It is suspected that the servers may be connected to the Necurs botnet operators.
Researchers have uncovered over a dozen servers, unusually registered in the United States, which are hosting ten different malware families spread through phishing campaigns potentially tied to the Necurs botnet.
On Thursday, researchers from Bromium said they have monitored scams connected to this infrastructure during the May 2018 to March 2019 time period.
Five families of banking Trojans — Dridex, Gootkit, IcedID, Nymaim, and Trickbot — two ransomware variants, Gandcrab and Hermes, as well as three information stealers, Fareit, Neutrino, and Azorult, were all found on the servers.
It is unusual for such malware to be found on infrastructure hosted in the US, given the country’s law enforcement agencies are generally quick off the mark to seize and take down malicious infrastructure when informed of its existence.
One of the servers belongs to a single autonomous system and is a so-called “bulletproof” hosting service, which generally turns a blind eye to the subject material hosted, whether or not it is malicious or illegal. Another 11 servers involved belong to a company which is based in Nevada and sells virtual private server (VPS) hosting.