A new report on elements of the new email infrastructure has been published by Microsoft, according to which this new email infrastructure was utilized to send out more than a million malware attached/infected emails every month. Seven different types of malware were distributed utilizing this infrastructure and it is also being considered a replacement after the Necurs botnet being destroyed.
This infrastructure first emerged in the previous year, around March & April 2020, and from that exact moment, Microsoft has been keeping an eye and analyzing this email infrastructure. Microsoft in its blog post said, “By tracing these campaigns, we uncovered a sprawling infrastructure that is robust enough to seem legitimate to many mail providers, while flexible enough to allow the dynamic generation of new domain names and remain evasive. Shared IP space, domain generation algorithm (DGA) patterns, subdomains, registrations metadata, and signals from the headers of malicious emails enabled us to validate our research through overlaps in campaigns where attackers utilized multiple segments of purchased, owned, or compromised infrastructure. Using the intelligence we gathered on this infrastructure, we were at times able to predict how a domain was going to be used even before campaigns began.”
As per Microsoft, this email infrastructure has mainly two segments, which are known as the StrangeU and the RandomU. The StrangeU signifies utilizing the Strange word in new domains and the RandomU signifies building domain names randomly.
This email infrastructure, containing StrangeU and RandomU elements, has mainly focused on sectors of healthcare, financial services, and wholesale distribution specifically located in the U.K., Australia, and the USA.
In addition, it has been observed that this email infrastructure has been avoiding consumer accounts and is mostly focused and used to attack corporate email accounts. This attacking includes from commodity malware like the Makop & Mondfoxia to transmitting persistent malware involving Trickbot, Emotet, Dridex, Dofoil, and Doppelpaymer.
Microsoft explained that the initial fundamentals to access systems are still the same but the core tools and tactics include emergency notifications, fake alerts, trendy lures, and spear-phishing emails.
Similar campaigns/operations have occurred in previous months which utilized email infrastructure to target valuable victims. In the previous month, some attackers/hackers somehow managed to hijack the email security associations of the Mimecast issued certificate which was utilized to validate its products to the Microsoft 365 exchange web service with the only reason to keep an eye and observe targets.
Microsoft hinted, “As attacks continue to grow in modularity, the tactics that attackers use to deliver phishing email, gain initial access on systems, and move laterally will continuously become more varied. This research shows that despite these disparities and the increased resiliency attackers have built, the core tactics and tools that they use are still limited in scope, relying repeatedly on familiar malicious macros, lures, and sending tactics.”
The increasing use of advanced techniques, for instance, dynamic domain-name generation for the infrastructure of emails, highlights that the cybercrime groups/cyber criminals are regularly investing to enhance email-based attack strategies. Keeping this in mind security for email networks needs an improvement or upgrade to avoid being a victim to such campaigns.