Wednesday, December 6, 2023

Hackers Used US-based Web Servers to Distribute 10 Malware Families Via Weaponized Word Documents

Hackers used hosting infrastructure in the United States to host 10 malware families and distributed them through mass phishing campaigns.

The hosted malware families include five banking Trojans, two ransomware and three information stealer malware families. The malware includes familiar ones such as Dridex, GandCrab, Neutrino, IcedID, and others.

[table id=5 /]

Bromium has tracked the operations so closer for a year and says, “Multiple malware families were staged on the same web servers and subsequently distributed through mass phishing campaigns.”

Cybercriminals reuse the same servers to host different malware that indicates collaboration of common entity between the malware operators.

The malware families hosted in the server but they have separation with C2 servers, which indicates one threat actor responsible for email and hosting and another for malware operations.

Malware Families & Campaigns

Attackers distribute the malware through phishing campaigns that malicious word documents and utilize the social engineering tricks to lure victims in executing the embedded VBA macro.

According to Bromium, “the malware identified primarily targets an anglophone audience because all the phishing emails and documents we examined from campaigns linked to the hosting infrastructure were written in English.”

The malware hosted servers run the default installations of CentOS and Apache HTTP, and the payloads are compiled and hosted in less than 24 hours.

All the malware are distributed with phishing emails that carry macro embedded malicious word documents that contain links pointed to malware hosted servers.

Malware Families

“63% of the campaigns delivered a weaponized Word document that was password protected, with a simple password in the message body of the email, such as ‘1234’ or ‘321’,” Bromium said.

The recent report from IBM, states that the major cybercrime groups connected together in explicit collaboration and continues to exchange their scripts, tactics, and techniques to bypass the security measures and to evade from law enforcement agencies.

You can find the IOCs in Bromium report.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.


Latest articles

Hackers Use Weaponized Documents to Attack U.S. Aerospace Industry

An American aerospace company has been the target of a commercial cyberespionage campaign dubbed...

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles