The warning comes directly from Microsoft: through its official channels, in fact, the IT giant has reported a massive campaign malvertising through which, with the help of trojan Danabotthe fearful thing is spread ransomware Cactus and his “colleague” Storm-0216.
The campaign, identified last month, uses a modified version of Danabot. In this sense, the malicious agent does not behave like a MaaS (Malware-as-a-Service) exhibiting anomalous behavior. The trojan we are talking about usually operates in the banking context, although it presents itself as modular malware. This last feature, in fact, also makes it adaptable to different contexts, as well as being easily updateable.
Written in Delphi, Danabot was first identified and cataloged in 2018. During its first months of activity, the trojan focused on victims residing in Australia and Poland, before expanding and reaching other countries, including ‘Europe.
The current Danabot campaign, first observed in November, appears to be using a private version of the info-stealing malware instead of the malware-as-a-service offering.
— Microsoft Threat Intelligence (@MsftSecIntel) December 1, 2023
Microsoft reports a new, very dangerous cybercriminal operation
Per Microsoft Threat Intelligence “Danabot collects user credentials and other information that it sends to command and control, followed by lateral movement via RDP login attempts, ultimately leading to a move to Storm-0216“.
Storm-0216 is a ransomware that was previously spread by malware Qakbot. Following the removal of the infrastructure that managed this malicious agent, Storm-0216 appears to have been “adopted” by Danabot for its spread. Finally, it should be remembered that, in this context, the Cactus ransomware is also promoted, another emerging threat that has been gaining attention in recent times.
At the top of this operation, however, remains a clever abuse of advertising. The phenomenon, known as malvertising, is increasingly widespread and worrying. In this sense, users must always be careful about advertisements, even when they are offered by theoretically safe services such as Google or platforms Meta.