Microsoft has warned of a new wave of Cactus ransomware attacks that take advantage of the malware’s greed to deploy DanaBot as an initial access vector.
The DanaBot infections led to “hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of CACTUS ransomware,” the Microsoft Threat Intelligence team said in a series of posts on Twitter.
DanaBot, tracked by the tech giant as Storm-1044, is a multi-functional tool along the lines of Emotet, TrickBot, QakBot, and IcedID that’s capable of acting as a stealer and a point of entry for next-stage payloads.
UNC2198, for its part, has previously been seen deploying ransomware families like Maze and Egregor to infect endpoints with IcedID, as detailed by Google-owned Mandiant in February 2021.
According to Microsoft, threat actors have also taken advantage of the early access provided by QakBot infections. Therefore, the change to DanaBot is likely the result of a coordinated law enforcement operation in August 2023 that destroyed QakBot’s infrastructure.
“The current Danabot campaign, first observed in November, appears to use a private version of information-stealing malware rather than offering the malware as a service,” Redmond said.
The credentials collected by the malware are transmitted to an actor-controlled server, followed by lateral movement via RDP sign-in attempts and ultimately granting access to Storm-0216.
The disclosure comes just days after Arctic Wolf disclosed another set of Cactus ransomware attacks that are actively exploiting critical vulnerabilities in a data analytics platform called Click Sense to gain access to corporate networks.
It also follows the discovery of a new macOS ransomware strain called Turtle that is written in the Go programming language and signed with an adhoc signature, which prevents it from executing on launch due to Gatekeeper protections.