The operators of the Necurs botnet are using a collection of US-based servers to send out banking Trojans, ransomware, and other malware on behalf of other cybercriminals.
A threat group with possible connections to the operators of the notorious Necurs botnet has employed what security vendor Bromium this week described as an Amazon-style fulfillment model to host and distribute malware on behalf of other cybercriminals.
The group is using a collection of more than one dozen US-based servers to help attackers distribute a variety of ransomware, banking Trojans, and other malware to targets located mostly within the country.
The IP addresses of the hosting servers all belong to a single autonomous system (a block of IP address ranges routed under one administrative policy) registered to a so-called “bulletproof” hosting company in the US. Eleven of the servers hosting malware are located in a single data center in Nevada belonging to that company.
Typically, malware hosting servers are located in jurisdictions known to be uncooperative with law enforcement. The fact that this particular group is operating from within the US using a highly consolidated set of servers is significant, says a malware researcher at Bromium, who did not wish to be identified.
“One benefit of the infrastructure being in the US is that the connections to download the malware are more likely to succeed inside organizations that block traffic to and from countries outside of their typical profile of network traffic.”
Bromium has been tracking the group’s operation for close to a year and says it has observed the US-based servers being used to host at least five families of banking Trojans, two ransomware families, and three information stealers. The malware includes the Dridex banking Trojan, GandCrab ransomware, and the Neutrino exploit kit.
Evidence suggests that a single group is hosting the malware and also distributing it via …
Author: Jai Vijayan, freelance writer