Security researchers at Bromium recently discovered over a dozen US-based servers being used to host and distribute 10 different strains of malware through large-scale phishing campaigns.
The servers under scrutiny are owned and operated by FranTech Solutions, a hosting provider that operates out of a data center in Nevada. The malware hosted on these servers spans five families of banking trojans, including Dridex and IcedID, two families of ransomware, and three information stealers.
Researchers believe there are two threat actors at play here - one responsible for email and hosting, and another in charge of operating the malware. The phishing campaign uses common social engineering tactics to trick recipients into running malicious VBA macros in an attached Word document, which then covertly downloads the malware from one of the hosted servers.
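Since macro-enabled Word attachments are the delivery vehicle described here, one defender-side check is to look inside an attachment for an embedded VBA project before it reaches a mailbox. The example below is added for illustration and is not code from Bromium or NNT; it assumes Office Open XML attachments (a ZIP container with the VBA project stored as vbaProject.bin) and uses constructed sample files rather than real malware.

```python
import io
import zipfile

# Office Open XML files are ZIP containers. A macro-enabled document carries
# its VBA project as word/vbaProject.bin (xl/ or ppt/ for Excel/PowerPoint).
VBA_PART_NAMES = ("vbaProject.bin", "vbaData.xml")
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")  # formats that must not embed VBA


def has_vba_macros(data: bytes) -> bool:
    """Return True if an OOXML document embeds a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        # Not OOXML (e.g. a legacy OLE .doc); that format needs a separate parser.
        return False
    return any(n.rsplit("/", 1)[-1] in VBA_PART_NAMES for n in names)


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment for mail-gateway triage.

    A VBA project inside a file whose extension promises a macro-free format
    is a mismatch worth flagging on its own, independent of what the macro does.
    """
    try:
        zipfile.ZipFile(io.BytesIO(data)).close()
    except zipfile.BadZipFile:
        return "unsupported-format"
    if not has_vba_macros(data):
        return "no-macros"
    if filename.lower().endswith(MACRO_FREE_EXTENSIONS):
        return "macro-in-macro-free-extension"
    return "macro-enabled"


def build_sample_document(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project (constructed).
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, macro in (("invoice.docm", True), ("invoice.docx", True), ("invoice.docx", False)):
        print(name, "->", triage_attachment(name, build_sample_document(macro)))
```

This only establishes that a macro is present; deciding whether the macro is malicious still needs content analysis or sandboxing, and legacy .doc files need an OLE parser rather than a ZIP listing.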
Bromium believes that the US was chosen for this attack, instead of a country more tolerant of malicious online activity, to achieve a higher success rate against the mainly US-based targets, noting: "The HTTP connections to download the malware from the web servers are more likely to succeed inside organizations that block traffic to and from countries that fall outside of their typical profile of network traffic."
It's imperative that organizations have proper malware detection protections in place to protect critical assets from known threats and zero-day attacks. NNT Change Tracker Gen72 provides continuous protection and deep visibility into system changes, identifying ransomware and other types of dangerous malware before they can carry out an attack.