Digital attackers used more than a dozen web servers to host 10 malware families and distributed those threats using phishing emails.

In its review of threat data between May 2018 and March 2019, Bromium observed a collection of U.S. web servers hosting five families of banking malware (Dridex, Gootkit, IcedID, Nymaim and Trickbot), two strains of ransomware (GandCrab and Hermes) and three groups of information stealers (Fareit, Neutrino and AZORult).

Threat actors subsequently used those web servers to launch phishing attacks that relied on social engineering techniques to deliver malicious Microsoft Word documents. Hidden in those documents were malicious Visual Basic for Applications (VBA) macros that, when enabled, loaded one of the malicious payloads. In some cases, one malware family acted as a dropper of another threat.

Bromium researchers detected one of the servers hosting Dridex in March 2019. This realization resonated with the security firm, which knows that those behind Dridex have been using the Necurs botnet for distribution since 2016. Given their additional observation of several similarities between the campaigns pushing out Dridex and the operations distributing some of the other threats they discovered, the researchers hypothesized that the Necurs cybergang could be using these web servers as part of their malware distribution network.

A Busy Year for Necurs Amid Revelations Into Dridex

Bromium’s hypothesis surrounding Necurs comes after the operators of the botnet made some important changes to their creation. In June 2018, for instance, Trend Micro observed the addition of new capabilities that, among other things, enabled Necurs to secretly deliver the XMRig cryptominer and push out modules designed to extract emails. Just a few months later, Cofense discovered Necurs using PUB files to distribute the FlawedAmmyy remote access Trojan.

In the meantime, researchers have learned more about the attackers behind Dridex. Researchers at ESET learned in January 2018 how these very same individuals had created a ransomware strain known as FriedEx. Almost a year later, Trend Micro found that a similar loader linked together Dridex, Emotet, Ursnif and BitPaymer.

How to Defend Against Email-Borne Malware

Security professionals can help defend their organizations against email-borne malware by conducting regular test phishing engagements with the entire workforce, reviewing those simulations’ results and conducting follow-up education as needed. Companies should also leverage tools such as VBA editor to extract and analyze the macro code included in potentially malicious Microsoft Office documents.

More from

New Attack Targets Online Customer Service Channels

An unknown attacker group is targeting customer service agents at gambling and gaming companies with a new malware effort. Known as IceBreaker, the code is capable of stealing passwords and cookies, exfiltrating files, taking screenshots and running custom VBS scripts. While these are fairly standard functions, what sets IceBreaker apart is its infection vector. Malicious actors are leveraging the helpful nature of customer service agents to deliver their payload and drive the infection process. Here’s a look at how IceBreaker…

Operational Technology: The evolving threats that might shift regulatory policy

Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content. Attacks on Operational Technology (OT) and Industrial Control Systems (ICS) grabbed the headlines more often in 2022 — a direct result of Russia’s invasion of Ukraine sparking a growing willingness on behalf of criminals to target the ICS of critical infrastructure. Conversations about what could happen if these kinds of systems were compromised were once relegated to “what ifs” and disaster movie scripts. But those days are…

Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them. ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge. Understanding Attack Surface Management Here…

Six Ways to Secure Your Organization on a Smaller Budget

My LinkedIn feed has been filled with connections announcing they have been laid off and are looking for work. While it seems that no industry has been spared from uncertainty, my feed suggests tech has been hit the hardest. Headlines confirm my anecdotal experience. Many companies must now protect their systems from more sophisticated threats with fewer resources — both human and technical. Cobalt’s 2022 The State of Pentesting Report found that 90% of short-staffed teams are struggling to monitor…