Pierluigi Paganini
December 04, 2023
Microsoft uncovered ongoing malvertising attacks using the DanaBot Trojan (Storm-1044) to deploy the CACTUS ransomware. Microsoft the campaign to the ransomware operator Storm-0216 (Twisted Spider, UNC2198).
Storm-0216 has historically used Qakbot malware for initial access, but has switched to other malware for initial access after the takedown of the Qakbot infrastructure.
The current Danabot campaign was first spotted in November, Microsoft researchers noticed that the threat actors employed a private version of the popular info-stealing malware instead of the malware-as-a-service offering.
“Danabot collects user credentials and other info that it sends to command and control, followed by lateral movement via RDP sign-in attempts, eventually leading to a handoff to Storm-0216.” reads a post on X published by Microsoft Threat Intelligence team.
Danabot collects user credentials and other info that it sends to command and control, followed by lateral movement via RDP sign-in attempts, eventually leading to a handoff to Storm-0216.
— Microsoft Threat Intelligence (@MsftSecIntel) December 1, 2023
DanaBot is a multi-stage modular banking Trojan written in Delphi that first appeared on the threat landscape in 2018. The malware implements a modular structure that allows operators to support new functionalities by adding new plug-ins.
The DanaBot banking Trojan initially targeted Australia and Poland users, then it has expanded in other countries, including Italy, Germany, Austria, and as of September 2018, Ukraine. In December, experts at Cybaze ZLab detected a series of attacks against Italian users and dissected one of the samples used in the attacks.
The malicious code continues to evolve, experts observed several campaigns targeting users in Australia, North America, and Europe.
In the latest wave of attacks observed in November, the malicious code was spotted transmitting stolen credentials to an actor-controlled server. Then operators performed lateral movement via RDP sign-in attempts and ultimately attempted to deploy the CACTUS ransomware.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CACTUS ransomware)
