Microsoft has published a detailed account of its investigation into the email infrastructure used to send millions of messages distributing at least seven different malware families.
Microsoft identifies two segments of the new email infrastructure, which it first spotted in March and April and then tracked for the rest of the year. It calls the first segment StrangeU because the domains registered for it frequently contained the word "strange". The second segment relied on a domain generation algorithm (DGA), which churns out pseudo-random domain names faster than defenders can block them one by one, and was therefore dubbed RandomU.
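As an added illustration, not part of Microsoft's report, the following Python turns the two naming patterns described above into a triage rule over mail-gateway logs: a keyword match for sender labels containing "strange", and a randomness heuristic (label length, Shannon entropy, vowel ratio and digit count) that approximates what a DGA-produced label looks like. The log format, the thresholds and every domain in the sample are constructed assumptions for the demo; none of them are indicators from the report.

```python
"""Heuristic triage of sender domains in mail-gateway logs.

Added example, not Microsoft's code. The log lines and domains below are
constructed and are NOT indicators from the report. Two heuristics:
  1. a keyword rule for the "strange" naming pattern (StrangeU)
  2. a randomness rule approximating a DGA-generated label (RandomU)
"""
import math
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample log lines in a hypothetical gateway format.
SAMPLE_LOG = """\
2020-07-14T10:02:11Z from=<billing@strange-notice.example> to=<ap@corp.example> subj="Invoice 4471"
2020-07-14T10:02:54Z from=<alerts@xq7vkd9zpl2h.example> to=<hr@corp.example> subj="Payroll update"
2020-07-14T10:03:30Z from=<news@payroll-services.example> to=<hr@corp.example> subj="Weekly digest"
2020-07-14T10:04:02Z from=<noreply@corp.example> to=<ap@corp.example> subj="Out of office"
"""

FROM_RE = re.compile(r"from=<[^@>]+@([^>]+)>")
VOWELS = set("aeiou")


def sender_domain(line: str) -> Optional[str]:
    """Extract the envelope-sender domain from one log line (assumed format)."""
    m = FROM_RE.search(line)
    return m.group(1).lower() if m else None


def registrable_label(domain: str) -> str:
    """Crude: take the second-to-last label. Real deployments use a public-suffix list."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character over the string's own symbol frequencies."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label: str, min_len: int = 10, min_entropy: float = 3.5) -> bool:
    """DGA-like: long, high-entropy, and either almost vowel-free or digit-heavy.

    Thresholds are assumptions chosen so that ordinary dictionary-word labels
    (e.g. "payroll-services") fall below them.
    """
    core = label.replace("-", "")
    letters = [c for c in core if c.isalpha()]
    if len(core) < min_len or not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    digits = sum(c.isdigit() for c in core)
    return shannon_entropy(core) >= min_entropy and (vowel_ratio < 0.25 or digits >= 3)


def classify(domain: str) -> str:
    label = registrable_label(domain)
    if "strange" in label:
        return "strangeu-keyword"
    if looks_random(label):
        return "dga-like"
    return "none"


def triage(log_text: str) -> Dict[str, str]:
    """Map each flagged sender domain in the log to the rule that fired."""
    hits: Dict[str, str] = {}
    for line in log_text.splitlines():
        dom = sender_domain(line)
        if dom:
            verdict = classify(dom)
            if verdict != "none":
                hits[dom] = verdict
    return hits


if __name__ == "__main__":
    for dom, verdict in triage(SAMPLE_LOG).items():
        print(f"{dom}: {verdict}")
```

The randomness rule is deliberately conservative: a dictionary-word label such as payroll-services has a normal vowel ratio and an entropy just under the threshold, so it is not flagged, while a vowel-free consonant-and-digit string is. Treat a "dga-like" verdict as a triage signal to enrich with domain age and registrar data, not as a block decision on its own.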
Necurs, the botnet disrupted by a Microsoft-led takedown in March 2020, is an example of a for-hire operation that leases delivery capacity as a service, letting attackers focus on producing the malware rather than on sending it.
"The StrangeU and RandomU infrastructure appear to fill in the service gap that the Necurs disruption created, proving that attackers are highly motivated to quickly adapt to temporary interruptions to their operations," Microsoft notes.
The new email infrastructure has predominantly targeted machines in the US, Australia, and the UK in the wholesale distribution, financial services, and healthcare industries.
Microsoft notes that the individual campaigns it examined mostly targeted corporate email accounts in the US and Canada and avoided consumer accounts. The campaigns were also kept small, an effort to stay below the threshold at which they would be noticed.
The Dridex campaigns from late June and through July used StrangeU and compromised corporate email accounts to deliver Excel documents with malicious macros.
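To show the check a mail gateway would apply to attachments of the kind described here, this added Python (not Microsoft's code) builds two minimal Office Open XML workbooks in memory, one with and one without a VBA project part, and inspects them the way a filter inspects a decoded attachment: it looks for an xl/vbaProject.bin entry and for the VBA content type declared in [Content_Types].xml, and it also flags the case where a workbook carrying VBA arrives under a macro-free extension such as .xlsx. The constructed workbooks are not real Excel files; the part name and content type are the standard OOXML ones.

```python
"""Flag Office Open XML attachments that carry a VBA project.

Added example, not from Microsoft's report. The workbooks are constructed
in memory so the script runs offline; a gateway would apply the same
check to the decoded attachment bytes.
"""
import io
import zipfile
from typing import Dict, List

VBA_PART = "vbaproject.bin"  # compared case-insensitively against entry names
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_FREE_EXTENSIONS = ("xlsx", "docx", "pptx")


def build_workbook(with_macro: bool) -> bytes:
    """Build a minimal, constructed OOXML workbook (not a real Excel file)."""
    overrides = [
        '<Override PartName="/xl/workbook.xml" ContentType="application/'
        'vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>'
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # OLE2 magic plus padding; a stand-in for a real VBA project stream.
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
            overrides.append(
                f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            )
        z.writestr("[Content_Types].xml", "<Types>" + "".join(overrides) + "</Types>")
    return buf.getvalue()


def inspect_attachment(name: str, data: bytes) -> Dict[str, object]:
    """Return findings: is it OOXML, does it carry VBA, does the extension lie."""
    reasons: List[str] = []
    is_ooxml = False
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
                is_ooxml = "[Content_Types].xml" in names
                if any(n.lower().endswith(VBA_PART) for n in names):
                    reasons.append("zip entry vbaProject.bin present")
                if is_ooxml:
                    ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
                    if VBA_CONTENT_TYPE in ct:
                        reasons.append("content type declares a VBA project")
        except zipfile.BadZipFile:
            pass
    has_vba = bool(reasons)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if has_vba and ext in MACRO_FREE_EXTENSIONS:
        # Office honours the container contents, not the extension, so a
        # renamed .xlsm still runs its macros: treat the mismatch as suspicious.
        reasons.append(f"macro-free extension .{ext} but VBA present")
    return {"name": name, "ooxml": is_ooxml, "has_vba": has_vba, "reasons": reasons}


if __name__ == "__main__":
    samples = {
        "report.xlsx": build_workbook(False),
        "invoice.xlsm": build_workbook(True),
        "invoice.xlsx": build_workbook(True),  # macro-bearing file under a benign name
    }
    for fname, blob in samples.items():
        print(inspect_attachment(fname, blob))
```

Both signals are checked because either alone can be evaded: an attacker can rename the part and hope the filter only looks at entry names, or leave the content type out and rely on Office tolerating the omission. A gateway rule built on this would typically quarantine any VBA-bearing workbook from an external sender, and escalate the extension-mismatch case.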
Despite all this complexity, Microsoft notes that many of the fundamentals remain the same.
"As attacks continue to grow in modularity, the tactics that attackers use to deliver phishing email, gain initial access on systems, and move laterally will continuously become more varied. This research shows that despite these disparities and the increased resiliency attackers have built, the core tactics and tools that they use are still limited in scope, relying repeatedly on familiar malicious macros, lures, and sending tactics," it said.