Digital attackers used more than a dozen web servers to host 10 malware families and distributed those threats using phishing emails.

In its review of threat data between May 2018 and March 2019, Bromium observed a collection of U.S. web servers hosting five families of banking malware (Dridex, Gootkit, IcedID, Nymaim and Trickbot), two strains of ransomware (GandCrab and Hermes) and three groups of information stealers (Fareit, Neutrino and AZORult).

Threat actors subsequently used those web servers to launch phishing attacks that relied on social engineering techniques to deliver malicious Microsoft Word documents. Hidden in those documents were malicious Visual Basic for Applications (VBA) macros that, when enabled, loaded one of the malicious payloads. In some cases, one malware family acted as a dropper of another threat.

Bromium researchers detected one of the servers hosting Dridex in March 2019. This realization resonated with the security firm, which knows that those behind Dridex have been using the Necurs botnet for distribution since 2016. Given their additional observation of several similarities between the campaigns pushing out Dridex and the operations distributing some of the other threats they discovered, the researchers hypothesized that the Necurs cybergang could be using these web servers as part of their malware distribution network.

A Busy Year for Necurs Amid Revelations Into Dridex

Bromium’s hypothesis surrounding Necurs comes after the operators of the botnet made some important changes to their creation. In June 2018, for instance, Trend Micro observed the addition of new capabilities that, among other things, enabled Necurs to secretly deliver the XMRig cryptominer and push out modules designed to extract emails. Just a few months later, Cofense discovered Necurs using PUB files to distribute the FlawedAmmyy remote access Trojan.

In the meantime, researchers have learned more about the attackers behind Dridex. Researchers at ESET learned in January 2018 how these very same individuals had created a ransomware strain known as FriedEx. Almost a year later, Trend Micro found that a similar loader linked together Dridex, Emotet, Ursnif and BitPaymer.

How to Defend Against Email-Borne Malware

Security professionals can help defend their organizations against email-borne malware by conducting regular test phishing engagements with the entire workforce, reviewing those simulations’ results and conducting follow-up education as needed. Companies should also leverage tools such as VBA editor to extract and analyze the macro code included in potentially malicious Microsoft Office documents.

more from

From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers

A comparative analysis performed by IBM Security X-Force uncovered evidence that suggests Bumblebee malware, which first appeared in the wild last year, was likely developed directly from source code associated with the Ramnit banking trojan. This newly discovered connection is particularly interesting as campaign activity has so far linked Bumblebee to affiliates of the threat group ITG23 (aka the Trickbot/Conti…

X-Force 2022 Insights: An Expanding OT Threat Landscape

This post was written with contributions from Dave McMillen. So far 2022 has seen international cyber security agencies issuing multiple alerts about malicious Russian cyber operations and potential attacks on critical infrastructure, the discovery of two new OT-specific pieces of malware, Industroyer2 and InController/PipeDream, and the disclosure of many operational technology (OT) vulnerabilities. The OT cyber threat landscape is expanding dramatically and OT…