Excerpt from The Hacker News Article, Published on Dec 04, 2023
Microsoft has issued a stark warning regarding a recent surge in CACTUS ransomware attacks, employing malvertising tactics to propagate DanaBot as an initial entry point. The software giant’s Threat Intelligence team disclosed that DanaBot infections triggered direct ransomware activity attributed to the group operating under the moniker Storm-0216, also known as Twisted Spider or UNC2198.
The campaign leverages DanaBot, tracked by Microsoft as Storm-1044, as a multi-purpose tool in the mould of Emotet and TrickBot: it operates both as an information stealer and as a loader for follow-on payloads. UNC2198, previously associated with IcedID and with ransomware families such as Maze and Egregor, has turned to DanaBot since law enforcement dismantled QakBot's infrastructure in August 2023.
The latest campaign involving DanaBot showcases a modified, private iteration of the malware, differing from its previous malware-as-a-service format. Compromised credentials are funneled to actor-controlled servers, facilitating lateral movement via RDP sign-ins and ultimately granting access to Storm-0216.
Microsoft's warning comes amid ongoing CACTUS ransomware attacks, including the exploitation of critical vulnerabilities in Qlik Sense recently highlighted by Arctic Wolf. Separately, a new ransomware variant dubbed Turtle, written in the Go programming language and thwarted by Gatekeeper protections, has been discovered targeting the macOS ecosystem.
These revelations accentuate the escalating sophistication and diversity of cyber threats, urging heightened vigilance and robust security measures among organizations and individuals alike.
To delve deeper into this topic, please read the full article on The Hacker News.