Endpoint protection solutions provider Bromium announced that it uncovered US-based web servers that are being used to host and distribute banking trojans, information stealers and ransomware.
Analysis of public data and Bromium threat data between May 2018 and March 2019 showed the malicious threats were originating from web servers registered under the name PONYNET and hosted on BuyVM data centres in Las Vegas, Nevada.
BuyVM is owned by FranTech solutions, a so-called bulletproof hosting provider which has links to far-right websites.
Other key findings include:
A spokesperson from Bromium Labs comments: “The variety of malware found and the separation of command and control from hosting and distribution suggests the existence of separate threat actors; one for developing and operating the malware, the other for executing the phishing campaigns.
“It’s the malware equivalent of Amazon fulfilment and suggests a very close relationship, making it possible for malware to be developed and delivered to inboxes in a matter of hours.
“Worryingly, this cybercrime business model offers hackers based outside of the US with a convenient way to avoid geoblocks on content from restricted countries like North Korea, Russia or Iran – ensuring their malware can reach its intended destination.”
The threat data was obtained from malware captured and rendered harmless inside Bromium secure containers, which allowed security researchers to watch how malware behaves, what actions it tries to execute, data it tries to access and where it originated from.
The spokesperson added: “These findings demonstrate the enduring effectiveness of phishing to spread malware and infect enterprise systems.
“Phishing emails have become harder to spot, and hackers know they only need to get it right once. To defend against these threats, organisations must adopt layered cybersecurity defences that utilise application isolation to contain malicious threats, while providing rich-threat telemetry about the hacker’s intent.
“This allows employees to get on with their jobs without worrying about being the source of a breach, and leaves cybercriminals unable to deliver the goods.”