Microsoft has published the results of its research on systems used to send millions of emails, which distribute at least seven different types of malware.
The tech giant identified two components of the new email infrastructure, discovered in March and April 2020, and tracked them for the rest of the year. Microsoft calls the first component StrangeU because it frequently uses the word "strange" in its domain names. The second component uses a domain generation algorithm (DGA), a technique for randomly generating domain names, and so it was named RandomU.
Security researchers from the Microsoft 365 Defender Threat Intelligence Team report that the appearance of this infrastructure last March coincided with the takedown of the Necurs botnet, which disrupted its service. Necurs was a large and long-lived botnet with a history of distributing the Dridex banking trojan, and it was also used to distribute ransomware, remote access trojans and information-stealing trojans. Necurs is an example of a "rental" business model that leases delivery capability as a service, allowing intruders to focus on producing malware.
According to Microsoft, the StrangeU and RandomU infrastructure appears to be filling the service gap created by the Necurs disruption, showing that intruders have a strong incentive to adapt quickly when their operations are disrupted.
This infrastructure was originally used to distribute commodity malware, but in September 2020 the operators of Dridex and Trickbot also started using it. Trickbot was disrupted last October, but it reappeared in January 2021 with a new component that scans local networks for valuable open ports, which can be attacked later.
According to ZDNet, some of the malicious campaigns that have used the StrangeU and RandomU infrastructure since March 2020 are the following:
- Korean phishing campaigns distributing Makop ransomware in April and June
- Emergency alert lures used by Mondfoxia in April
- A "Black Lives Matter" lure used by Trickbot in June
- The Dridex campaign spread through StrangeU and other infrastructure from June to July
- The Dofoil (SmokeLoader) campaign in August
- Emotet and Dridex activity in September, October and November
On June 10, the security company Fortinet reported a massive phishing campaign with malicious Word attachments and subject lines that appeared to target supporters of the Black Lives Matter movement. The malicious emails asked users to comment on the movement. Microsoft notes that these campaigns mainly targeted corporate email accounts in the US and Canada. In addition, these were small campaigns, orchestrated so that they were not easily traceable.
Dridex campaigns from late June to July also used StrangeU to target corporate email accounts, delivering Excel documents with malicious macros.
Finally, Microsoft explains: "As attacks continue to escalate, the tactics used by attackers to deliver phishing emails, gain initial access to systems and move laterally across networks will become increasingly varied. This research shows that despite the various variants and resilience that hackers have 'built', the basic tactics and tools they use are still limited, relying on known malicious macros, lures and delivery tactics."