Bromium: cybercrime launched mass phishing campaigns, exploiting hosting infrastructure in the United States, to spread 10 malware families: five banking trojans, two ransomware and three information stealers, from Dridex to Gootkit, passing through GandCrab and AZORult.
Cybercrime launched mass phishing campaigns to spread 10 malware families, exploiting hosting infrastructure in the United States. The finding comes from Bromium cyber security experts. The threats include five banking Trojans (Dridex, Gootkit, IcedID, Nymaim and Trickbot), two ransomware families (GandCrab and Hermes) and three information stealers (Fareit, Neutrino and AZORult). They were distributed from more than a dozen US-based web servers, which are part of the malware-hosting infrastructure of the Necurs botnet. The researchers also suspect that distinct threat actors are involved: one responsible for email distribution and malware hosting, and others that operate the malicious code. In each campaign, email was the attack vector. The phishing emails delivered Microsoft Word documents and used social engineering to trick victims into enabling malicious VBA macros, which then downloaded the malware.
The cyber security experts: the web servers “belong to a single autonomous system, registered under the netname PONYNET, owned by FranTech Solutions”
According to the cyber security experts, the web servers “belong to a single autonomous system, AS53667, registered under the netname PONYNET, which contains 52,992 IP addresses. The hosting provider that owns PONYNET is a company called FranTech Solutions, a so-called ‘bulletproof host’. BuyVM is another company owned by FranTech that sells virtual private server (VPS) hosting services. One of the data centres used by BuyVM is in Nevada, US, which is where 11 of the web servers were hosted”, the company’s blog reports. “It was interesting that the hosting infrastructure is located in the United States and not in a jurisdiction that is known to be uncooperative with law enforcement.” One possible reason is that HTTP connections to download the malware from these web servers are more likely to succeed inside organisations that block traffic to and from countries outside their typical network-traffic profile: a US-hosted server does not trip a geographic block in a US organisation.
The phishing campaigns target an anglophone audience and show two patterns: multiple malware families were hosted on the same server, and servers were reused to host malware for different campaigns
Analysing the cybercrime campaigns, it appears that the malware identified primarily targets an anglophone audience, because all the phishing emails and documents linked to the hosting infrastructure were written in English. Moreover, several of the lures used were only relevant to a US audience. Bromium also explains that there were several cases in which multiple malware families were hosted on the same server. In some cases, two families were used in conjunction with each other, one acting as a dropper for the other. This happened, for example, in phishing campaigns in July and August 2018 that delivered AZORult, an information stealer that was used to download Hermes ransomware. In those campaigns, both types of malware were hosted on the same server. The other pattern is that servers were reused to host malware for different campaigns.
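The two patterns above, and the concentration of servers in a single autonomous system described earlier, are the kind of thing an analyst finds by pivoting on hosting infrastructure: collect the payload URLs seen in each campaign, group them by server, and map the servers to their AS. The script below is an added example written for this page, not Bromium's tooling or data. It runs over constructed sightings using RFC 5737 documentation addresses, and the prefix-to-AS table is a hypothetical stand-in for a real WHOIS or BGP lookup; none of the IPs or AS numbers here are the real PONYNET/AS53667 ranges.

```python
"""Pivot on malware-hosting infrastructure: group payload servers by family,
campaign and AS. Added example with constructed data; not the original page's code."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical prefix-to-AS table (constructed; RFC 5737 documentation ranges,
# not real PONYNET/AS53667 prefixes). In practice this comes from a BGP or WHOIS feed.
PREFIX_TO_AS = {
    "192.0.2.0/24": ("AS64496", "EXAMPLE-HOST-A"),
    "198.51.100.0/24": ("AS64497", "EXAMPLE-HOST-B"),
}


@dataclass(frozen=True)
class Sample:
    campaign: str  # constructed campaign label, e.g. month plus lure
    family: str    # malware family delivered
    host: str      # IPv4 address the payload was downloaded from


# Constructed sightings shaped like the two patterns the article describes:
# one server hosting a dropper and its second stage, and servers reused later.
SAMPLES = [
    Sample("2018-07-A", "AZORult", "192.0.2.10"),
    Sample("2018-07-A", "Hermes", "192.0.2.10"),      # second stage on the same server
    Sample("2018-08-B", "AZORult", "192.0.2.10"),     # same server, later campaign
    Sample("2018-08-B", "Dridex", "192.0.2.11"),
    Sample("2018-09-C", "GandCrab", "192.0.2.11"),    # server reused again
    Sample("2018-09-C", "Trickbot", "198.51.100.5"),
]


def lookup_as(ip: str):
    """Longest-prefix match of an IP against the (constructed) prefix table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, info in PREFIX_TO_AS.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return best[1] if best else ("unknown", "unknown")


def multi_family_hosts(samples):
    """Pattern 1: servers that hosted more than one malware family."""
    families = defaultdict(set)
    for s in samples:
        families[s.host].add(s.family)
    return {h: sorted(f) for h, f in families.items() if len(f) > 1}


def reused_hosts(samples):
    """Pattern 2: servers reused across distinct campaigns."""
    campaigns = defaultdict(set)
    for s in samples:
        campaigns[s.host].add(s.campaign)
    return {h: sorted(c) for h, c in campaigns.items() if len(c) > 1}


def hosts_by_as(samples):
    """Group the hosting servers under their AS to see how concentrated they are."""
    grouped = defaultdict(set)
    for s in samples:
        grouped[lookup_as(s.host)].add(s.host)
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    print("multi-family servers:", multi_family_hosts(SAMPLES))
    print("reused servers:", reused_hosts(SAMPLES))
    for (asn, name), hosts in hosts_by_as(SAMPLES).items():
        print(f"{asn} ({name}): {len(hosts)} server(s) -> {hosts}")
```

With real sightings the same three groupings are what let an analyst say "these servers belong to one AS" or "this server served AZORult in July and Dridex in August"; the value of the pivot comes from the breadth of the URL collection, not from the grouping code, which is deliberately simple.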