April 9, 2019 By David Bisson 2 min read

Digital attackers used more than a dozen web servers to host 10 malware families and distributed those threats using phishing emails.

In its review of threat data between May 2018 and March 2019, Bromium observed a collection of U.S. web servers hosting five families of banking malware (Dridex, Gootkit, IcedID, Nymaim and Trickbot), two strains of ransomware (GandCrab and Hermes) and three groups of information stealers (Fareit, Neutrino and AZORult).

Threat actors subsequently used those web servers to launch phishing attacks that relied on social engineering techniques to deliver malicious Microsoft Word documents. Hidden in those documents were malicious Visual Basic for Applications (VBA) macros that, when enabled, loaded one of the malicious payloads. In some cases, one malware family acted as a dropper of another threat.

Bromium researchers detected one of the servers hosting Dridex in March 2019. This finding stood out to the security firm, which knows that those behind Dridex have been using the Necurs botnet for distribution since 2016. Having also observed several similarities between the campaigns pushing out Dridex and the operations distributing some of the other threats they discovered, the researchers hypothesized that the Necurs cybergang could be using these web servers as part of its malware distribution network.

A Busy Year for Necurs Amid Revelations Into Dridex

Bromium’s hypothesis surrounding Necurs comes after the operators of the botnet made some important changes to their creation. In June 2018, for instance, Trend Micro observed the addition of new capabilities that, among other things, enabled Necurs to secretly deliver the XMRig cryptominer and push out modules designed to extract emails. Just a few months later, Cofense discovered Necurs using PUB files to distribute the FlawedAmmyy remote access Trojan.

In the meantime, researchers have learned more about the attackers behind Dridex. Researchers at ESET learned in January 2018 how these very same individuals had created a ransomware strain known as FriedEx. Almost a year later, Trend Micro found that a similar loader linked together Dridex, Emotet, Ursnif and BitPaymer.

How to Defend Against Email-Borne Malware

Security professionals can help defend their organizations against email-borne malware by conducting regular test phishing engagements with the entire workforce, reviewing those simulations’ results and conducting follow-up education as needed. Companies should also leverage tools such as the VBA editor to extract and analyze the macro code included in potentially malicious Microsoft Office documents.
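As an added example (not from the Bromium report or this article), the Python check below is what a mail-gateway or triage script could run on an attached Word file to detect embedded VBA by the contents of its container rather than by its extension, before an analyst opens it in the VBA editor. The two sample documents are constructed in code, and the `vbaProject.bin` stand-in is a placeholder, not a real macro stream.

```python
import io
import zipfile

# Assumption: only the Office Open XML container is inspected; the OLE stream inside
# vbaProject.bin is left for a macro analysis tool such as the VBA editor.
VBA_PART_SUFFIX = "vbaProject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_MAIN_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)

def inspect_office_file(data: bytes) -> dict:
    """Report container evidence of embedded VBA, regardless of the file's extension."""
    result = {"is_ooxml": False, "vba_parts": [], "macro_content_types": [], "has_macros": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result  # legacy OLE2 .doc or not an Office file at all: needs a different parser
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["is_ooxml"] = "[Content_Types].xml" in names
        result["vba_parts"] = [n for n in names if n.endswith(VBA_PART_SUFFIX)]
        if result["is_ooxml"]:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            for ct in (VBA_CONTENT_TYPE,) + MACRO_MAIN_TYPES:
                if ct in ctypes:
                    result["macro_content_types"].append(ct)
    result["has_macros"] = bool(result["vba_parts"] or result["macro_content_types"])
    return result

def build_sample(with_macros: bool) -> bytes:
    """Constructed sample container for demonstration; not a real (malicious) document."""
    main_type = MACRO_MAIN_TYPES[0] if with_macros else \
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
    if with_macros:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    ctypes = ('<?xml version="1.0" encoding="UTF-8"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              + overrides + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"PLACEHOLDER-OLE-STREAM")  # stand-in, not real VBA
    return buf.getvalue()

if __name__ == "__main__":
    for label, flag in (("clean.docx", False), ("invoice.docm", True)):
        print(label, inspect_office_file(build_sample(flag)))
```

A document flagged here still warrants extracting and reading the macro code itself, since the presence of a VBA project alone does not distinguish a legitimate macro from a dropper.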
