In April 2019, while reviewing available threat data, a cybersecurity company found that several malware families were being hosted on ten US-based web servers. The actors behind these threats also used the servers to run phishing campaigns that relied on social engineering to infect computers with malware delivered through malicious Microsoft Word documents. The email attachments carried malicious Visual Basic for Applications (VBA) macros that, once the user enabled them, downloaded and ran the payload on the target machine.
The threat families in question were five banking trojans (Gootkit, Nymaim, IcedID, Trickbot, and Dridex), three information stealers (Neutrino, Fareit, and AZORult), and two ransomware strains (Hermes and GandCrab). In many cases one malware family served as a dropper for another.
The researchers came across one of the servers hosting Dridex in March 2019. From earlier research, the company knew that since 2016 the operators of Dridex have used the Necurs botnet to distribute the malware, and it observed similarities between the Dridex campaigns and the campaigns that pushed some of the other threats. On that basis the researchers hypothesised that the group behind Necurs was using these web servers as part of its distribution infrastructure. The hypothesis also fits changes the Necurs operators have introduced over the years. In June 2018, for example, the botnet gained new capabilities: it began delivering the XMRig cryptocurrency miner and pushing out malicious scripts that harvested email addresses. A few months later, researchers found Necurs distributing the FlawedAmmyy remote access trojan through PUB (Microsoft Publisher) files.
Meanwhile, new information about the Dridex operators has also emerged. The same attackers reportedly created a ransomware strain named FriedEx in January 2018, and a year later researchers found that Dridex, BitPaymer, Emotet, and Ursnif all use a similar loader.
Regular training that teaches employees to recognise phishing emails helps organisations defend against malware distributed through spam campaigns. A second layer of protection is tooling that extracts and analyses the VBA macro code inside attached Microsoft Office documents, so that a document carrying a potentially malicious payload is flagged before a user is asked to enable macros.
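As an added example (not from the original article or from the company it describes), the script below shows the three steps such a macro-analysis tool performs: it detects whether an Office Open XML document (.docm/.xlsm/.pptm) embeds a VBA project, decompresses VBA source from the MS-OVBA "CompressedContainer" format in which Office stores it, and triages the recovered source for auto-execution entry points and suspicious calls. The sample document, the VBA source and the compressed byte strings are constructed here for illustration; the `vbaProject.bin` in the sample is a placeholder, because locating the module stream inside a real `vbaProject.bin` (an OLE compound file) needs an OLE parser such as `olefile`, which this example leaves out. The literal-only encoder exists only to build the sample and is not a general compressor.

```python
"""Macro triage for Office documents: detect an embedded VBA project, decompress
MS-OVBA source and flag auto-exec entry points plus suspicious calls."""
import io
import math
import re
import zipfile

# Auto-execution entry points and risky calls commonly seen in macro droppers.
AUTOEXEC = {k: rf"\b{k}\b" for k in (
    "AutoOpen", "AutoExec", "Auto_Open", "Document_Open", "Workbook_Open",
    "AutoClose", "Document_Close")}
SUSPICIOUS = {
    "Shell": r"\bShell\b", "CreateObject": r"\bCreateObject\s*\(",
    "WScript.Shell": r"WScript\.Shell", "powershell": r"powershell",
    "Environ": r"\bEnviron\b", "URLDownloadToFile": r"URLDownloadToFile",
    "Chr()": r"\bChr[BW]?\s*\(",  # Chr()-built strings hint at obfuscation
}


def find_vba_project(ooxml_bytes: bytes):
    """Return the zip member holding the VBA project (e.g. word/vbaProject.bin), or None."""
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        return next((n for n in zf.namelist() if n.endswith("vbaProject.bin")), None)


def decompress_ovba(data: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer (signature byte, then chunks)."""
    if not data or data[0] != 0x01:
        raise ValueError("bad container signature")
    out, pos = bytearray(), 1
    while pos + 2 <= len(data):
        header = data[pos] | (data[pos + 1] << 8)
        chunk_end = pos + (header & 0x0FFF) + 3          # size field excludes 3 bytes
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        pos += 2
        dec_start = len(out)
        if not header & 0x8000:                           # raw chunk: plain bytes
            out += data[pos:chunk_end]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):                          # one flag bit per token
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:                # literal token
                    out.append(data[pos])
                    pos += 1
                    continue
                token = data[pos] | (data[pos + 1] << 8)  # copy token
                pos += 2
                diff = len(out) - dec_start               # bytes decoded in this chunk
                if diff == 0:
                    raise ValueError("copy token with nothing to copy")
                bits = max(math.ceil(math.log2(diff)), 4) # offset/length split
                length = (token & (0xFFFF >> bits)) + 3
                offset = (token >> (16 - bits)) + 1
                for _ in range(length):                   # overlapping copy is allowed
                    out.append(out[-offset])
        pos = chunk_end
    return bytes(out)


def compress_literal(src: bytes) -> bytes:
    """Encode a small source as one chunk of literal tokens (sample building only)."""
    if not 0 < len(src) <= 3640:                          # 455 flag bytes + 3640 literals
        raise ValueError("single-chunk literal encoder")
    body = bytearray()
    for i in range(0, len(src), 8):
        body.append(0x00)                                 # next 8 tokens are literals
        body += src[i:i + 8]
    header = 0x8000 | 0x3000 | (len(body) + 2 - 3)
    return bytes([0x01, header & 0xFF, header >> 8]) + bytes(body)


def triage_macro(source: str) -> dict:
    """Report auto-exec entry points and suspicious calls found in VBA source."""
    auto = [k for k, p in AUTOEXEC.items() if re.search(p, source, re.I)]
    sus = [k for k, p in SUSPICIOUS.items() if re.search(p, source, re.I)]
    verdict = "suspicious" if auto and sus else ("review" if sus else "clean")
    return {"autoexec": auto, "suspicious": sus, "verdict": verdict}


def build_sample_docm(with_macros: bool) -> bytes:
    """Constructed minimal OOXML container; vbaProject.bin is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


# Constructed VBA source modelled on a typical downloader macro (inert text).
SAMPLE_VBA = b'''Attribute VB_Name = "ThisDocument"
Sub AutoOpen()
    Dim cmd As String
    cmd = "powershell -w hidden -enc " & Chr(83) & Chr(71)
    CreateObject("WScript.Shell").Run cmd, 0
End Sub
'''
# Hand-built chunk: 8 literals "abcdefgh", then a copy token (offset 8, length 8).
COPY_SAMPLE = bytes([0x01, 0x0B, 0xB0, 0x00]) + b"abcdefgh" + bytes([0x01, 0x05, 0x70])

if __name__ == "__main__":
    print("vba part:", find_vba_project(build_sample_docm(True)))
    print(decompress_ovba(COPY_SAMPLE))
    print(triage_macro(decompress_ovba(compress_literal(SAMPLE_VBA)).decode()))
```

The copy-token branch is the part worth checking carefully when writing such a decoder: the split between offset and length bits depends on how much of the current chunk has already been decoded, so a decoder that hard-codes a 12/4 split will produce garbage after the first sixteen bytes of each chunk. Keyword triage like `triage_macro` is a first-pass filter, not a verdict; heavily obfuscated macros defeat simple pattern matching and should be handed to a sandbox or a full emulator.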