
Bromium uncovers major malware distribution centre

09 Apr 2019

Endpoint protection solutions provider Bromium announced that it uncovered US-based web servers that are being used to host and distribute banking trojans, information stealers and ransomware.

Analysis of public data and Bromium threat data between May 2018 and March 2019 showed the malicious threats were originating from web servers registered under the name PONYNET and hosted on BuyVM data centres in Las Vegas, Nevada.

BuyVM is owned by FranTech solutions, a so-called bulletproof hosting provider which has links to far-right websites.

Other key findings include:

  • At least ten types of malware were traced back to the servers: Dridex, Gootkit, IcedID, Nymaim, Trickbot, Fareit, Neutrino, AZORult, Gandcrab and Hermes.

  • The emails and infected documents used in the campaigns were all in English and targeted US companies – 42% of infected documents claimed to be job applications or CVs and a further 21% posed as unpaid invoices.

  • The same servers are being reused multiple times, either pairing first- and second-stage malware for the same campaign, or hosting different campaigns on a weekly basis – one web server hosted and distributed six different malware families over 40 days in 2018.

  • Due to similarities between the distribution method and the tactics, techniques and procedures, it’s likely these servers are part of the infamous Necurs botnet.
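The server-reuse finding above is the kind of pivot a defender can reproduce over their own download telemetry: group observed payloads by hosting server and count how many distinct malware families each server delivered inside a sliding window. The following is an added example, not Bromium's code; the record layout (date, server, family, lure type) and the sample rows are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): one row per malicious
# download observed, as (date, hosting server, malware family, lure type).
SAMPLE_RECORDS = [
    ("2018-06-01", "srv-a.example", "Dridex",   "cv"),
    ("2018-06-04", "srv-a.example", "Gootkit",  "invoice"),
    ("2018-06-12", "srv-a.example", "IcedID",   "cv"),
    ("2018-06-20", "srv-a.example", "Nymaim",   "other"),
    ("2018-07-02", "srv-a.example", "Trickbot", "invoice"),
    ("2018-07-08", "srv-a.example", "Fareit",   "cv"),
    ("2018-09-01", "srv-a.example", "AZORult",  "other"),
    ("2018-08-01", "srv-b.example", "Gandcrab", "invoice"),
    ("2019-01-10", "srv-c.example", "Hermes",   "cv"),
    ("2019-01-11", "srv-c.example", "Neutrino", "other"),
]

def parse_records(rows):
    """Turn ISO date strings into datetime objects; other fields unchanged."""
    return [(datetime.strptime(d, "%Y-%m-%d"), s, f, l) for d, s, f, l in rows]

def families_per_server(records, window_days=40):
    """For each server, the largest number of distinct malware families it
    served within any window_days-long period (repeat hits of one family
    count once, so srv-b delivering Gandcrab twice still scores 1)."""
    by_server = defaultdict(list)
    for date, server, family, _ in records:
        by_server[server].append((date, family))
    result = {}
    for server, events in by_server.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            end = start + timedelta(days=window_days)
            best = max(best, len({f for d, f in events[i:] if d < end}))
        result[server] = best
    return result

def reused_servers(records, min_families=2, window_days=40):
    """Servers that delivered at least min_families families in one window;
    these are the hosts worth blocking outright rather than per-URL."""
    counts = families_per_server(records, window_days)
    return sorted(s for s, n in counts.items() if n >= min_families)

def lure_share(records):
    """Percentage of documents per lure type, rounded to a whole percent."""
    counts = Counter(lure for *_, lure in records)
    total = sum(counts.values())
    return {k: round(100 * v / total) for k, v in counts.items()}
```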

A spokesperson from Bromium Labs comments: “The variety of malware found and the separation of command and control from hosting and distribution suggests the existence of separate threat actors; one for developing and operating the malware, the other for executing the phishing campaigns.

“It’s the malware equivalent of Amazon fulfilment and suggests a very close relationship, making it possible for malware to be developed and delivered to inboxes in a matter of hours.

“Worryingly, this cybercrime business model offers hackers based outside of the US a convenient way to avoid geoblocks on content from restricted countries like North Korea, Russia or Iran – ensuring their malware can reach its intended destination.”

The threat data was obtained from malware captured and rendered harmless inside Bromium secure containers, which allowed security researchers to watch how malware behaves, what actions it tries to execute, data it tries to access and where it originated from.

The spokesperson added: “These findings demonstrate the enduring effectiveness of phishing to spread malware and infect enterprise systems.

“Phishing emails have become harder to spot, and hackers know they only need to get it right once. To defend against these threats, organisations must adopt layered cybersecurity defences that utilise application isolation to contain malicious threats, while providing rich threat telemetry about the hacker’s intent.

“This allows employees to get on with their jobs without worrying about being the source of a breach, and leaves cybercriminals unable to deliver the goods.”
