DanaBot Trojan Deploying Cactus Ransomware

Microsoft has uncovered ongoing malvertising attacks that use the DanaBot Trojan to deploy the CACTUS ransomware. Microsoft attributed the campaign to the ransomware operator Storm-0216.

Storm-0216 has historically relied on Qakbot malware for initial access, but switched to other malware families after the takedown of the Qakbot infrastructure.

Microsoft researchers noticed that the threat actors employed a private version of the DanaBot info-stealer rather than the malware-as-a-service offering.


“Danabot collects user credentials and other info that it sends to command and control, followed by lateral movement via RDP sign-in attempts, eventually leading to a handoff to Storm-0216,” reads a post on X published by the Microsoft Threat Intelligence team.

DanaBot is a multi-stage modular banking Trojan written in Delphi that first appeared on the threat landscape in 2018. The malware implements a modular structure that allows operators to support new functionalities by adding new plug-ins.

The DanaBot banking Trojan initially targeted users in Australia and Poland, and then expanded to other countries, including Italy, Germany, Austria, and, as of September 2018, Ukraine. In December, experts dissected one of the samples used in a series of attacks against Italian users.

Per Microsoft, the threat actor has also taken advantage of initial access provided by QakBot infections. The shift to DanaBot is therefore likely a consequence of the coordinated law enforcement operation in August 2023 that took down QakBot’s infrastructure.

The malicious code continues to evolve, and experts have observed several campaigns targeting users in Australia, North America, and Europe.


In the latest attack, the malicious code was spotted transmitting stolen credentials to an actor-controlled server. The operators then performed lateral movement via RDP sign-in attempts and ultimately attempted to deploy the CACTUS ransomware.
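The RDP sign-in fan-out that precedes the ransomware handoff is the one stage of this chain a defender can see in ordinary Windows logon telemetry. The script below is an added example, not code from Microsoft or from this article: it runs a simple fan-out detection over constructed Windows Security log records in the shape of events 4624 (successful logon) and 4625 (failed logon) with LogonType 10 (RemoteInteractive, i.e. RDP). The source host names, user names, the 10-minute window and the three-target threshold are all assumptions chosen for illustration.

```python
"""Flag a source host that attempts RDP sign-ins to several distinct hosts in a
short window, the lateral-movement pattern described in the article.
Added example; the event records are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10          # Windows LogonType 10 = RemoteInteractive (RDP)
LOGON_EVENT_IDS = {4624, 4625}  # successful / failed logon

# Constructed sample records (assumed host and user names), not real logs.
SAMPLE_EVENTS = [
    # WS-017 sprays RDP at three servers within five minutes, mixing accounts
    {"time": "2023-11-20T09:00:01", "event_id": 4625, "logon_type": 10, "src": "WS-017", "dst": "FS-01", "user": "jdoe"},
    {"time": "2023-11-20T09:00:09", "event_id": 4625, "logon_type": 10, "src": "WS-017", "dst": "FS-01", "user": "jdoe"},
    {"time": "2023-11-20T09:02:30", "event_id": 4625, "logon_type": 10, "src": "WS-017", "dst": "DC-01", "user": "svc_backup"},
    {"time": "2023-11-20T09:05:12", "event_id": 4624, "logon_type": 10, "src": "WS-017", "dst": "APP-02", "user": "svc_backup"},
    # A network (type 3) logon from the same host is not RDP and is ignored
    {"time": "2023-11-20T09:06:00", "event_id": 4624, "logon_type": 3, "src": "WS-017", "dst": "PRINT-01", "user": "jdoe"},
    # An admin jump host with two RDP sessions 90 minutes apart: benign
    {"time": "2023-11-20T09:00:00", "event_id": 4624, "logon_type": 10, "src": "ADMIN-JUMP", "dst": "FS-01", "user": "it_admin"},
    {"time": "2023-11-20T10:30:00", "event_id": 4624, "logon_type": 10, "src": "ADMIN-JUMP", "dst": "DC-01", "user": "it_admin"},
]


def rdp_fanout(events, window=timedelta(minutes=10), min_targets=3):
    """Return {src: finding} for every source host whose RDP logon events
    (4624/4625, LogonType 10) reach at least `min_targets` distinct
    destination hosts inside any `window`-long span. Each finding records
    the targets, the accounts used and the failed/successful counts."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] in LOGON_EVENT_IDS and e["logon_type"] == RDP_LOGON_TYPE:
            by_src[e["src"]].append((datetime.fromisoformat(e["time"]), e))

    findings = {}
    for src, items in by_src.items():
        items.sort(key=lambda x: x[0])
        best = None
        # Slide a window that starts at each event in turn; keep the widest fan-out
        for i, (t0, _) in enumerate(items):
            in_window = [e for t, e in items[i:] if t - t0 <= window]
            targets = {e["dst"] for e in in_window}
            if len(targets) >= min_targets and (best is None or len(targets) > len(best["targets"])):
                best = {
                    "start": t0.isoformat(),
                    "targets": targets,
                    "users": {e["user"] for e in in_window},
                    "failed": sum(1 for e in in_window if e["event_id"] == 4625),
                    "succeeded": sum(1 for e in in_window if e["event_id"] == 4624),
                }
        if best is not None:
            findings[src] = best
    return findings


if __name__ == "__main__":
    for src, f in rdp_fanout(SAMPLE_EVENTS).items():
        print(f"{src}: {len(f['targets'])} RDP targets from {f['start']} "
              f"({f['failed']} failed, {f['succeeded']} succeeded), "
              f"accounts={sorted(f['users'])}, hosts={sorted(f['targets'])}")
```

The mix of failed and successful logons under more than one account from a single workstation is the signal worth alerting on; a jump host that opens sessions hours apart stays below the threshold. Tune the window and target count to the environment, and pair the alert with the preceding credential-theft stage (unexpected outbound traffic from the same workstation) to cut false positives from legitimate administrators.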
