Hackers used hosting infrastructure in the United States to host 10 malware families and distributed them through mass phishing campaigns.
The hosted malware families include five banking Trojans, two ransomware and three information stealer malware families. The malware includes familiar ones such as Dridex, GandCrab, Neutrino, IcedID, and others.
| Malware Family | Type |
|---|---|
| Dridex | Banking Trojan |
| Gootkit | Banking Trojan |
| IcedID | Banking Trojan |
| Nymaim | Banking Trojan |
| Trickbot | Banking Trojan |
| Fareit | Information stealer |
| Neutrino | Information stealer |
| AZORult | Information stealer |
| GandCrab | Ransomware |
| Hermes | Ransomware |
Bromium has tracked the operations so closer for a year and says, “Multiple malware families were staged on the same web servers and subsequently distributed through mass phishing campaigns.”
Cybercriminals reuse the same servers to host different malware that indicates collaboration of common entity between the malware operators.
The malware families hosted in the server but they have separation with C2 servers, which indicates one threat actor responsible for email and hosting and another for malware operations.
Malware Families & Campaigns
Attackers distribute the malware through phishing campaigns that malicious word documents and utilize the social engineering tricks to lure victims in executing the embedded VBA macro.
According to Bromium, “the malware identified primarily targets an anglophone audience because all the phishing emails and documents we examined from campaigns linked to the hosting infrastructure were written in English.”
The malware hosted servers run the default installations of CentOS and Apache HTTP, and the payloads are compiled and hosted in less than 24 hours.
All the malware are distributed with phishing emails that carry macro embedded malicious word documents that contain links pointed to malware hosted servers.
“63% of the campaigns delivered a weaponized Word document that was password protected, with a simple password in the message body of the email, such as ‘1234’ or ‘321’,” Bromium said.
The recent report from IBM, states that the major cybercrime groups connected together in explicit collaboration and continues to exchange their scripts, tactics, and techniques to bypass the security measures and to evade from law enforcement agencies.
