CACTUS Ransomware spikes in targeted networks thanks to malicious ads

The Twisted Spider group is actively using the DanaBot Trojan as a delivery channel for its malware.

Microsoft has reported a new wave of CACTUS ransomware attacks in which malicious advertising (malvertising) is used to deploy the DanaBot tool as the initial access vector.

Just days earlier, Arctic Wolf described a related campaign in which attackers exploited vulnerabilities in the Qlik Sense business intelligence platform to gain a foothold in target environments and deploy CACTUS ransomware, but the two incidents differ more than it may seem at first glance.

Microsoft Threat Intelligence notes that infections with DanaBot, a multifunctional tool that can act as both an infostealer and a backdoor, were followed by hands-on activity by the Storm-0216 group (also tracked as Twisted Spider and UNC2198), which in turn led to the deployment of the CACTUS ransomware. The company reported this in a series of posts on X (formerly Twitter).

DanaBot plays a role similar to that of tools such as Emotet, TrickBot, QakBot, and IcedID. Storm-0216 had previously been observed using IcedID to deploy the Maze and Egregor ransomware families, as Mandiant detailed in February 2021.

According to Microsoft, Storm-0216 has also relied in the past on initial access provided by QakBot. The operational switch to DanaBot is likely tied to the coordinated law enforcement operation in August 2023 that took down the QakBot infrastructure.

Credentials harvested by DanaBot are sent to an attacker-controlled server; this is followed by lateral movement via RDP sign-in attempts and, finally, deployment of the ransomware and encryption of data.

The new wave of attacks by Storm-0216 shows how readily attackers adapt when one tool is taken away, replacing it with another such as DanaBot. Companies need to keep their defenses up to date and track the latest threats to protect their data.

Vigilance and a proactive approach to cybersecurity are the only reliable way to counter the increasingly sophisticated attacks of cybercriminals.
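The chain described above (stolen credentials, then RDP sign-in attempts against many internal hosts before encryption) leaves a recognizable trace in Windows Security logs. The following is an added detection example written for this post; it is not code from Microsoft, Arctic Wolf, or the original article. It runs over a constructed sample of logon records (event IDs 4624/4625 with LogonType 10, the RemoteInteractive type used by RDP) and flags any source address that attempts RDP sign-ins to several distinct hosts within a short window. Field names, hostnames, addresses and timestamps are all invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records, not real telemetry.
# event_id 4624 = successful logon, 4625 = failed logon.
# logon_type 10 = RemoteInteractive (RDP); logon_type 3 = network logon (SMB etc.).
SAMPLE_EVENTS = [
    # Normal user working on one file server all morning.
    {"time": "2023-11-20T09:01:10", "event_id": 4624, "logon_type": 10, "src_ip": "10.0.5.23", "target_host": "FS01", "user": "jdoe"},
    {"time": "2023-11-20T09:58:02", "event_id": 4624, "logon_type": 10, "src_ip": "10.0.5.23", "target_host": "FS01", "user": "jdoe"},
    # Backup service touching many hosts over the network: not RDP, must be ignored.
    {"time": "2023-11-20T10:12:00", "event_id": 4624, "logon_type": 3, "src_ip": "10.0.3.4", "target_host": "FS01", "user": "svc_backup"},
    {"time": "2023-11-20T10:12:05", "event_id": 4624, "logon_type": 3, "src_ip": "10.0.3.4", "target_host": "DC01", "user": "svc_backup"},
    {"time": "2023-11-20T10:12:06", "event_id": 4624, "logon_type": 3, "src_ip": "10.0.3.4", "target_host": "APP02", "user": "svc_backup"},
    # Admin doing routine RDP work, three hosts spread over two hours: below the fan-out threshold.
    {"time": "2023-11-20T10:30:00", "event_id": 4624, "logon_type": 10, "src_ip": "10.0.9.9", "target_host": "FS01", "user": "admin"},
    {"time": "2023-11-20T11:35:00", "event_id": 4624, "logon_type": 10, "src_ip": "10.0.9.9", "target_host": "APP02", "user": "admin"},
    {"time": "2023-11-20T12:40:00", "event_id": 4624, "logon_type": 10, "src_ip": "10.0.9.9", "target_host": "DC01", "user": "admin"},
    # Compromised workstation: RDP attempts (failures and successes) to four hosts in under four minutes.
    {"time": "2023-11-20T13:02:11", "event_id": 4625, "logon_type": 10, "src_ip": "10.0.7.41", "target_host": "FS01", "user": "administrator"},
    {"time": "2023-11-20T13:02:40", "event_id": 4625, "logon_type": 10, "src_ip": "10.0.7.41", "target_host": "DC01", "user": "administrator"},
    {"time": "2023-11-20T13:03:15", "event_id": 4624, "logon_type": 10, "src_ip": "10.0.7.41", "target_host": "APP02", "user": "administrator"},
    {"time": "2023-11-20T13:05:52", "event_id": 4624, "logon_type": 10, "src_ip": "10.0.7.41", "target_host": "HR03", "user": "administrator"},
]

RDP_LOGON_TYPE = 10
LOGON_EVENT_IDS = (4624, 4625)  # count attempts, not only successes


def rdp_fanout(events, window_minutes=10, min_hosts=3):
    """Return {src_ip: sorted list of target hosts} for every source that made RDP
    sign-in attempts (successful or failed) against at least `min_hosts` distinct
    hosts within any sliding window of `window_minutes`.

    Failed logons are deliberately included: an operator trying stolen credentials
    across hosts will typically generate 4625s before the first 4624.
    """
    window = timedelta(minutes=window_minutes)
    attempts_by_src = defaultdict(list)
    for e in events:
        if e["event_id"] in LOGON_EVENT_IDS and e["logon_type"] == RDP_LOGON_TYPE:
            attempts_by_src[e["src_ip"]].append((datetime.fromisoformat(e["time"]), e["target_host"]))

    flagged = {}
    for src, attempts in attempts_by_src.items():
        attempts.sort()
        # Slide the window start over each attempt and count distinct hosts inside it.
        for i, (t0, _) in enumerate(attempts):
            hosts = {host for t, host in attempts[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[src] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    for src, hosts in rdp_fanout(SAMPLE_EVENTS).items():
        print(f"RDP fan-out from {src}: {', '.join(hosts)}")
```

The sliding window is what separates the compromised workstation from the admin who legitimately reaches three hosts over two hours; widening `window_minutes` to 180 flags the admin as well, which is the trade-off to tune against your own baseline. In production the same logic would read from a SIEM rather than an inline list, and a hit should be correlated with the DanaBot infection indicators on the source host rather than acted on alone.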