. The transform to DanaBot is likely the end result of a coordinated law enforcement procedure in August 2023 that took down QakBot’s infrastructure.
“The recent Danabot campaign, first observed in November, appears to be utilizing a private variation of the data-thieving malware as a substitute of the malware-as-a-services offering,” Redmond even more pointed out.
The qualifications harvested by the malware are transmitted to an actor-controlled server, which is adopted by lateral movement by way of RDP indication-in makes an attempt and in the end handing off accessibility to Storm-0216.
The disclosure comes times soon after Arctic Wolf revealed yet another established of CACTUS ransomware attacks that are actively exploiting critical vulnerabilities in a details analytics system named Qlik Feeling to acquire accessibility to corporate networks.
It also follows the discovery of a new macOS ransomware strain dubbed Turtle that’s penned in the Go programming language and is signed with an adhoc signature, thereby stopping it from becoming executed upon launch because of to Gatekeeper protections.
Observed this short article appealing? Observe us on Twitter and LinkedIn to study much more distinctive content we submit.
Some components of this report are sourced from: