US Web Servers Hosted 10 Malware Families


Security researchers have found a cluster of over a dozen US-based servers being used to host and distribute 10 strains of malware in large-scale phishing campaigns. These particular web servers are owned by FranTech Solutions, a bulletproof hosting server which uses a datacentre in Nevada. This is according to security firm Bromium.

The five main groups

Malware hosted on these servers apparently features five banking trojan groups. This includes Dridex and IcedID, as well as two groups of ransomware including GandCrab and three information stealers.

“The variety of malware families hosted, and the apparent separation of command and control (C2) from email and hosting infrastructure, suggests the existence of distinct threat actors: one responsible for email and hosting, and others in charge of operating the malware,” explained Bromium.

“Given the similarities between the campaigns delivering Dridex and the other malware families we identified, it is possible that this collection of web servers is part of the malware hosting and distribution infrastructure used by the operators of the Necurs botnet.”

A standard procedure

The phishing campaigns used to spread malware hosted on these servers seem standard. They use social engineering to fool recipients into running malicious VBA macros on the attached Word document. This will trigger a covert malware download.

According to speculations by Bromium, the US may have been picked for this endeavour rather than a country more tolerant of malicious online activity as it could enable a higher rate of success with the mainly US targets.

“The HTTP connections to download the malware from the web servers are more likely to succeed inside organizations that block traffic to and from countries that fall outside of their typical profile of network traffic,” it said.

Join us for GovSec UK

Whitehall Media’s 6th annual GovSec conference aims to enable the government to function effectively, safely and securely through improved IT and information security. The all-day conference explores how public sector organisations and professionals can make sense of securing their functions in a rapidly changing environment.