Microsoft Warns of Malvertising Scheme Spreading CACTUS Ransomware


Dec 04, 2023 | Newsroom | Ransomware / Cyber Attack

Microsoft has warned of a new wave of CACTUS ransomware attacks that leverage malvertising lures to deploy DanaBot as an initial access vector.

The DanaBot infections led to “hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of CACTUS ransomware,” the Microsoft Threat Intelligence team said in a series of posts on X (formerly Twitter).

DanaBot, tracked by the tech giant as Storm-1044, is a multi-functional tool along the lines of Emotet, TrickBot, QakBot, and IcedID that’s capable of acting as a stealer and a point of entry for next-stage payloads.

UNC2198, for its part, has been previously observed infecting endpoints with IcedID to deploy ransomware families such as Maze and Egregor, as detailed by Google-owned Mandiant in February 2021.

Per Microsoft, the threat actor has also taken advantage of initial access provided by QakBot infections. The switch to DanaBot is likely a consequence of the coordinated law enforcement operation in August 2023 that dismantled QakBot's infrastructure.

“The current Danabot campaign, first observed in November, appears to be using a private version of the info-stealing malware instead of the malware-as-a-service offering,” Redmond further noted.

The credentials harvested by the malware are transmitted to an actor-controlled server. Lateral movement via RDP sign-in attempts follows, and the resulting access is ultimately handed off to Storm-0216.
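The hand-off chain described above (credentials stolen by the stealer, then RDP sign-in attempts fanning out across the network before the ransomware crew takes over) leaves a recognisable trace in Windows Security logs: one source address generating RDP-type (LogonType 10) logon failures against several hosts or accounts, often followed by a success. The following is an added example, not code from Microsoft or from the report, that runs a simple version of that detection over a constructed set of 4624/4625 records; the field names, thresholds and sample IPs are assumptions for illustration, not taken from the campaign.

```python
"""
Added example: flag RDP spray / lateral-movement patterns in Windows
Security logon events. Not part of the original report; the records
below are constructed, not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Windows Security event IDs and the RDP interactive logon type.
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10

# Constructed sample records (assumed SIEM normalisation of 4624/4625 fields).
SAMPLE_EVENTS = [
    # 10.0.5.23 tries harvested credentials against several hosts, then gets in.
    {"time": "2023-11-20T02:11:05", "host": "WS-101", "event_id": 4625, "logon_type": 10, "user": "jdoe", "src_ip": "10.0.5.23"},
    {"time": "2023-11-20T02:11:09", "host": "WS-102", "event_id": 4625, "logon_type": 10, "user": "jdoe", "src_ip": "10.0.5.23"},
    {"time": "2023-11-20T02:11:14", "host": "WS-103", "event_id": 4625, "logon_type": 10, "user": "svc_backup", "src_ip": "10.0.5.23"},
    {"time": "2023-11-20T02:11:20", "host": "FS-01", "event_id": 4625, "logon_type": 10, "user": "svc_backup", "src_ip": "10.0.5.23"},
    {"time": "2023-11-20T02:11:31", "host": "FS-01", "event_id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "10.0.5.23"},
    # Benign: an admin mistypes a password once, then signs in to one host.
    {"time": "2023-11-20T08:02:00", "host": "DC-01", "event_id": 4625, "logon_type": 10, "user": "admin.ops", "src_ip": "10.0.9.7"},
    {"time": "2023-11-20T08:02:12", "host": "DC-01", "event_id": 4624, "logon_type": 10, "user": "admin.ops", "src_ip": "10.0.9.7"},
    # Network logon (type 3), not RDP: this rule ignores it.
    {"time": "2023-11-20T08:05:00", "host": "WS-104", "event_id": 4624, "logon_type": 3, "user": "jdoe", "src_ip": "10.0.5.23"},
]


@dataclass
class SourceStats:
    """Per-source-IP tally of RDP logon outcomes."""
    failed: int = 0
    succeeded: int = 0
    hosts: set = field(default_factory=set)
    users: set = field(default_factory=set)
    first_seen: str = ""
    last_seen: str = ""


def summarise_rdp_by_source(events):
    """Group RDP (LogonType 10) 4624/4625 events by source address."""
    stats = defaultdict(SourceStats)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        if ev["event_id"] == FAILED_LOGON:
            outcome = "failed"
        elif ev["event_id"] == SUCCESS_LOGON:
            outcome = "succeeded"
        else:
            continue
        s = stats[ev["src_ip"]]
        setattr(s, outcome, getattr(s, outcome) + 1)
        s.hosts.add(ev["host"])
        s.users.add(ev["user"])
        s.first_seen = s.first_seen or ev["time"]
        s.last_seen = ev["time"]
    return stats


def find_rdp_lateral_movement(events, min_hosts=3, min_failures=3):
    """Return sources whose RDP attempts span many hosts with repeated failures.

    Thresholds are assumptions; tune them to the environment. A single
    mistyped password against one host (the admin case above) stays quiet.
    """
    findings = []
    for src, s in summarise_rdp_by_source(events).items():
        if len(s.hosts) >= min_hosts and s.failed >= min_failures:
            findings.append({
                "src_ip": src,
                "hosts": sorted(s.hosts),
                "users": sorted(s.users),
                "failed": s.failed,
                "succeeded": s.succeeded,
                "window": (s.first_seen, s.last_seen),
            })
    return findings


if __name__ == "__main__":
    for f in find_rdp_lateral_movement(SAMPLE_EVENTS):
        print(f"{f['src_ip']}: {f['failed']} RDP failures across "
              f"{len(f['hosts'])} hosts ({', '.join(f['users'])}), "
              f"{f['succeeded']} success(es), {f['window'][0]} .. {f['window'][1]}")
```

A success following the burst is the interesting case, since it marks where hands-on-keyboard activity can start; feeding the flagged source and time window into a search for new services, scheduled tasks or RDP sessions on the target host is the natural next step. On real data, filter on `TargetUserName` and `IpAddress` from the event XML and exclude known jump hosts and session brokers before applying the thresholds.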

The disclosure comes days after Arctic Wolf revealed another set of CACTUS ransomware attacks that are actively exploiting critical vulnerabilities in a data analytics platform called Qlik Sense to gain access to corporate networks.

It also follows the discovery of a new macOS ransomware strain dubbed Turtle, written in Go and carrying only an ad-hoc code signature, so Gatekeeper blocks it from running on launch.
