Bromium uncovers US-based malware distribution center
More than a dozen US-based web servers targeted businesses with mass phishing campaigns
A recent investigation by virtualization company Bromium has discovered that US-based web servers were being used by cybercriminals to host and distribute banking trojans, information stealers and ransomware.
The firm analyzed its own threat data as well as public data between May 2018 and March 2019 to reveal that malicious threats were originating from web servers in Las Vegas, Nevada registered under the name PONYNET and hosted on BuyVM data centers.
BuyVM is actually owned by FranTech solutions which is a hosting provider that has previously been found to have links to far-right websites.
- How web hosting affects security
- IoT devices now top priority for cybercriminals
- What are the different types of web hosting?
Bromium's team found at least ten types of malware that could be traced back to the servers including Dirdex, Gootkit, IcedID, Nymaim, Trickbot, Fareit, Neutrino, AZORult, Gandcrab and Hermes.
Malware distribution
Further investigation of the emails and infected documents used in the campaigns revealed that they all in English and targeted US companies. 42 percent of the infected documents claimed to be job applications or resumes and an additional 21 percent posed as unpaid invoices.
The cybercriminals behind the malware attacks even used the same servers multiple times, either pairing first and second stage malware for the same campaign or hosting different campaigns on a weekly basis.
A Bromium spokesperson provided further insight on the discovery, saying:
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
“These findings demonstrate the enduring effectiveness of phishing to spread malware and infect enterprise systems. Phishing emails have become harder to spot, and hackers know they only need to get it right once. To defend against these threats, organizations must adopt layered cybersecurity defenses that utilize application isolation to contain malicious threats, while providing rich-threat telemetry about the hacker’s intent. This allows employees to get on with their jobs without worrying about being the source of a breach, and leaves cybercriminals unable to deliver the goods.”
- Keep your devices protected with the best antivirus and we've also highlighted the best web hosting
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.