Researchers have identified a long-running phishing and malware campaign that has used servers based in United States data centers to spread a variety of different malware families, including the notorious GandCrab ransomware and the Dridex and Trickbot banking trojans. The campaign’s operators may have ties to the Necurs botnet, which has been in operation since 2012.
For several months, beginning in May 2018, attackers were operating the phishing and spam campaigns using more than a dozen web servers that are all part of the same autonomous system (AS). That AS belongs to a company that operates a virtual private server (VPS) hosting service. Researchers at Bromium, a security firm, have been tracking the malware campaign and found that 11 of the web servers used in it were located in a Nevada data center owned by the VPS hosting company. The use of servers located in the U.S. is unusual, as cybercrime groups tend to favor hosting services in countries with less-aggressive law enforcement agencies.
“It was interesting to us that the hosting infrastructure is located in the United States and not in a jurisdiction that is known to be uncooperative with law enforcement. One possible reason for choosing a US hosting provider is so that the HTTP connections to download the malware from the web servers are more likely to succeed inside organisations that block traffic to and from countries that fall outside of their typical profile of network traffic,” Bromium researchers said in a new report on the campaign, which they said ran through March 2019.
“There is evidence to suggest that the malware identified primarily targets an anglophone audience because all the phishing emails and documents we examined from campaigns linked to the hosting infrastructure were written in English. Moreover, several of the lures used were only relevant to a US audience.”
The phishing campaigns used run-of-the-mill emails as bait, all of which included a Word document that had language encouraging victims to enable macros on their machines. Many of the documents were fake job applications, resumes, or invoices, all of which are commonly used in phishing campaigns. If an individual fell victim to one of the lures, the malicious code in the rigged document would then download and install a piece of malware from one of the remote servers. The Bromium researchers observed 10 different malware variants in use during this campaign, some of which were banking trojans, while others were information stealers or ransomware.
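The report's observation that US-hosted payload servers slip past country-based egress filtering, combined with the macro-document-fetches-payload chain described above, is easiest to see against log data. The following is an added illustration, not code or data from Bromium's report: it runs constructed proxy events through a country allowlist and through a behaviour rule (an Office process retrieving executable content), and field names, process names and URLs are assumptions.

```python
"""Compare a country-based egress filter with a behaviour-based rule on
constructed proxy log events modelled on the campaign described above.
All sample values below are constructed, not taken from the report."""
from dataclasses import dataclass

EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream"}
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}


@dataclass
class ProxyEvent:
    process: str        # client process that opened the connection
    dest_country: str   # GeoIP country of the destination server
    content_type: str   # Content-Type header returned by the server
    url: str


# Constructed sample events (hypothetical hosts, not real indicators).
SAMPLE_EVENTS = [
    ProxyEvent("chrome.exe", "US", "text/html", "http://news.example/"),
    ProxyEvent("winword.exe", "US", "application/x-msdownload",
               "http://vps-host.example/invoice/update.exe"),
    ProxyEvent("winword.exe", "RU", "application/octet-stream",
               "http://other.example/payload.bin"),
    ProxyEvent("winword.exe", "US", "text/xml",
               "http://update.example/schema.xml"),
]


def geo_filter_blocks(event, allowed_countries=("US", "CA", "GB")):
    """Country-based egress policy: block only traffic to unexpected countries."""
    return event.dest_country not in allowed_countries


def office_download_rule(event):
    """Behaviour rule: an Office process fetching executable content is
    suspicious no matter which country the server sits in."""
    return (event.process.lower() in OFFICE_PROCESSES
            and event.content_type in EXECUTABLE_TYPES)


def evaluate(events):
    """Return (URLs the geo filter blocks, URLs the behaviour rule flags)."""
    geo_blocked = [e.url for e in events if geo_filter_blocks(e)]
    flagged = [e.url for e in events if office_download_rule(e)]
    return geo_blocked, flagged


if __name__ == "__main__":
    blocked, flagged = evaluate(SAMPLE_EVENTS)
    print("geo filter blocked:", blocked)
    print("behaviour rule flagged:", flagged)
```

The US-hosted download passes the geo filter untouched but is caught by the behaviour rule, which is the gap the report's reasoning about the choice of hosting provider points to.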
Over the course of the 10 months that these campaigns were ongoing, the Bromium researchers noticed the attackers using a single server to host multiple different malware families at the same time, or reusing servers for campaigns several weeks or months apart.
“The variety of malware families hosted, and the apparent separation of command and control (C2) from email and hosting infrastructure, suggests the existence of distinct threat actors: one responsible for email and hosting, and others in charge of operating the malware,” Bromium said in its report.
The researchers also discovered details that may link this malware operation to the formidable Necurs botnet. Necurs has been in operation for at least seven years and its operators have used the global network of compromised machines to deliver all manner of malware, including the Gameover ZeuS trojan, CryptoLocker and Cryptowall ransomware, and several exploit kits. More recently, though, Necurs has been distributing the Dridex banking trojan, one of the malware strains that the Bromium researchers identified in the campaigns they were tracking.
“In March 2019, we noticed that one of the web servers was used to host a recent sample of Dridex. Seeing Dridex on this infrastructure was interesting to us for two reasons. The gang operating Dridex has been using the Necurs botnet as a vehicle for spreading their malware through malicious spam campaigns since 2016,” the Bromium report said.
“Given the similarities between the campaigns delivering Dridex and the other malware families we identified, it is possible that this collection of web servers is part of the malware hosting and distribution infrastructure used by the operators of the Necurs botnet. All the hosted malware we examined has been linked to high-volume malicious spam campaigns that are consistent with the tactics, techniques and procedures (TTPs) and distribution-as-a-service business model of the Necurs botnet.”
The servers used in these campaigns are still active, Bromium researchers said.
“As of 3 April 2019, several of the servers are still online and we aren’t aware of any of them being sinkholed. Our research found that in any given campaign, only a handful of the servers are actively used to host malicious files. The behavior we typically observed was that after a mass phishing campaign, the files were taken down and the web servers were left online,” said a malware analyst at Bromium.