Bulletproof 'Amazon' for malware uncovered by researchers

News by Davey Winder

New research reveals a large-scale fulfilment centre for malware-distributing phishing campaigns described by researchers as being "a malware version of Amazon's fulfilment model."

New research reveals a large-scale fulfilment centre for malware-distributing phishing campaigns being run from a bulletproof web host in the United States. The Bromium threat researchers describe the operation as being "a malware version of Amazon’s fulfilment model."

Researchers discovered a bunch of web servers in the United States that are actively being used to distribute a large-scale spam campaign featuring a veritable who's who of malware families. The fact that the hosting infrastructure, thought to be part of the Necurs botnet, is located in the US rather than a jurisdiction less cooperative with law enforcement demands appears risky; but the threat actors are actually playing clever here.

It is thought that the location has been chosen in order for the HTTP connections required to download the malware payloads to have more chance of making it through the enterprise defences of US-based targets which might otherwise block traffic outside of their typical network patterns. The US-centric nature of the fulfilment centre continues in that many of the phishing baits examined by the researchers were primarily relevant to that US audience. For example, one campaign used emails purporting to originate from the Centres for Disease Control and Prevention, a US government federal agency.

Unlike many other campaigns, this fulfilment centre seems to enforce HTTP basic authentication as a "means of preventing the executable from being downloaded without a correct username and password" according to the researchers. This is most likely to have been implemented to make investigative analysis by researchers harder, or at least slower, as such analysis would require access to the Word dropper itself or the proxy logs/full packet capture of network traffic containing the HTTP request.

Multiple malware families have been found to be active on the servers at this 'bulletproof' web host, covering everything from ransomware to data stealers and Trojans. The high-profile malware includes examples of Dridex, GandCrab, Neutrino, Hermes, AZORult, IcedID, Trickbot and Gootkit. As well as multiple malware families being distributed, the campaign also appears to have distinct threat actors involved: one being responsible for hosting and others the operational side of the malware itself.

Commonality can be found, however, in the attack vector used for all of the disparate campaigns: good old-fashioned phishing emails delivering Microsoft Word documents spiked with malicious VBA macros. "What makes these campaigns stand out is the scale and variety of malware families that was hosted on the web servers" Alex Holland, the Malware Analyst at Bromium who conducted the research said in conversation with SC Media UK, continuing "different groups of developers are regularly updating their malware with new features, whilst a separate group works on mass phishing campaigns to distribute them. This means new variants of malware can be delivered to inboxes in a matter of hours, increasing the risk of someone taking the bait."

So, should the enterprise be doing anything different to best practice mitigation methods to stave off this particular threat? "Network rules should prevent any Word doc containing macros in particular from being downloaded, as macros are a very common attack vector," Paul Bischoff, privacy advocate with Comparitech.com advises, adding "employees should also be trained not to click on links or attachments in unsolicited emails."

However, as Holland points out, "many enterprises have a legitimate business justification for using macros, which goes some way to explain why macro-based droppers are still effective at infecting users." To help defend against this, enterprises must adopt layered cyber-security defences that utilise application isolation to isolate risky activities like opening Office documents, hyperlinks and untrusted files. "With each task opened in a virtual machine, threats like Dridex, Gandcrab and Hermes are rendered harmless, even if an employee has opened a malicious file" Holland explains, concluding "the attacker will have nowhere to go and nothing to steal, keeping critical intellectual property protected and helping organisations stay one-step ahead of new tactics and techniques used by cyber-criminals."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews