
Researchers uncover US-based malware distribution centre

More than a dozen US-based web servers are operating as the malware equivalent of an Amazon fulfilment centre to target businesses, security researchers have found

Researchers at virtualisation-based security firm Bromium say US-based web servers are being used to host and distribute malware through mass phishing campaigns, including five families of banking trojans, three information stealers and two families of ransomware.

Analysis of public data and Bromium threat data between May 2018 and March 2019 showed the malicious threats were originating from web servers registered under the name Ponynet and hosted on BuyVM datacentres in Las Vegas, Nevada.

BuyVM is owned by FranTech Solutions, a so-called bulletproof hosting provider that has links to far-right websites, according to The New Yorker.

At least 10 types of malware were traced back to the servers – Dridex, Gootkit, IcedID, Nymaim, Trickbot, Fareit, Neutrino, AZORult, Gandcrab and Hermes.

The emails and infected documents used in the campaigns were all in English and targeted US companies, with 42% of infected documents claiming to be job applications or CVs and a further 21% posing as unpaid invoices.

The same servers are being reused multiple times, either pairing first- and second-stage malware for the same campaign, or hosting different campaigns on a weekly basis. One web server hosted and distributed six different malware families over 40 days in 2018, the researchers said.
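The reuse pattern described above (one server pairing first- and second-stage payloads, or cycling through several families over a few weeks) is the kind of thing a defender can surface from their own download telemetry. The following is an added example, not Bromium's code or data: it groups constructed sightings by hosting server, counts the distinct malware families each server served inside a sliding window, and flags servers that delivered both a stage-one and a stage-two payload on the same day. The server addresses are TEST-NET placeholders and the timestamps and stage labels are constructed; only the family names come from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry rows: (observed date, hosting server, malware family, stage).
# Family names are the ones named in the article; everything else is made up for the example.
SAMPLE_SIGHTINGS = [
    ("2018-06-01", "198.51.100.10", "Dridex",   "stage2"),
    ("2018-06-01", "198.51.100.10", "Fareit",   "stage1"),
    ("2018-06-15", "198.51.100.10", "Gootkit",  "stage2"),
    ("2018-07-05", "198.51.100.10", "IcedID",   "stage2"),
    ("2018-08-20", "198.51.100.10", "Trickbot", "stage2"),
    ("2018-06-03", "198.51.100.20", "Gandcrab", "stage2"),
    ("2018-07-01", "198.51.100.30", "Hermes",   "stage1"),
    ("2018-07-02", "198.51.100.30", "Hermes",   "stage2"),
]


def parse_sightings(rows):
    """Turn the raw rows into (datetime, host, family, stage) tuples."""
    return [(datetime.strptime(day, "%Y-%m-%d"), host, family, stage)
            for day, host, family, stage in rows]


def families_per_server(sightings, window_days=40):
    """For each server, the largest number of distinct families seen in any
    window of window_days starting at one of its own sightings."""
    by_server = defaultdict(list)
    for ts, host, family, _stage in sightings:
        by_server[host].append((ts, family))

    result = {}
    for host, events in by_server.items():
        events.sort()
        best = 0
        for start, _ in events:
            end = start + timedelta(days=window_days)
            in_window = {fam for ts, fam in events if start <= ts <= end}
            best = max(best, len(in_window))
        result[host] = best
    return result


def stage_pairs(sightings):
    """Servers that delivered both a stage1 and a stage2 payload on the same day,
    i.e. first- and second-stage pairing for one campaign."""
    stages_seen = defaultdict(set)
    for ts, host, _family, stage in sightings:
        stages_seen[(host, ts.date())].add(stage)
    return sorted({host for (host, _day), stages in stages_seen.items()
                   if {"stage1", "stage2"} <= stages})


def reuse_report(rows, min_families=3, window_days=40):
    """Summarise which servers look like shared distribution infrastructure:
    those serving min_families or more families inside the window, and those
    that paired first- and second-stage payloads on one day."""
    sightings = parse_sightings(rows)
    counts = families_per_server(sightings, window_days)
    return {
        "multi_family": sorted(h for h, c in counts.items() if c >= min_families),
        "stage_paired": stage_pairs(sightings),
    }


if __name__ == "__main__":
    print(reuse_report(SAMPLE_SIGHTINGS))
```

Run against real proxy or sandbox download logs, the two lists are the servers worth blocking outright and feeding into a threat-intel platform, since a host that rotates families every few weeks will keep reappearing under new lure documents.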

Similarities between the distribution method and the tactics, techniques and procedures lead Bromium researchers to believe that these servers are part of the infamous Necurs botnet.

The variety of malware found and the separation of command and control from hosting and distribution suggest the existence of separate threat actors, the researchers said. They believe one is responsible for developing and operating the malware and the other for executing the phishing campaigns.

The servers represent the malware equivalent of an Amazon fulfilment centre, the researchers said, which suggests a very close relationship, making it possible for malware to be developed and delivered to inboxes in a matter of hours.


This cyber crime business model offers hackers based outside the US a convenient way to avoid geoblocks on content from restricted countries such as North Korea, Russia or Iran, ensuring their malware can reach its intended destination, said the researchers.

The threat data was obtained from malware captured and rendered harmless inside Bromium secure containers, which allowed the researchers to observe how the malware behaves, what actions it tries to execute, what data it tries to access and where it originated from.

The findings demonstrate the enduring effectiveness of phishing to spread malware and infect enterprise systems, said the researchers, adding that phishing emails have become more difficult to spot.

They recommend that, to defend against these threats, organisations should adopt layered cyber security defences that use application isolation to contain malicious threats, while providing rich threat telemetry about the hacker’s intent and enabling employees to get on with their jobs without worrying about being the source of a breach.
