Microsoft has warned of a new wave of CACTUS ransomware attacks that leverage malvertising lures to deploy DanaBot as an initial access vector.
The DanaBot infections led to “hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of CACTUS ransomware,” the Microsoft Threat Intelligence team said in a series of posts on X (formerly Twitter).
DanaBot, tracked by the tech giant as Storm-1044, is a multi-functional tool along the lines of Emotet, TrickBot, QakBot, and IcedID that is capable of acting as a stealer and a point of entry for next-stage payloads.
UNC2198, for its part, has previously been observed infecting endpoints with IcedID to deploy ransomware families such as Maze and Egregor, as detailed by Google-owned Mandiant in February 2021.
Per Microsoft, the threat actor has also taken advantage of initial access provided by QakBot infections. The switch to DanaBot is likely the result of a coordinated law enforcement operation in August 2023 that took down QakBot’s infrastructure.
“The current Danabot campaign, first observed in November, appears to be using a private version of the info-stealing malware instead of the malware-as-a-service offering,” Redmond further noted.
The credentials harvested by the malware are transmitted to an actor-controlled server, which is followed by lateral movement via RDP sign-in attempts and, ultimately, a hand-off of access to Storm-0216.
The disclosure comes days after Arctic Wolf revealed another set of CACTUS ransomware attacks that are actively exploiting critical vulnerabilities in a data analytics platform called Qlik Sense to gain access to corporate networks.
It also follows the discovery of a new macOS ransomware strain dubbed Turtle that is written in the Go programming language and is signed with an ad-hoc signature, thereby preventing it from being executed upon launch due to Gatekeeper protections.