Over a dozen US-based web servers from far-right linked hosting service being used to target businesses with mass phishing campaigns spreading Dridex, Gandcrab and more
Bromium®, Inc., the pioneer and leader in application isolation and containment for endpoint protection that stops advanced malware attacks, has uncovered US-based web servers that are being used to host and distribute banking trojans, information stealers and ransomware.
Analysis of public data and Bromium threat data between May 2018 and March 2019 showed the malicious threats were originating from web-servers registered under the name PONYNET and hosted on BuyVM data centers in Las Vegas, Nevada. BuyVM is owned by FranTech solutions, a so-called bulletproof hosting provider which has links to far-right websites.
Other key findings include:
- At least ten types of malware were traced back to the servers; Dridex, Gootkit, IcedID, Nymaim, Trickbot, Fareit, Neutrino, AZORult, Gandcrab and Hermes.
- The emails and infected documents used in the campaigns were all English and targeted US companies – 42% of infected documents claimed to be job applications or CVs and a further 21% posed as unpaid invoices
- The same servers are being reused multiple times, either pairing first and second stage malware for the same campaign, or hosting different campaigns on a weekly basis – one web server hosted and distributed six different malware families over 40 days in 2018
- Due to similarities between the distribution method and the tactic, techniques and procedures, it’s likely these servers are part of the infamous Necurs botnet.
A spokesperson from Bromium Labs, commented: “The variety of malware found and the separation of command and control from hosting and distribution suggests the existence of separate threat actors; one for developing and operating the malware, the other for executing the phishing campaigns. It’s the malware equivalent of Amazon fulfilment and suggests a very close relationship, making it possible for malware to be developed and delivered to inboxes in a matter of hours. Worryingly, this cybercrime business model offers hackers based outside of the US with a convenient way to avoid geoblocks on content from restricted countries like North Korea, Russia or Iran – ensuring their malware can reach its intended destination.”
The threat data was obtained from malware captured and rendered harmless inside Bromium secure containers, which allowed security researchers to watch how malware behaves, what actions it tries to execute, data it tries to access and where it originated from.
The spokesperson concludes: “These findings demonstrate the enduring effectiveness of phishing to spread malware and infect enterprise systems. Phishing emails have become harder to spot, and hackers know they only need to get it right once. To defend against these threats, organizations must adopt layered cybersecurity defenses that utilize application isolation to contain malicious threats, while providing rich-threat telemetry about the hacker’s intent. This allows employees to get on with their jobs without worrying about being the source of a breach, and leaves cybercriminals unable to deliver the goods.”