The 10 different malware families are distributing malwares through US web servers

by ·

The researchers found that 10 different malware families were hosted on more than a dozen servers registered in the United States, and they spread through botnets suspected of Necurs. Researchers at the network security company Bromium said they monitored activities related to the infrastructure from May 2018 to March 2019.

malware-infected cities

The 10 malware families include Dridex, GandCrab, Neutrino, IcedID, and others. Among them, 11 servers belong to a company based in Nevada, USA, which provides VPS hosting services. It is unusual to find this malware on US infrastructure because US law enforcement agencies often quickly block malicious infrastructure when it is discovered.

Network security researchers say the malware family on the server has spread across multiple large-scale phishing campaigns. Email and hosting have been separated from the command and control system, indicating that these servers are being used by different organizations.

After tracking spam and phishing related to malicious infrastructure, Bromium said that among all detected attacks, email is the primary attack vector, and Microsoft Word files containing malicious VBAs are the preferred weaponized document. The most popular fishing bait is a job application, followed by a payment request. Phishing campaigns are primarily targeted at the United States, and bait mail is often faked into a well-known American institution.

In addition, the rapid compilation of malware samples and the speed of hosting indicate that there are some links between malware developers and distribution infrastructure operators. “When we examined the samples hosted on the web servers, we noticed that the time difference between when they were compiled and when they were first observed being hosted was less than 24 hours, and in some cases only a matter of hours. The quick turnaround from compilation to hosting suggests an organised relationship between malware developers and the operators of the distribution infrastructure.”

Tags: