Microsoft recently warned of a resurgence of CACTUS ransomware attacks spread through malvertising lures, likely perpetrated by the ransomware operator UNC2198 (aka Twisted Spider, Storm-0216). UNC2198 used this vector to deploy the DanaBot malware.
- DanaBot is a tool capable of stealing credentials and serving as an entry point for further payloads. It is similar to Emotet, IcedID, QakBot, and other multi-functional cybercrime tools. UNC2198 currently uses a custom version of the malware instead of the malware-as-a-service product.
- According to Mandiant, UNC2198 previously infected targets with IcedID to deploy next-stage ransomware families. Microsoft also noted that UNC2198 previously used QakBot to provide initial access to compromised systems. The threat actor’s switch to DanaBot in November was likely due to law enforcement actions that took down QakBot’s infrastructure in August 2023.
Read More:
https://thehackernews.com/2023/12/microsoft-warns-of-malvertising-scheme.html