Cybersecurity Breach: Twisted Spider Hijacks Systems with CACTUS Ransomware via DanaBot Trojan

The cybercriminal group known as Twisted Spider, also referred to as Storm-0216, has been observed utilizing the services of another group, Storm-1044. This collaboration has resulted in the infection of target systems with an initial access trojan named DanaBot. Following the successful breach, Twisted Spider proceeds to deploy the CACTUS ransomware.

According to Microsoft security experts sharing insights in a series of Tweets, Storm-0216 previously relied on the QakBot infrastructure for disseminating malware. However, with law enforcement dismantling QakBot's network last summer, the group had to transition to an alternate mechanism.

Microsoft reported that the recent DanaBot campaign, which came to their attention in November, appears to employ a specialized, non-commercial variant of the info-stealing trojan. They noted that DanaBot grants its affiliates the ability to perform hands-on-keyboard activity on the compromised systems.

As for Storm-1044, once its operators have obtained a victim's login credentials, they are known to move through the network, attempting to sign in to other endpoints via Remote Desktop Protocol (RDP). Once this initial foothold is established, they hand control over to Twisted Spider, which then proceeds to deploy the CACTUS ransomware across the systems.
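The hand-off described above leaves a characteristic trace: one set of stolen credentials producing RDP sign-ins to many hosts in a short time. The following is an added example, not code from the article, Microsoft, or any of the named vendors, of a simple heuristic a defender can run over Windows Security event 4624 (successful logon) records to surface that fan-out pattern. Logon type 10 (RemoteInteractive) is the RDP logon type; the window, the host threshold, and every event record are constructed sample values chosen for illustration.

```python
"""
Added example: a small heuristic detector for the lateral-movement pattern
where one account is used to sign in over RDP to many endpoints quickly.

Input is a list of Windows Security event 4624 records reduced to the fields
a SIEM would typically retain. Logon type 10 is RemoteInteractive (RDP).
All event records below are constructed sample data, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events:
# (timestamp, account, source_ip, destination_host, logon_type)
SAMPLE_EVENTS = [
    ("2023-11-10T09:00:00", "svc_backup", "10.0.5.21", "FS01", 10),
    ("2023-11-10T09:02:00", "svc_backup", "10.0.5.21", "FS02", 10),
    ("2023-11-10T09:03:30", "svc_backup", "10.0.5.21", "APP03", 10),
    ("2023-11-10T09:05:00", "svc_backup", "10.0.5.21", "DC01", 10),
    ("2023-11-10T09:06:00", "svc_backup", "10.0.5.21", "SQL01", 10),
    ("2023-11-10T09:01:00", "jsmith", "10.0.7.40", "WS-JSMITH", 2),  # console logon
    ("2023-11-10T09:30:00", "jsmith", "10.0.7.40", "FS01", 10),
    ("2023-11-10T14:00:00", "jsmith", "10.0.7.40", "FS02", 10),
]

RDP_LOGON_TYPE = 10  # Windows logon type "RemoteInteractive"


def parse_event(rec):
    """Turn one constructed tuple into a dict with a parsed timestamp."""
    ts, account, src, dst, ltype = rec
    return {
        "time": datetime.fromisoformat(ts),
        "account": account,
        "src": src,
        "dst": dst,
        "logon_type": ltype,
    }


def find_rdp_fanout(events, window=timedelta(minutes=30), min_hosts=4):
    """
    Return {account: sorted list of hosts} for every account that logged in
    over RDP to at least `min_hosts` distinct hosts within any `window`.
    Non-RDP logons (console, network, service) are ignored so that ordinary
    workstation use does not inflate the count.
    """
    by_account = defaultdict(list)
    for e in events:
        if e["logon_type"] == RDP_LOGON_TYPE:
            by_account[e["account"]].append(e)

    hits = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        # Sliding window over the time-sorted RDP logons for this account.
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            hosts = {e["dst"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                hits[account] = sorted(hosts | set(hits.get(account, [])))
    return hits


if __name__ == "__main__":
    parsed = [parse_event(r) for r in SAMPLE_EVENTS]
    for account, hosts in find_rdp_fanout(parsed).items():
        print(f"RDP fan-out from account {account}: {', '.join(hosts)}")
```

In the constructed data, `svc_backup` reaches five hosts over RDP in six minutes and is flagged, while `jsmith`'s two RDP logons hours apart are not. The threshold and window are deliberately crude; in practice they would be tuned per environment and combined with context such as whether the account is a service account that should never log in interactively.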

Researchers at Arctic Wolf also pointed out that the adoption of CACTUS ransomware is on the rise among cybercriminals. They have highlighted instances where attackers exploited three specific flaws in the Qlik Sense data analytics platform to circulate the ransomware and exfiltrate corporate data.

Kroll's cybersecurity experts revealed in May that CACTUS ransomware has an innovative approach to staying under the radar of security measures. Kroll's Laurie Iacono described to Bleeping Computer how CACTUS encrypts its own binary, making it significantly harder for antivirus programs and network security tools to spot.

CACTUS emerged on the ransomware scene in March of the same year. It adheres to the typical ransomware strategy—stealing sensitive information and encrypting files—in order to demand ransom payments in digital currency for decryption keys and to prevent stolen data from being leaked.