Microsoft has posted an extensive account of its investigation of the systems used to fire out millions of emails distributing at least seven different types of malware.
Microsoft identifies two elements of the new email infrastructure it discovered in March and April, and then tracked for the rest of the year. It calls the first segment StrangeU because of it often using the word "strange" in new domains. The second segment used a domain generation algorithm, a technique for creating domain names randomly, and was thus dubbed RandomU.
"The emergence of this infrastructure in March dovetailed with the disruption of the Necurs botnet that resulted in the reduction of service," security researchers from the Microsoft 365 Defender Threat Intelligence Team said.
SEE: Windows 10 Start menu hacks (TechRepublic Premium)
Necurs was a large and long-running botnet with a history in delivering the Dridex banking trojan, but it's also been used to distribute ransomware, remote access trojans, and information-stealing trojans.
Necurs is an example of a for-hire operation that leases delivery capacity as a service, while allowing attackers to focus on malware production.
"The StrangeU and RandomU infrastructure appear to fill in the service gap that the Necurs disruption created, proving that attackers are highly motivated to quickly adapt to temporary interruptions to their operations," Microsoft notes.
The new email infrastructure has predominantly targeted machines in the US, Australia, and the UK in the wholesale distribution, financial services, and healthcare industries.
Initially, it was used to distribute commodity malware, but in September the Dridex and Trickbot operators started using the infrastructure too. Trickbot was taken down last October, but reappeared in January and has gained a new component that scans local networks for valuable open ports that can be attacked later.
Some of the notable campaigns using StrangeU and RandomU since March include:
- Korean spear-phishing campaigns that delivered Makop ransomware in April and June
- Emergency alert notifications that distributed Mondfoxia in April
- Black Lives Matter lure that delivered Trickbot in June
- Dridex campaign delivered through StrangeU and other infra from June to July
- Dofoil (SmokeLoader) campaign in August
- Emotet and Dridex activities in September, October, and November
On June 10, security firm Fortinet reported a mass email campaign with malicious Word attachments and subject headers that appeared to target people sympathetic to the BLM movement. The emails purported to seek feedback on the movement. As Microsoft notes, multiple campaigns that month carried Trickbot.
Microsoft notes these campaigns mostly targeted corporate email accounts in the US and Canada and avoided consumer accounts. The campaigns were also small, designed to evade detection.
The Dridex campaigns from late June and through July used StrangeU and compromised corporate email accounts to deliver Excel documents with malicious macros.
Despite all this complexity, Microsoft notes that many of the fundamentals remain the same.
"As attacks continue to grow in modularity, the tactics that attackers use to deliver phishing email, gain initial access on systems, and move laterally will continuously become more varied. This research shows that despite these disparities and the increased resiliency attackers have built, the core tactics and tools that they use are still limited in scope, relying repeatedly on familiar malicious macros, lures, and sending tactics," it said.