Threat Group Employs Amazon-Style Fulfillment Model to Distribute Malware

A threat group with possible connections to the operators of the notorious Necurs botnet has employed what security vendor Bromium this week described as an Amazon-style fulfillment model to host and distribute malware on behalf of other cybercriminals.

The group is using a collection of more than one dozen US-based servers to help attackers distribute a variety of ransomware, banking Trojans, and other malware to targets located mostly within the country.

The IP addresses of the hosting servers belong to a single autonomous system — or range of IP addresses — registered with a so-called “bulletproof” hosting company in the US. Eleven of the servers hosting malware are located in a single data center in Nevada belonging to the company.

Typically, malware hosting servers are located in jurisdictions known to be uncooperative with law enforcement. The fact that this particular group is operating from within the US using a highly consolidated set of servers is significant, says a malware researcher at Bromium, who did not wish to be identified.

Read more: Dark Reading