Ten Malware Families Spread in Rare Use of US Web Servers

Bromium researchers have uncovered more than a dozen servers hosting ten different malware families that are distributed through phishing campaigns and may be linked to the Necurs botnet. The servers are registered in the US, which is unusual given how aggressively US law enforcement seizes and takes down malicious infrastructure. The main infection route appears to be phishing emails carrying Microsoft Word attachments that contain malicious Visual Basic for Applications (VBA) macros. The campaigns are US-centric: the emails are written in English and impersonate US organizations such as the Centers for Disease Control and Prevention (CDC). According to Bromium, “Five families of banking Trojans -- Dridex, Gootkit, IcedID, Nymaim, and Trickbot -- two ransomware variants, Gandcrab and Hermes, as well as three information stealers, Fareit, Neutrino, and Azorult, were all found on the servers.” The threat actors were also observed hosting multiple malware families designed to work in tandem with one another. The most common lures were job applications and unpaid invoice demands. For more information, please read the ZDNet article.

The NJCCIC recommends that users refrain from clicking on links or opening attachments contained in suspicious emails. If a user is uncertain of an email’s legitimacy, we advise them to contact the sender via an alternate method. The NJCCIC encourages users who believe they may have been compromised to send a copy of the suspicious email to spamreport@cyber.nj.gov and to notify their agency ISO, Email Admin, or Helpdesk.
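Because the infection route described above is a Word attachment carrying a VBA macro, a useful triage step is to check whether an attachment actually contains a VBA project before anyone opens it. The following script is an added example written for this page; it is not Bromium's or NJCCIC's code, and the sample documents it builds are constructed in memory purely for the demonstration. It inspects an OOXML (.docx/.docm) package for a `vbaProject.bin` part and for macro-enabled content types, flags the case where a file named `.docx` nonetheless contains a VBA project, and recognizes legacy OLE (.doc) files by their magic bytes so they can be handed to a proper OLE parser.

```python
import io
import zipfile

# Magic header of legacy Compound File Binary (OLE) documents such as .doc.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content types that appear in [Content_Types].xml when a Word file is macro-enabled.
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
VBA_PART_CT = "application/vnd.ms-office.vbaProject"


def build_sample_package(with_macro: bool) -> bytes:
    """Build a minimal in-memory OOXML package (constructed test data, not a real sample)."""
    main_ct = MACRO_MAIN_CT if with_macro else PLAIN_MAIN_CT
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    )
    if with_macro:
        content_types += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_PART_CT}"/>'
    content_types += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real VBA project stream.
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"placeholder")
    return buf.getvalue()


def inspect_office_attachment(filename: str, data: bytes) -> dict:
    """Return structural evidence of a VBA project in a Word attachment.

    This is a triage check on container structure only; it does not judge
    whether a macro is malicious. Verdicts:
      macro-enabled                        -> VBA project present, extension says so
      macro-enabled-mismatched-extension   -> VBA project present, extension hides it
      no-vba-project                       -> OOXML package without VBA
      legacy-ole-document                  -> .doc-style OLE file, needs an OLE parser
      not-an-office-package                -> neither OLE nor a zip container
    """
    result = {
        "filename": filename,
        "format": "unknown",
        "vba_parts": [],
        "declared_macro_enabled": False,
        "verdict": "unknown",
    }
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros live in OLE storages, not a zip part.
        result["format"] = "ole"
        result["verdict"] = "legacy-ole-document"
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["verdict"] = "not-an-office-package"
        return result
    result["format"] = "ooxml"
    names = zf.namelist()
    # The VBA project is stored as a binary part, conventionally word/vbaProject.bin.
    result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
    ct_xml = ""
    if "[Content_Types].xml" in names:
        ct_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    result["declared_macro_enabled"] = MACRO_MAIN_CT in ct_xml or VBA_PART_CT in ct_xml
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if result["vba_parts"] or result["declared_macro_enabled"]:
        if ext in ("docm", "dotm"):
            result["verdict"] = "macro-enabled"
        else:
            result["verdict"] = "macro-enabled-mismatched-extension"
    else:
        result["verdict"] = "no-vba-project"
    return result


if __name__ == "__main__":
    for name, blob in [
        ("unpaid_invoice.docm", build_sample_package(True)),
        ("job_application.docx", build_sample_package(False)),
        ("job_application.docx", build_sample_package(True)),
        ("old_invoice.doc", OLE_MAGIC + b"\x00" * 16),
    ]:
        print(name, "->", inspect_office_attachment(name, blob)["verdict"])
```

The check is deliberately narrow: a `vbaProject.bin` part tells you the attachment can run VBA, not that the macro is malicious, and a legacy `.doc` needs an OLE parser (for example the oletools `olevba` command) to extract and review the macro source. Any attachment that reports `macro-enabled` or `macro-enabled-mismatched-extension` from an unexpected sender is a candidate for the reporting step the NJCCIC describes.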