Microsoft warns of a scheme to spread malware that includes CACTUS ransomware


Microsoft has warned of a new wave of CACTUS ransomware attacks that use malicious ads to get onto victim machines, with DanaBot serving as the initial access vector.

The DanaBot infections caused “hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of CACTUS ransomware,” the Microsoft Threat Intelligence team wrote in a series of posts on X (formerly Twitter).

The tech giant is tracking DanaBot, a multifunctional tool in the same vein as Emotet, TrickBot, QakBot, and IcedID. It can act as an information stealer or as an entry point for delivering more advanced follow-on payloads.

Mandiant, a company owned by Google, wrote in February 2021 that UNC2198 had been seen attacking targets with IcedID to install ransomware families like Maze and Egregor.

Microsoft says the threat actor has also made use of initial access obtained through QakBot attacks. The switch to DanaBot is therefore likely a consequence of a coordinated law-enforcement operation in August 2023 that took down QakBot's infrastructure.

“The current Danabot campaign, first observed in November, appears to be using a private version of the info-stealing malware instead of the malware-as-a-service offering,” Redmond added.

The malware harvests user credentials and sends them to an actor-controlled server. From there, the attacker moves laterally by attempting RDP sign-ins with the stolen credentials and ultimately hands off access to Storm-0216.
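The article describes the post-infection stage as credential theft followed by RDP sign-ins across the network. One defender-side signal for that stage is a single source host and account establishing RemoteInteractive sessions (Windows Security event 4624, logon type 10) on many distinct hosts within a short window. The script below is an added detection example, not code from the article or from Microsoft; the log records, host names, thresholds and the `find_rdp_fanout` function are all constructed assumptions for illustration.

```python
"""Flag RDP lateral-movement fan-out in Windows Security logon events.

Added example (not from the article or from Microsoft). Detects a single
(source IP, account) pair that opens RDP sessions (event 4624, logon type 10)
on >= min_hosts distinct hosts within a sliding time window. All log records
below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, logon_type, account, source_ip, target_host).
# The first five rows model one account sweeping five hosts in four minutes;
# the helpdesk rows model normal, sparse admin activity hours apart.
SAMPLE_EVENTS = [
    ("2023-11-20T09:00:05", 4624, 10, "CORP\\jdoe", "10.1.1.50", "WS-014"),
    ("2023-11-20T09:01:12", 4624, 10, "CORP\\jdoe", "10.1.1.50", "WS-021"),
    ("2023-11-20T09:01:40", 4624, 10, "CORP\\jdoe", "10.1.1.50", "FS-01"),
    ("2023-11-20T09:02:03", 4624, 10, "CORP\\jdoe", "10.1.1.50", "SQL-02"),
    ("2023-11-20T09:03:30", 4624, 10, "CORP\\jdoe", "10.1.1.50", "DC-01"),
    ("2023-11-20T09:04:00", 4624, 2, "CORP\\asmith", "10.1.1.77", "WS-030"),
    ("2023-11-20T11:30:00", 4624, 10, "CORP\\helpdesk", "10.1.1.9", "WS-005"),
    ("2023-11-20T14:30:00", 4624, 10, "CORP\\helpdesk", "10.1.1.9", "WS-006"),
]


def parse_event(row):
    """Turn one constructed tuple into a dict with a parsed timestamp."""
    ts, event_id, logon_type, account, src, host = row
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": event_id,
        "logon_type": logon_type,
        "account": account,
        "src": src,
        "host": host,
    }


def find_rdp_fanout(events, window=timedelta(minutes=10), min_hosts=4):
    """Return {(source_ip, account): sorted target hosts} for pairs that reached
    at least `min_hosts` distinct hosts over RDP within any `window`-long span.

    Only successful RemoteInteractive logons (4624 / type 10) are considered;
    console and network logons are ignored so they do not inflate the count.
    """
    rdp = [e for e in events if e["event_id"] == 4624 and e["logon_type"] == 10]
    rdp.sort(key=lambda e: e["time"])

    by_key = defaultdict(list)
    for e in rdp:
        by_key[(e["src"], e["account"])].append(e)

    alerts = {}
    for key, evs in by_key.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] spans at most `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            hosts = {x["host"] for x in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                # Accumulate every host seen in any qualifying window for this pair.
                alerts[key] = sorted(hosts | set(alerts.get(key, [])))
    return alerts


if __name__ == "__main__":
    hits = find_rdp_fanout([parse_event(r) for r in SAMPLE_EVENTS])
    for (src, account), hosts in hits.items():
        print(f"RDP fan-out from {src} as {account}: {', '.join(hosts)}")
```

The window and host threshold are tuning knobs: a ten-minute window with four hosts catches the sweep in the sample while leaving the spaced-out helpdesk sessions alone, but the right values depend on how much legitimate RDP administration an environment sees. Pairing this with a check that the same credentials were used from a source host the account has never logged into before tightens the signal further.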

This news comes just days after Arctic Wolf uncovered another cluster of CACTUS ransomware attacks that are actively exploiting major vulnerabilities in the Qlik Sense data analytics platform to break into business networks.

It also follows the discovery of a new macOS ransomware strain called Turtle. Turtle is written in Go and is only ad-hoc signed, so Gatekeeper protections block it from running when it is launched.
