- Aug 17, 2014
Microsoft has warned of a new wave of CACTUS ransomware attacks that leverage malvertising lures to deploy DanaBot as an initial access vector.
The DanaBot infections led to "hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of CACTUS ransomware," the Microsoft Threat Intelligence team said in a series of posts on X (formerly Twitter).
"The current Danabot campaign, first observed in November, appears to be using a private version of the info-stealing malware instead of the malware-as-a-service offering," Redmond further noted.
The credentials harvested by the malware are transmitted to an actor-controlled server; this is followed by lateral movement via RDP sign-in attempts and, ultimately, a handoff of the access to Storm-0216.
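The chain above ends with RDP sign-in attempts made with stolen credentials, which is the step a defender has the best chance of seeing in Windows Security logs. The following is an added example, not code from the article or from Microsoft, that scans logon records for a burst of RDP (logon type 10) sign-in attempts from one source address, counts the distinct accounts tried, and flags a success that follows failures. The event ids (4624/4625) and logon type are the standard Windows values; the records, IP addresses, account names and thresholds are constructed for illustration.

```python
# Added example: spot bursts of RDP sign-in attempts in Windows Security logon records.
# Sample records below are constructed; field layout mirrors events 4624 (successful
# logon) and 4625 (failed logon) with LogonType 10 (RemoteInteractive, i.e. RDP).
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10      # RemoteInteractive
EVENT_LOGON_OK = 4624
EVENT_LOGON_FAIL = 4625

# Constructed sample records: (timestamp, event id, logon type, source ip, account).
# One source tries three accounts, fails six times, then succeeds as svc_backup;
# a second source shows ordinary single-logon activity.
SAMPLE_EVENTS = [
    ("2023-11-21T09:00:01", 4625, 10, "10.0.5.23", "jdoe"),
    ("2023-11-21T09:00:14", 4625, 10, "10.0.5.23", "jdoe"),
    ("2023-11-21T09:00:31", 4625, 10, "10.0.5.23", "admin"),
    ("2023-11-21T09:00:47", 4625, 10, "10.0.5.23", "admin"),
    ("2023-11-21T09:01:05", 4625, 10, "10.0.5.23", "svc_backup"),
    ("2023-11-21T09:01:20", 4625, 10, "10.0.5.23", "svc_backup"),
    ("2023-11-21T09:02:02", 4624, 10, "10.0.5.23", "svc_backup"),
    ("2023-11-21T09:03:00", 4624, 10, "10.0.9.7", "alice"),
    ("2023-11-21T09:04:00", 4624, 2, "10.0.9.7", "alice"),   # console logon, not RDP
]


def parse_event(rec):
    """Turn one raw record tuple into a dict with a real datetime."""
    ts, event_id, logon_type, src_ip, account = rec
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": event_id,
        "logon_type": logon_type,
        "src_ip": src_ip,
        "account": account,
    }


def max_in_window(times, window):
    """Largest number of timestamps falling inside any span of length `window`
    (two-pointer sweep over the sorted list)."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def find_rdp_bursts(records, window=timedelta(minutes=5), threshold=5):
    """Return {source_ip: summary} for sources whose RDP sign-in attempts
    (success or failure) reach `threshold` within any `window`."""
    by_src = defaultdict(list)
    for rec in records:
        ev = parse_event(rec)
        if ev["logon_type"] == RDP_LOGON_TYPE and ev["event_id"] in (EVENT_LOGON_OK, EVENT_LOGON_FAIL):
            by_src[ev["src_ip"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        peak = max_in_window([e["ts"] for e in evs], window)
        if peak < threshold:
            continue
        first_fail = next((e["ts"] for e in evs if e["event_id"] == EVENT_LOGON_FAIL), None)
        # A success that comes after at least one failure from the same source is
        # the pattern worth escalating: a harvested credential that finally worked.
        success_after_fail = first_fail is not None and any(
            e["event_id"] == EVENT_LOGON_OK and e["ts"] > first_fail for e in evs
        )
        findings[src] = {
            "attempts": len(evs),
            "failures": sum(1 for e in evs if e["event_id"] == EVENT_LOGON_FAIL),
            "peak_in_window": peak,
            "accounts": sorted({e["account"] for e in evs}),
            "success_after_failures": success_after_fail,
        }
    return findings


if __name__ == "__main__":
    for src, summary in find_rdp_bursts(SAMPLE_EVENTS).items():
        print(src, summary)
```

The threshold and window are deliberately low so the constructed sample trips the rule; in production they should be tuned against the baseline of legitimate RDP use, and the source address should be joined with the endpoint telemetry that showed the DanaBot infection, since a credential-stuffing burst from a host that recently ran an info-stealer is far more significant than the same burst in isolation.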