Ten nasty malware are currently having a field day infecting and using 10 corporate-level web hosting servers for further malware deployment to site visitors. The campaign which saw the progressive growth of Azorult, Gandcrab, Neutrino, Hermes, IcedID, Trickbot, Nymaim, Gootkit and Dridex in these 10 servers were linked to the Necurs botnet. It is a slap on the face of the U.S. law enforcement agencies, which were very successful in taking down physical servers of cybercriminals previous years. At the time of this writing, the same servers are still up and running, even one company hosting the infected server sells VPN services to their customers, an irony of many ironies.
“One possible reason for choosing a US hosting provider is so that the HTTP connections to download the malware from the web servers are more likely to succeed inside organizations that block traffic to and from countries that fall outside of their typical profile of network traffic,” explained Bromium.
Cybercriminals went out of their way and used a lot of infection vectors. These include phishing attempts, infected emails, Macro-virus Office documents and code injection methods in order to take over the servers. The Necurs botnet is unique in its category, given that its authors continue to enhance it with new features as it runs. The Phishing campaigns it promotes pretends to be a message of support for the Centers for Disease Control and Prevention (CDC), hence due to “sounding an alarm” within the message, the receivers of the message were duped into trusting its contents.
“The quick turnaround from compilation to hosting suggests an organized relationship between malware developers and the operators of the distribution infrastructure. Given the relative lull of Dridex activity for several months, this may be an indication of preparation for larger Dridex campaigns to come, or the adoption of HTTP basic authentication in other campaigns,” added Bromium.
It is a huge disadvantage if a firm use an internally-maintained email system, as it is very complex to operate an Exchange server today. Open Source alternatives exist, but also requires staff that are skilled enough when it comes to proper hardening of the software email infrastructure.
Many companies already moved to Gmail/Google Docs, which leaves the security responsibility for the infrastructure to the engineers of Google. The search giant employs strong anti-phishing algorithms and capable of measuring the emails compared to known sample phishing emails. Privacy advocates dislike Google’s open secret of scanning Gmail contents of users for the purpose of training its anti-phishing and anti-spam system, but practical users accept this kind of trade-off.
Companies are advised to implement their internal cybersecurity scheme, especially staff education when it comes to handling possible phishing messages and basic virus infection events. This is done either through the internal intervention of the IT team conducting user education audit or an externally hired penetration testing team. Such activities need to be considered not as a cost for the firm, but rather a very useful investment, as no other investment that is more productive than preventing your organization from falling to malware infestation or phishing attacks.
Related Sources :