Scammers used data centers located in the United States to launch nasty strains of malware against English-speaking web users, according to Bromium research published Thursday.
The hacking campaign lasted from May 2018 to last month, and included five families of banking trojans, two families of ransomware and three forms of malware meant to collect victims’ personal information. The cybercriminal operation relied on U.S. data centers, with 11 web servers hosted at BuyVM, a virtual private server company in Nevada.
The location alone makes this operation unusual, Bromium noted, because hackers typically organize in areas outside the FBI’s reach.
“It was interesting to us that the hosting infrastructure is located in the United States and not a jurisdiction that is known to be uncooperative with law enforcement,” the researchers explained. “One possible reason for choosing a U.S. hosting provider is so that the HTTP connections to download the malware from the web servers are more likely to succeed inside organisations that block traffic to and from countries that fall outside of their typical profile of network traffic.”
Researchers also found evidence that may link this activity to the Necurs botnet. That global crime network has been active for seven years, and used to deliver spam and malware ranging from Dridex to Locky, once found in more than 14 million emails in a single week. The hackers behind Dridex have been using the Necurs botnet to distribute their malware since 2016, the report noted.
“Given the similarities between the campaigns delivering Dridex and the other malware families we identified, it is possible that this collection of web servers is part of the malware hosting and distribution infrastructure used by the operators of the Necurs botnet,” it went on. “All the hosted malware we examined has been linked to high-volume malicious spam campaigns that are consistent with the tactics, techniques and procedures (TTPs) and distribution-as-a-service business model of the Necurs botnet.”