Microsoft has recently raised an alarm over a surge in CACTUS ransomware attacks that use malvertising to deliver DanaBot as the initial access vector. The DanaBot infections lead to hands-on-keyboard activity by the ransomware operator tracked as Storm-0216 (also known as Twisted Spider or UNC2198), which ultimately results in the deployment of CACTUS ransomware. The Microsoft Threat Intelligence team shared this information in a series of posts on X (formerly Twitter).
DanaBot, tracked by Microsoft as Storm-1044, is a multi-functional tool comparable in capability to Emotet, TrickBot, QakBot, and IcedID: it can act both as an information stealer and as an entry point for follow-on payloads. UNC2198 has a history of infecting endpoints with IcedID to deploy ransomware families such as Maze and Egregor, as reported by Mandiant, a subsidiary of Google, in February 2021. According to Microsoft, the threat actor has also exploited initial access obtained through QakBot infections. The current shift towards DanaBot is likely a consequence of the coordinated law enforcement operation in August 2023 that dismantled QakBot's infrastructure.
The ongoing DanaBot campaign, first observed in November, appears to use a private version of the information-stealing malware rather than the malware-as-a-service offering, according to Microsoft. The malware transmits the harvested credentials to an actor-controlled server. This is followed by lateral movement through RDP sign-in attempts, eventually handing access over to Storm-0216.
Microsoft's announcement comes shortly after Arctic Wolf disclosed another series of CACTUS ransomware attacks that actively exploit critical vulnerabilities in the Qlik Sense data analytics platform to gain entry into corporate networks. Separately, a new macOS ransomware strain named Turtle has been discovered. It is written in the Go programming language and carries only an ad hoc code signature, which means Gatekeeper protections prevent it from running when launched.