sb-eu logo
Story image

Necurs botnet erupts from dormancy to churn out 100,000 spam emails over Easter

05 Apr 2018

One of the world’s largest spam botnets is back in action and this time it is spreading a Trojan downloader that can deliver a number of nasty malware surprises.

Just prior to Easter weekend, the Necurs botnet ramped up its activity by churning out approximately 100,000 emails in a single day. A few days prior, approximately 5000 emails were sent out.

The activity follows what Check Point dubbed a ‘relatively quiet’ month for the botnet.

“The low volumes seen at the earlier date indicate that that may have been an initial test before the main wave emerged.”

The spam emails mimicked purchase orders or document copies – two of the most common malware delivery methods.  The sender’s email address follows a similar pattern and begins with ‘netadmin’, Check Point explains in a blog.

“The emails have an attached archive containing a file with a URL. The URL files communicate with hosts in order to download an additional WSF file containing obfuscated JavaScript. This script is used to retrieve a QuantLoader payload, which, in turn, may download additional executables.”

Check Point notes that the Necurs botnet is notorious for distributing a number of malware families in the past, including both the Locky, Globe and Jaff ransomwares.

Because the Necurs botnet has suddenly engaged in a flurry activity after being dormant, it demonstrates how manware can quickly re-emerge.

“Despite Necurs being well known to the security community, hackers are still enjoying success distributing malware with this highly effective infection vehicle,” Check Point says.

In November last year researchers spotted cybercriminals who were using Necurs to distribute the Scarab ransomware – a relatively new ransomware variant first discovered in June 2017.

Necurs also featured eighth in Check Point’s ‘most wanted’ malware for the month of December 2017.

“Necurs botnet started mass distribution of Scarab during the U.S. Thanksgiving holiday, sending over 12 million emails in a single morning,” Check Point says.

“This reinforces the need for advanced threat prevention technologies and a multi-layered cybersecurity strategy that protects against both previously encountered, established malware families as well as brand new, zero-day threats.”

Check Point’s ThreatCloud intelligence is a collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors.

The ThreatCloud database holds over 250 million addresses analysed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.

Story image
Research: 61% of companies have suffered an insider attack in last 12 months
It comes as rapid migration to cloud and remote working and BYOD scenarios leave organisations increasingly vulnerable to insider attacks as a result of the upheaval caused by the COVID-19 pandemic.More
Story image
Misinformation on the rise, organisations consider how best to respond
The increase in misinformation and fake domains have left organisations perceiving the threat level to be ‘very significant’, with a third planning greater emphasis on their ability to respond in coming months.More
Story image
Kaspersky releases new report on consumer’s approach to digital services
COVID-19 related restrictions and the necessity to stay indoors has influenced the way people approach digital services, making them more aware of how securely both they, and their housemates, use the internet.More
Story image
OT networks warned of vulnerabilities in CodeMeter software
Manufacturers using the Wibu-Systems CodeMeter third-party licence management solution are being urged to remain vigilant and to urgently update the solution to CodeMeter version 7.10.More
Story image
Emotet malware is on a rampage after months of silence
CERT agencies around the world are reporting a surge in cyber attacks related to the Emotet malware, which is being distributed by email.More
Story image
Strong cybersecurity posture crucial for company success - Fortinet
"They should also conduct due diligence to ensure partners aren’t inadvertently creating vulnerabilities with insufficient cybersecurity measures."More