Microsoft has issued a warning regarding a new wave of CACTUS ransomware attacks that utilize malvertising lures to deploy DanaBot as the initial access vector. The DanaBot infections subsequently lead to hands-on-keyboard activity by the ransomware operator Storm-0216, also known as Twisted Spider or UNC2198. This activity culminates in the deployment of the CACTUS ransomware.
DanaBot, identified as Storm-1044 by Microsoft, is a multifunctional tool capable of acting as a stealer and a point of entry for next-stage payloads, akin to other notorious malware such as Emotet, TrickBot, QakBot, and IcedID. The threat actor UNC2198 has been previously observed infecting endpoints with IcedID to deploy various ransomware families, including Maze and Egregor.
Microsoft suggests that the shift to DanaBot is likely a result of a coordinated law enforcement operation in August 2023 that took down QakBot’s infrastructure. The current DanaBot campaign, first observed in November, seems to be using a private version of the info-stealing malware rather than the malware-as-a-service offering.
The credentials stolen by DanaBot are transmitted to an actor-controlled server, leading to lateral movement via RDP sign-in attempts and ultimately providing access to Storm-0216. This warning from Microsoft comes on the heels of Arctic Wolf’s revelation about another set of CACTUS ransomware attacks exploiting critical vulnerabilities in the Qlik Sense data analytics platform. These attacks aim to gain access to corporate networks. Additionally, a new macOS ransomware strain called Turtle, written in the Go programming language and signed with an adhoc signature to bypass Gatekeeper protections, has recently been discovered. The collective emergence of these threats highlights the persistent and evolving nature of cybersecurity challenges, emphasizing the importance of robust defense measures.