Microsoft Warns of Malvertising Scheme Spreading CACTUS Ransomware

Microsoft Warns of Malvertising Scheme Spreading CACTUS Ransomware

Microsoft has warned of a new wave of CACTUS ransomware attacks that leverage malvertising lures to deploy DanaBot as an initial access vector.

The DanaBot infections led to “hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of CACTUS ransomware,” the Microsoft Threat Intelligence team said in a series of posts on X (formerly Twitter).

DanaBot, tracked by the tech giant as Storm-1044, is a multi-functional tool along the lines of Emotet, TrickBot, QakBot, and IcedID that’s capable of acting as a stealer and a point of entry for next-stage payloads.

Per Microsoft, the threat actor has also taken advantage of initial access provided by QakBot infections. The shift to DanaBot, therefore, is likely the result of a coordinated law enforcement operation in August 2023 that took down QakBot’s infrastructure.

“The current Danabot campaign, first observed in November, appears to be using a private version of the info-stealing malware instead of the malware-as-a-service offering,” Redmond further noted.

The disclosure comes days after Arctic Wolf revealed another set of CACTUS ransomware attacks that are actively exploiting critical vulnerabilities in a data analytics platform called Qlik Sense to gain access to corporate networks.

It also follows the discovery of a new macOS ransomware strain dubbed Turtle that’s written in the Go programming language and is signed with an adhoc signature, thereby preventing it from being executed upon launch due to Gatekeeper protections.