Microsoft has issued a warning regarding a fresh wave of CACTUS ransomware attacks that use malvertising lures to deliver DanaBot as the initial access vector.
In a series of posts on X (formerly Twitter), the Microsoft Threat Intelligence team claimed that the DanaBot infections resulted in “hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of CACTUS ransomware.”
DanaBot, tracked by Microsoft as Storm-1044, is a multipurpose tool in the same mould as TrickBot, IcedID, Emotet, and QakBot: it serves both as an initial-access foothold and as an information stealer, and it drops later-stage payloads onto the infected host.
As previously reported by Google-owned Mandiant in February 2021, UNC2198 has been observed to infect endpoints with IcedID to deploy ransomware families like Maze and Egregor.
Microsoft notes that the threat actor has also profited in the past from initial access obtained through QakBot infections. The switch to DanaBot is most likely a consequence of the coordinated law enforcement operation in August 2023 that dismantled QakBot's infrastructure.
“The current Danabot campaign, first observed in November, appears to be using a private version of the info-stealing malware instead of the malware-as-a-service offering,” Redmond added.
Once DanaBot has harvested credentials, it sends them to an actor-controlled server. This is followed by lateral movement through RDP sign-in attempts and, ultimately, a hand-off of the access to Storm-0216.
The announcement coincides with the revelation by Arctic Wolf a few days ago of another group of CACTUS ransomware attacks that are actively taking advantage of serious flaws in the Qlik Sense data analytics platform to breach corporate networks.
It also comes after the discovery of a new macOS ransomware strain called Turtle. Turtle is written in the Go programming language and carries only an ad-hoc code signature, so Gatekeeper blocks it from running when it is launched from a quarantined download; in practice that means it only executes if the quarantine attribute is stripped or the user explicitly overrides the Gatekeeper prompt.
CACTUS Ransomware Takes Advantage of Malvertising
Microsoft's threat intelligence team has released a warning regarding a new wave of CACTUS ransomware attacks. Malvertising lures are used in these attacks to deliver DanaBot as the initial point of entry. The DanaBot infections then enabled "hands-on-keyboard activity" by the ransomware operator Storm-0216 (Twisted Spider), which culminated in the deployment of CACTUS ransomware.
DanaBot is a multipurpose tool that functions similarly to Emotet, TrickBot, QakBot, and IcedID. Microsoft tracks it under the name Storm-1044. It works both as an information stealer and as a loader that fetches later-stage payloads. The same threat actor, UNC2198, has previously been observed infecting endpoints with IcedID to distribute ransomware families such as Maze and Egregor.
Microsoft assesses that the switch from QakBot to DanaBot was probably prompted by the coordinated law enforcement action in August 2023 that took down QakBot's infrastructure. Rather than the usual malware-as-a-service offering, the DanaBot campaign first observed in November appears to use a private build of the information-stealing malware.
DanaBot sends the credentials it has gathered to a server under threat actor control. The operators then use those credentials for RDP sign-in attempts across the network to move laterally, after which access is handed off to Storm-0216.
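The hand-off described above, and in the earlier paragraph on DanaBot sending harvested credentials to the actor's server, shows up in Windows Security logs as one account (and one source address) attempting RDP sign-ins against many different hosts in a short window. The following detection logic is an added example written for this page, not code from Microsoft or from the article; the JSON event lines, host names, accounts and IP addresses are constructed for illustration, and the field names follow the Windows Security event schema (EventID 4624/4625, LogonType 10 for RemoteInteractive/RDP, TargetUserName, IpAddress, Computer).

```python
"""Flag RDP lateral-movement candidates in Windows Security event logs.

Added example for this page (not Microsoft's or the article's code).
Heuristic: a single (account, source IP) pair producing RDP logon
attempts (LogonType 10, EventID 4624 success / 4625 failure) against
at least `min_targets` distinct hosts within `window`.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, flattened to JSON the way a log forwarder
# might emit them. Hosts, accounts and addresses are hypothetical.
SAMPLE_EVENTS = [
    '{"TimeCreated":"2023-11-20T03:12:05","EventID":4625,"LogonType":10,"TargetUserName":"svc_backup","IpAddress":"10.0.0.25","Computer":"WS01.corp.local"}',
    '{"TimeCreated":"2023-11-20T03:13:40","EventID":4624,"LogonType":10,"TargetUserName":"alice","IpAddress":"10.0.0.7","Computer":"WS07.corp.local"}',
    '{"TimeCreated":"2023-11-20T03:14:10","EventID":4625,"LogonType":10,"TargetUserName":"svc_backup","IpAddress":"10.0.0.25","Computer":"WS02.corp.local"}',
    '{"TimeCreated":"2023-11-20T03:15:02","EventID":4624,"LogonType":3,"TargetUserName":"svc_backup","IpAddress":"10.0.0.25","Computer":"FS01.corp.local"}',
    '{"TimeCreated":"2023-11-20T03:16:30","EventID":4625,"LogonType":10,"TargetUserName":"svc_backup","IpAddress":"10.0.0.25","Computer":"FS01.corp.local"}',
    '{"TimeCreated":"2023-11-20T03:18:55","EventID":4624,"LogonType":10,"TargetUserName":"svc_backup","IpAddress":"10.0.0.25","Computer":"DC01.corp.local"}',
    '{"TimeCreated":"2023-11-20T03:20:00","EventID":4624,"LogonType":10,"TargetUserName":"bob","IpAddress":"10.0.0.31","Computer":"WS03.corp.local"}',
    '{"TimeCreated":"2023-11-20T03:25:00","EventID":4624,"LogonType":10,"TargetUserName":"bob","IpAddress":"10.0.0.31","Computer":"WS03.corp.local"}',
]

RDP_LOGON_TYPE = 10  # RemoteInteractive (RDP) in Windows logon events


def parse_events(lines):
    """Keep only RDP logon successes/failures, normalised and time-sorted."""
    events = []
    for line in lines:
        e = json.loads(line)
        if e.get("EventID") not in (4624, 4625):
            continue
        if int(e.get("LogonType", -1)) != RDP_LOGON_TYPE:
            continue  # network/service logons are a different signal
        events.append({
            "time": datetime.fromisoformat(e["TimeCreated"]),
            "account": e["TargetUserName"].lower(),
            "source": e.get("IpAddress", "-"),
            "target": e["Computer"].split(".")[0].lower(),
            "success": e["EventID"] == 4624,
        })
    return sorted(events, key=lambda ev: ev["time"])


def find_rdp_spray(events, window=timedelta(minutes=10), min_targets=3):
    """Return one alert per (account, source) that reached >= min_targets
    distinct hosts over RDP inside any `window`-long span."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["account"], ev["source"])].append(ev)

    alerts = []
    for (account, source), evs in by_key.items():
        best, start = None, 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            span = evs[start:end + 1]
            targets = {e["target"] for e in span}
            if len(targets) >= min_targets and (
                best is None or len(targets) > len(best["targets"])
            ):
                best = {
                    "account": account,
                    "source": source,
                    "targets": sorted(targets),
                    "failures": sum(not e["success"] for e in span),
                    "successes": sum(e["success"] for e in span),
                    "first": span[0]["time"].isoformat(),
                    "last": span[-1]["time"].isoformat(),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_spray(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert, indent=2))
```

On the constructed sample the only hit is `svc_backup` from 10.0.0.25, which touched four hosts in under seven minutes with three failures before a success on the domain controller; `alice` and `bob` each stay on a single host and are ignored, as is the LogonType 3 network logon. The thresholds are starting points: tune `min_targets` and `window` against your own baseline of legitimate admin RDP activity, and treat a failure-then-success sequence against a domain controller as higher priority than a clean run of successes.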
Microsoft's disclosure follows shortly after Arctic Wolf revealed yet another wave of CACTUS ransomware attacks that actively exploit serious flaws in the widely used Qlik Sense data analytics platform to breach corporate networks. Taken together, the two campaigns show the CACTUS operators pursuing both malware-delivered and internet-facing-application routes into enterprise environments.