Bromium uncovers major malware distribution centre

09 Apr 2019

Endpoint protection solutions provider Bromium announced that it uncovered US-based web servers that are being used to host and distribute banking trojans, information stealers and ransomware.

Analysis of public data and Bromium threat data between May 2018 and March 2019 showed the malicious threats were originating from web servers registered under the name PONYNET and hosted on BuyVM data centres in Las Vegas, Nevada.

BuyVM is owned by FranTech solutions, a so-called bulletproof hosting provider which has links to far-right websites.

Other key findings include:

  • At least ten malware families were traced back to the servers: Dridex, Gootkit, IcedID, Nymaim, Trickbot, Fareit, Neutrino, AZORult, Gandcrab and Hermes.
     
  • The emails and infected documents used in the campaigns were all in English and targeted US companies: 42% of infected documents claimed to be job applications or CVs, and a further 21% posed as unpaid invoices.
     
  • The same servers are being reused repeatedly, either pairing first- and second-stage malware for the same campaign or hosting different campaigns on a weekly basis; one web server hosted and distributed six different malware families over 40 days in 2018.
     
  • Given the similarities in distribution method and in tactics, techniques and procedures, it is likely these servers are part of the infamous Necurs botnet.

A spokesperson from Bromium Labs comments: “The variety of malware found and the separation of command and control from hosting and distribution suggests the existence of separate threat actors; one for developing and operating the malware, the other for executing the phishing campaigns.

“It’s the malware equivalent of Amazon fulfilment and suggests a very close relationship, making it possible for malware to be developed and delivered to inboxes in a matter of hours.

“Worryingly, this cybercrime business model offers hackers based outside of the US a convenient way to avoid geoblocks on content from restricted countries like North Korea, Russia or Iran – ensuring their malware can reach its intended destination.”

The threat data was obtained from malware captured and rendered harmless inside Bromium secure containers, which allowed security researchers to observe how the malware behaves, what actions it tries to execute, what data it tries to access and where it originated.

The spokesperson added: “These findings demonstrate the enduring effectiveness of phishing to spread malware and infect enterprise systems.

“Phishing emails have become harder to spot, and hackers know they only need to get it right once. To defend against these threats, organisations must adopt layered cybersecurity defences that utilise application isolation to contain malicious threats, while providing rich-threat telemetry about the hacker’s intent.

“This allows employees to get on with their jobs without worrying about being the source of a breach, and leaves cybercriminals unable to deliver the goods.”
