A dozen US web servers spread 10 families of malicious programs, a suspected Necurs link


Researchers have discovered more than a dozen servers, unusually located in the United States, hosting ten families of malware distributed through phishing campaigns potentially linked to the Necurs botnet.

Bromium researchers said Thursday that they monitored campaigns tied to this infrastructure between May 2018 and March 2019.

Five families of banking Trojans (Dridex, Gootkit, IcedID, Nymaim and Trickbot), two ransomware families (GandCrab and Hermes) and three information stealers (Fareit, Neutrino and Azorult) were all found on the servers.

It is unusual for such malware to be found on infrastructure hosted in the US, as law enforcement agencies in the country are generally quick to seize and take down malicious infrastructure once they are informed of its existence.

One of the servers belongs to a single autonomous system and is run by a so-called "bulletproof" hosting service, which generally turns a blind eye to the content it hosts, whether malicious or not. The eleven other servers involved belong to a Nevada-based company that sells virtual private server (VPS) hosting.

"One possible reason for choosing a US hosting provider is that HTTP connections to download malware from the web servers are more likely to succeed within the US, because organizations block traffic to and from countries that are not part of their typical network traffic profile," Bromium suggests.

The researchers say the malware families hosted on the servers were distributed in several mass phishing campaigns. The email and hosting infrastructure was kept separate from the command and control (C2) systems, which suggests that the servers are used by distinct threat groups, some responsible for the email and hosting, others for operating the malware.

After tracing the spam and phishing campaigns related to the malicious infrastructure, Bromium found that email was the primary attack vector in all of the detected attacks. Microsoft Word files containing malicious VBA macros were the weapon of choice.

The phishing campaigns also appear to be centered on the United States, with lure emails written in English and masquerading as well-known American organizations, including the Centers for Disease Control and Prevention (CDC).


The most popular phishing lure was a job application, followed by a request to pay an outstanding invoice.

Another interesting feature of the infrastructure is the short time between the compilation of malware samples and their appearance on the hosting servers. In some cases, as with samples of Hermes and Dridex, the gap between compilation and hosting was only a few hours, and it never exceeded 24 hours.

"The short delay between compilation and hosting suggests an organized relationship between malware developers and distribution infrastructure operators," the researchers said.

The servers were also observed hosting several malware families designed to operate in tandem. Phishing campaigns discovered in July and August 2018 showed this behavior, with Azorult, an information stealer, paired with the Hermes ransomware.

The servers were also reused across different campaigns. On March 9, for example, a server was used to distribute the IcedID banking Trojan. A week later, the same server was used to host Dridex. In another case, Bromium observed a single web server hosting no fewer than six different malware families over a 40-day period.


Bromium says there are indicators suggesting that the servers could be linked to campaigns associated with the Necurs botnet.

One of the servers was used to host a recent Dridex sample in March of this year. In addition, all of the malware hosted on the US infrastructure was used in high-volume spam campaigns conducted in a manner consistent with the tactics of the Necurs botnet operators.

Unlike the other campaigns, the web server used for Dridex was protected with HTTP basic authentication, likely intended to hinder researchers investigating the malware hosted on the server.


"The username and password pair for this campaign was 'username' and 'password', and the name of the file delivered was 'test1.exe', which suggests that it may have been a test campaign," says Bromium. "Given the relative slowdown in Dridex activity over several months, this may indicate preparation for future Dridex campaigns, or the adoption of HTTP basic authentication in other campaigns in the future."
