Malvertising Campaign Leads to Cactus Ransomware Attack

There are many ways that cybercriminals gain access to business networks, including phishing attacks and exploiting unpatched vulnerabilities. Many businesses now provide security awareness training to employees to improve phishing awareness, but it is also important to teach the workforce about attacks via the Internet from general web browsing, such as malvertising.

Malvertising is the use of malicious adverts that trick Internet users into downloading malicious files. Malicious actors often target search terms typically used by businesses and pay for their adverts to appear for those terms at the top of the search engine listings. The adverts offer a product related to that term that is likely to get a click. If the ad is clicked, the user is directed to a site where they are offered the advertised product, which they can download. Oftentimes the file download is legitimate but has been bundled with malware, which provides the threat actor with access to the user’s device. Since the user gets the product they are looking for, suspicion is unlikely to be aroused.

Earlier this year, a new ransomware variant was discovered that has been active since at least March 2023. Cactus ransomware is distributed using a variety of methods, including the exploitation of vulnerabilities in VPN appliances, but in November the group started using malvertising for initial access. Malicious adverts are used to trick people into downloading a custom version of the malware-as-a-service offering, DanaBot.

Danabot is a multifunctional malware that has several similarities to Emotet and TrickBot, and functions as an information stealer but also serves as a downloader of additional malware payloads, such as Cactus ransomware. Danabot is used to steal credentials, and then the threat actor moves laterally via RDP sign-ins, before access is provided to a threat actor tracked as Storm-0216. Storm-0216 has previously conducted ransomware attacks using the now-defunct Maze and Egregor ransomware variants, with campaigns previously using QBot for initial access. The recent law enforcement takedown of QBot’s infrastructure forced the group to experiment with other initial access malware variants.

If DanaBot is installed, it will inevitably lead to a ransomware attack and it is unlikely that the threat will be blocked in time to prevent file encryption. The best defense is to implement measures to block the initial malware download, including security awareness training for the workforce to raise awareness about the threat of malvertising and a web filtering solution to block malware downloads.

Link copied to clipboard
Photo of author

Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writers about compliance and the related areas of IT security breaches. Elizabeth's has a focus data privacy and secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone