Cybercriminals known as Twisted Spider (AKA Storm-0216) were observed using the services of Storm-1044, which infected target endpoints with an initial access trojan called DanaBot. Twisted Spider would then use this access to deploy the CACTUS ransomware.
In a Twitter thread, Microsoft security researchers said Storm-0216 was known for leveraging QakBot’s infrastructure for infections, but since law enforcement dismantled this operation last summer, the group was forced to pivot to a different platform.
“The current Danabot campaign, first observed in November, appears to be using a private version of the info-stealing malware instead of the malware-as-a-service offering,” the company explained. Microsoft added that DanaBot offered hands-on-keyboard activity to its partners.
Encrypting itself
Once the Storm-1044 group steals the necessary login credentials, they would move laterally across the network and throughout endpoints via RDP sign-in attempts. After initial access had been established, the group would hand it over to Twisted Spider, who would then infect the endpoints with the CACTUS ransomware.
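The hand-off described above leaves a recognisable trace in Windows Security logs: one stolen account opening RDP sessions (event 4624, logon type 10) to many hosts in a short window, often alongside bursts of failed RDP logons (event 4625) from the same source. The following is an added example, not code from the article or from Microsoft's research; it assumes the events have already been exported as dictionaries with the fields shown, and the sample events, hostnames, users and IP addresses are constructed for illustration.

```python
"""Flag RDP lateral-movement patterns in exported Windows Security events.

Added example, not from the article. Assumes each event is a dict with
ts, event_id, logon_type, user, src_ip and host; all sample data is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, event_id, user, src_ip, host):
    """Build one RDP (logon type 10) event record; helper for the sample data."""
    return {"ts": ts, "event_id": event_id, "logon_type": 10,
            "user": user, "src_ip": src_ip, "host": host}


# Constructed sample events. 4624 = successful logon, 4625 = failed logon.
SAMPLE_EVENTS = [
    # One account fanning out over RDP to four hosts in under ten minutes.
    ev("2023-11-20T02:00:05", 4624, "svc_backup", "10.0.0.15", "FS01"),
    ev("2023-11-20T02:03:40", 4624, "svc_backup", "10.0.0.15", "FS02"),
    ev("2023-11-20T02:05:12", 4624, "svc_backup", "10.0.0.15", "SQL01"),
    ev("2023-11-20T02:08:51", 4624, "svc_backup", "10.0.0.15", "DC01"),
    # A burst of failed RDP logons from the same source against the DC.
    ev("2023-11-20T02:01:00", 4625, "administrator", "10.0.0.15", "DC01"),
    ev("2023-11-20T02:01:20", 4625, "administrator", "10.0.0.15", "DC01"),
    ev("2023-11-20T02:01:40", 4625, "administrator", "10.0.0.15", "DC01"),
    ev("2023-11-20T02:02:00", 4625, "administrator", "10.0.0.15", "DC01"),
    ev("2023-11-20T02:02:20", 4625, "administrator", "10.0.0.15", "DC01"),
    # Benign noise: a user mistyping a password, then logging in to one host.
    ev("2023-11-20T09:14:00", 4625, "alice", "10.0.1.22", "WS-ALICE"),
    ev("2023-11-20T09:15:00", 4624, "alice", "10.0.1.22", "WS-ALICE"),
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def rdp_fanout(events, window=timedelta(minutes=30), min_hosts=3):
    """Return {(user, src_ip): sorted hosts} for principals that opened RDP
    sessions to at least `min_hosts` distinct hosts within `window`."""
    by_key = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 10:
            by_key[(e["user"], e["src_ip"])].append((parse_ts(e["ts"]), e["host"]))
    hits = {}
    for key, logons in by_key.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            # Distinct hosts reached in the window starting at this logon.
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[key] = sorted(hosts)
                break
    return hits


def rdp_failure_burst(events, window=timedelta(minutes=10), min_failures=5):
    """Return {src_ip: peak failure count} for sources with at least
    `min_failures` failed RDP logons inside any `window`-long span."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 10:
            by_src[e["src_ip"]].append(parse_ts(e["ts"]))
    hits = {}
    for src, times in by_src.items():
        times.sort()
        peak = 0
        for i, t0 in enumerate(times):
            peak = max(peak, sum(1 for t in times[i:] if t - t0 <= window))
        if peak >= min_failures:
            hits[src] = peak
    return hits


if __name__ == "__main__":
    for (user, src), hosts in rdp_fanout(SAMPLE_EVENTS).items():
        print(f"RDP fan-out: {user} from {src} -> {', '.join(hosts)}")
    for src, n in rdp_failure_burst(SAMPLE_EVENTS).items():
        print(f"RDP failure burst: {n} failed logons from {src}")
```

Both thresholds are deliberately conservative defaults; in a real estate they should be tuned against a baseline of known administrative jump hosts and backup accounts, which otherwise produce the same fan-out shape. The two checks are complementary: a stolen credential that works everywhere produces fan-out without failures, while guessing against accounts that the credential does not cover produces the failure burst.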
It seems that CACTUS is quickly becoming the go-to choice for many ransomware operators. Last week, researchers from Arctic Wolf warned that hackers abused three vulnerabilities in the Qlik Sense data analytics solution to deploy this particular variant and steal sensitive company data.
In May, Kroll’s researchers discovered that the ransomware had a unique method of evading cybersecurity protections: “CACTUS essentially encrypts itself, making it harder to detect and helping it evade antivirus and network monitoring tools,” Laurie Iacono, Associate Managing Director for Cyber Risk at Kroll, told Bleeping Computer.
CACTUS is a relatively new entrant in the ransomware game, first spotted in March this year. It follows the usual modus operandi: stealing sensitive data and encrypting systems, then demanding payment in cryptocurrency in exchange for the decryption key and for keeping the data private.