Microsoft has warned of a new wave of CACTUS ransomware attacks that leverage malvertising lures to deploy DanaBot as an initial access vector.
The DanaBot infections led to “hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of CACTUS ransomware,” the Microsoft Threat Intelligence team said in a series of posts on X (formerly Twitter).
DanaBot, tracked by the tech giant as Storm-1044, is a multi-functional tool along the lines of Emotet, TrickBot, QakBot, and IcedID that is capable of acting as a stealer and as a point of entry for next-stage payloads.
UNC2198, for its part, has previously been observed infecting endpoints with IcedID to deploy ransomware families such as Maze and Egregor, as detailed by Google-owned Mandiant in February 2021.
Per Microsoft, the threat actor has also taken advantage of initial access provided by QakBot infections. The shift to DanaBot is likely the result of a coordinated law enforcement operation in August 2023 that took down QakBot’s infrastructure.
“The current Danabot campaign, first observed in November, appears to be using a private version of the info-stealing malware instead of the malware-as-a-service offering,” Redmond further noted.
The credentials harvested by the malware are transmitted to an actor-controlled server, which is followed by lateral movement via RDP sign-in attempts and ultimately a hand-off of access to Storm-0216.
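As an added example (not code from Microsoft's or The Hacker News' reporting), the following hunt flags the RDP sign-in fan-out that follows credential theft in the chain above: one source address attempting remote-interactive logons to several hosts in a short window. Event IDs 4624/4625 and LogonType 10 are real Windows Security log values; the event records and the simplified field names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Modelled loosely on
# Windows Security log fields: 4624 = successful logon, 4625 = failed logon,
# LogonType 10 = RemoteInteractive (RDP). Field names are an assumption.
SAMPLE_EVENTS = [
    {"ts": "2023-11-20T02:11:04", "id": 4625, "logon_type": 10, "user": "j.doe",
     "src_ip": "10.0.5.23", "dst_host": "FS01"},
    {"ts": "2023-11-20T02:11:40", "id": 4624, "logon_type": 10, "user": "j.doe",
     "src_ip": "10.0.5.23", "dst_host": "FS01"},
    {"ts": "2023-11-20T02:15:12", "id": 4624, "logon_type": 10, "user": "j.doe",
     "src_ip": "10.0.5.23", "dst_host": "DC01"},
    {"ts": "2023-11-20T02:22:31", "id": 4625, "logon_type": 10, "user": "j.doe",
     "src_ip": "10.0.5.23", "dst_host": "WS07"},
    # Benign: one admin opening a single RDP session, and a network (type 3) logon.
    {"ts": "2023-11-20T09:30:00", "id": 4624, "logon_type": 10, "user": "a.smith",
     "src_ip": "10.0.9.8", "dst_host": "WS03"},
    {"ts": "2023-11-20T09:31:00", "id": 4624, "logon_type": 3, "user": "svc_backup",
     "src_ip": "10.0.9.9", "dst_host": "FS01"},
    {"ts": "2023-11-20T14:00:00", "id": 4624, "logon_type": 10, "user": "a.smith",
     "src_ip": "10.0.9.8", "dst_host": "WS04"},
]


def rdp_fanout(events, window=timedelta(minutes=30), min_hosts=3):
    """Return {src_ip: sorted distinct hosts} for sources whose RDP sign-in
    attempts (successful or failed) touched >= min_hosts hosts within `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] != 10 or e["id"] not in (4624, 4625):
            continue  # only remote-interactive logon attempts are of interest
        by_src[e["src_ip"]].append((datetime.fromisoformat(e["ts"]), e["dst_host"]))

    alerts = {}
    for src, rows in by_src.items():
        rows.sort()  # chronological order, so each row can open a window
        for i, (start, _) in enumerate(rows):
            hosts = {h for t, h in rows[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts[src] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for src, hosts in rdp_fanout(SAMPLE_EVENTS).items():
        print(f"RDP fan-out from {src}: {', '.join(hosts)}")
```

Tune `window` and `min_hosts` to the environment; jump hosts and scanners used by administrators will need an allow-list.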
The disclosure comes days after Arctic Wolf revealed another set of CACTUS ransomware attacks that are actively exploiting critical vulnerabilities in a data analytics platform called Qlik Sense to gain access to corporate networks.
It also follows the discovery of a new macOS ransomware strain dubbed Turtle that is written in the Go programming language and is signed with an ad-hoc signature, which prevents it from being executed upon launch due to Gatekeeper protections.
Some parts of this article are sourced from:
thehackernews.com