Microsoft has warned of a new wave of CACTUS ransomware attacks [1] [2] that use malvertising lures to deliver DanaBot as the initial access vector [1] [2] [4]. Once DanaBot has a foothold, the intrusion is handed off to the ransomware operator Storm-0216 [1] [2] [4], also tracked as Twisted Spider and UNC2198 [2] [3].

Description

DanaBot is a multi-purpose loader in the same mould as Emotet, TrickBot [1] [4], QakBot [1] [4] and IcedID [4]: it works both as an information stealer and as an entry point for follow-on payloads. Storm-0216 (UNC2198) [1] [2] [3] [4] has previously used IcedID infections in the same role, deploying ransomware families such as Maze and Egregor from them [1] [4]. The current DanaBot campaign uses a private build of the stealer rather than the malware-as-a-service offering [1] [4], so detections keyed to the commodity version's indicators may not fire.

Separately, CACTUS ransomware operators have been reported exploiting vulnerabilities in the Qlik Sense data analytics platform to gain initial access [3]. A new macOS ransomware strain called Turtle [1], written in Go, has also been discovered [1] [4]. It carries only an ad-hoc code signature [4]; an ad-hoc signature has no Apple-issued identity behind it and does not satisfy Gatekeeper, so on a default-configured Mac the sample would be blocked rather than run unless the user overrides the Gatekeeper prompt.

The CACTUS operators therefore have two initial-access routes into corporate networks: exploitation of the Qlik Sense vulnerabilities [3], and DanaBot delivered through malvertising [3]. Microsoft has observed DanaBot infections that ended in CACTUS deployment [3]. In that chain, DanaBot harvests user credentials and other host information [3]; the stolen credentials are then used for lateral movement via RDP sign-in attempts against other machines [3] [4], and the intrusion is handed off to Storm-0216 (Twisted Spider, UNC2198) for the ransomware stage [3]. Storm-0216 has been linked to the Maze cartel and has previously deployed Maze and Egregor ransomware [3]. The RDP phase is the most observable step from a defender's standpoint: one compromised workstation authenticating (or failing to authenticate) over RDP to several servers in a short window is not normal user behaviour and can be alerted on from Windows Security logon events alone.
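The detection logic sketched above, as an added example that is not part of the original page or of any Microsoft tooling. It walks Windows Security events 4624 (logon success) and 4625 (logon failure) with LogonType 10 (RemoteInteractive, i.e. RDP) and flags any source IP whose RDP sign-in attempts reach several distinct hosts inside a short window, which is the pattern the DanaBot-to-CACTUS hand-off produces. The log lines, the key=value export format, the field names (`host`, `EventID`, `LogonType`, `TargetUserName`, `IpAddress`) and the thresholds are all constructed assumptions for the example; map them to your own SIEM's schema.

```python
"""Added example: flag RDP sign-in fan-out from a single source host.

Windows Security events 4624/4625 with LogonType 10 are RDP logons. A source
IP that reaches >= min_targets distinct hosts within `window` is reported,
together with how many of those attempts failed and which accounts were tried.
The sample log below is constructed for this example, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample export (assumption: one event per line, ISO timestamp
# followed by space-separated key=value fields).
SAMPLE_LOG = """\
2023-12-01T09:58:10Z host=WS-FINANCE-07 EventID=4624 LogonType=2 TargetUserName=jdoe IpAddress=127.0.0.1
2023-12-01T10:00:01Z host=SRV-FILE-01 EventID=4625 LogonType=10 TargetUserName=jdoe IpAddress=10.0.5.23
2023-12-01T10:00:04Z host=SRV-FILE-01 EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=10.0.5.23
2023-12-01T10:01:12Z host=SRV-SQL-02 EventID=4625 LogonType=10 TargetUserName=svc_backup IpAddress=10.0.5.23
2023-12-01T10:02:40Z host=DC-01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=10.0.5.23
2023-12-01T10:03:05Z host=SRV-APP-03 EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=10.0.5.23
2023-12-01T10:03:30Z host=SRV-APP-04 EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=10.0.5.23
2023-12-01T10:05:00Z host=SRV-FILE-01 EventID=4624 LogonType=10 TargetUserName=helpdesk IpAddress=10.0.9.14
2023-12-01T11:30:00Z host=SRV-SQL-02 EventID=4624 LogonType=10 TargetUserName=helpdesk IpAddress=10.0.9.14
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one export line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(tok.split("=", 1) for tok in m.group("kv").split())
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    rec["EventID"] = int(rec["EventID"])
    rec["LogonType"] = int(rec["LogonType"])
    return rec


def rdp_events(text):
    """Yield only RDP (LogonType 10) success/failure events."""
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["EventID"] in (4624, 4625) and rec["LogonType"] == 10:
            yield rec


def find_rdp_fanout(text, min_targets=3, window=timedelta(minutes=10)):
    """Return {source_ip: summary} for sources whose RDP attempts reach
    min_targets distinct hosts within `window` (first qualifying window wins)."""
    by_src = defaultdict(list)
    for rec in rdp_events(text):
        by_src[rec["IpAddress"]].append(rec)

    hits = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until the span fits inside `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            targets = {r["host"] for r in span}
            if len(targets) >= min_targets:
                hits[src] = {
                    "first_seen": recs[start]["ts"],
                    "targets": sorted(targets),
                    "users": sorted({r["TargetUserName"] for r in span}),
                    "failures": sum(1 for r in span if r["EventID"] == 4625),
                }
                break
    return hits


if __name__ == "__main__":
    for src, info in find_rdp_fanout(SAMPLE_LOG).items():
        print(f"{src}: {len(info['targets'])} hosts from {info['first_seen']:%H:%M:%S}, "
              f"{info['failures']} failures, accounts {info['users']}")
```

On the constructed log only 10.0.5.23 trips the rule: it touches three distinct servers within three minutes, with three failed attempts across three different accounts, which is the credential-spraying shape described above. The helpdesk host 10.0.9.14 reaches only two servers, an hour and a half apart, and stays quiet. Tune `min_targets` and `window` against jump hosts and admin workstations that legitimately fan out over RDP, or exclude them by source IP.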

Conclusion

The practical takeaways follow directly from the two intrusion chains described above. Patch internet-facing Qlik Sense deployments, since that platform is a confirmed initial-access route for CACTUS. For the DanaBot route, reduce exposure to malvertising (ad filtering, blocking downloads of installers from ad-served links) and, more importantly, monitor and constrain RDP: alert on a workstation authenticating over RDP to multiple servers in a short window, keep RDP off untrusted segments, and treat credentials on any DanaBot-infected host as compromised. Because the campaign uses a private DanaBot build, do not rely on indicators for the commodity version alone. Turtle is a reminder that macOS fleets are in scope for ransomware, but its ad-hoc signature means Gatekeeper blocks it on default settings; the risk lies with users who are allowed to override that prompt, which is a policy you can enforce.

References

[1] https://virtualattacks.com/microsoft-issues-a-warning-about-an-ad-campaign-that-spreads-cactus-ransomware/
[2] https://cyber.vumetric.com/security-news/2023/12/04/microsoft-warns-of-malvertising-scheme-spreading-cactus-ransomware/
[3] https://www.bankinfosecurity.com/cactus-ransomware-using-qlik-bugs-danabot-in-latest-attacks-a-23744
[4] https://thehackernews.com/2023/12/microsoft-warns-of-malvertising-scheme.html