April 9, 2019 By David Bisson

Digital attackers used more than a dozen web servers to host 10 malware families and distributed those threats using phishing emails.

In its review of threat data between May 2018 and March 2019, Bromium observed a collection of U.S. web servers hosting five families of banking malware (Dridex, Gootkit, IcedID, Nymaim and Trickbot), two strains of ransomware (GandCrab and Hermes) and three groups of information stealers (Fareit, Neutrino and AZORult).

Threat actors subsequently used those web servers to launch phishing attacks that relied on social engineering techniques to deliver malicious Microsoft Word documents. Hidden in those documents were malicious Visual Basic for Applications (VBA) macros that, when enabled, loaded one of the malicious payloads. In some cases, one malware family acted as a dropper of another threat.

Bromium researchers detected one of the servers hosting Dridex in March 2019. The finding stood out to the security firm because those behind Dridex have been using the Necurs botnet for distribution since 2016. Having also observed several similarities between the campaigns pushing out Dridex and the operations distributing some of the other threats they discovered, the researchers hypothesized that the Necurs cybergang could be using these web servers as part of its malware distribution network.

A Busy Year for Necurs Amid Revelations Into Dridex

Bromium’s hypothesis surrounding Necurs comes after the operators of the botnet made some important changes to their creation. In June 2018, for instance, Trend Micro observed the addition of new capabilities that, among other things, enabled Necurs to secretly deliver the XMRig cryptominer and push out modules designed to extract emails. Just a few months later, Cofense discovered Necurs using PUB files to distribute the FlawedAmmyy remote access Trojan.

In the meantime, researchers have learned more about the attackers behind Dridex. Researchers at ESET learned in January 2018 how these very same individuals had created a ransomware strain known as FriedEx. Almost a year later, Trend Micro found that a similar loader linked together Dridex, Emotet, Ursnif and BitPaymer.

How to Defend Against Email-Borne Malware

Security professionals can help defend their organizations against email-borne malware by conducting regular test phishing engagements with the entire workforce, reviewing the results of those simulations and conducting follow-up education as needed. Companies should also leverage tools such as the VBA editor to extract and analyze the macro code included in potentially malicious Microsoft Office documents.
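As an added example (not from Bromium or the original article), the Python sketch below triages an email attachment for an embedded VBA project so that macro-bearing Word documents can be routed to an analyst before anyone enables content. The function names and the sample bytes are constructed for illustration, and the legacy-format check is a byte-level heuristic rather than a full compound-file parse.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 compound file format (.doc, .xls)
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# "_VBA_PROJECT" is a stream inside a VBA project storage; OLE2 directory
# entries store names uncompressed as UTF-16LE, so a raw search can find it.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def triage_attachment(data: bytes) -> dict:
    """Report the container type and whether a VBA project is present."""
    result = {"container": "unknown", "has_vba": False, "evidence": []}
    if data.startswith(OLE_MAGIC):
        result["container"] = "ole2"
        if OLE_VBA_MARKER in data:  # heuristic, see lead-in
            result["has_vba"] = True
            result["evidence"].append("_VBA_PROJECT directory entry")
    elif zipfile.is_zipfile(io.BytesIO(data)):
        result["container"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                # OOXML packages keep macros in a part named vbaProject.bin
                if name.lower().endswith("vbaproject.bin"):
                    result["has_vba"] = True
                    result["evidence"].append(name)
    return result


def make_ooxml_sample(with_macro: bool) -> bytes:
    """Build a constructed, minimal OOXML-like package in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


def make_ole_sample() -> bytes:
    """Constructed bytes: OLE2 magic plus the marker, not a valid document."""
    return OLE_MAGIC + b"\x00" * 504 + OLE_VBA_MARKER


if __name__ == "__main__":
    for label, blob in [("docm-like", make_ooxml_sample(True)),
                        ("docx-like", make_ooxml_sample(False)),
                        ("doc-like", make_ole_sample())]:
        print(label, triage_attachment(blob))
```

A positive result only says that macro code exists; the code itself still has to be extracted and reviewed to judge whether it is malicious.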
