Tag

Unc2198

All articles tagged with #unc2198

Twisted Spider Group Launches Malvertising Scheme Spreading CACTUS Ransomware, Microsoft Warns

Originally Published 2 years ago — by The Hacker News

Source: The Hacker News

Microsoft has issued a warning about a new wave of CACTUS ransomware attacks that use malvertising to distribute DanaBot as an initial access vector. The DanaBot infections have been linked to the ransomware operator Storm-0216 (Twisted Spider, UNC2198), resulting in the deployment of CACTUS ransomware. DanaBot is a versatile tool capable of stealing information and serving as an entry point for subsequent attacks. The threat actor has also exploited QakBot infections for initial access. The shift to DanaBot is likely due to a coordinated law enforcement operation that dismantled QakBot's infrastructure. The current DanaBot campaign uses a private version of the info-stealing malware. The stolen credentials are sent to a server controlled by the actor, who then gains access through RDP sign-in attempts and transfers control to Storm-0216. This warning follows recent reports of CACTUS ransomware attacks exploiting vulnerabilities in Qlik Sense and the discovery of a new macOS ransomware called Turtle.