Story image

Necurs botnet erupts from dormancy to churn out 100,000 spam emails over Easter

05 Apr 18

One of the world’s largest spam botnets is back in action and this time it is spreading a Trojan downloader that can deliver a number of nasty malware surprises.

Just prior to Easter weekend, the Necurs botnet ramped up its activity by churning out approximately 100,000 emails in a single day. A few days prior, approximately 5000 emails were sent out.

The activity follows what Check Point dubbed a ‘relatively quiet’ month for the botnet.

“The low volumes seen at the earlier date indicate that that may have been an initial test before the main wave emerged.”

The spam emails mimicked purchase orders or document copies – two of the most common malware delivery methods.  The sender’s email address follows a similar pattern and begins with ‘netadmin’, Check Point explains in a blog.

“The emails have an attached archive containing a file with a URL. The URL files communicate with hosts in order to download an additional WSF file containing obfuscated JavaScript. This script is used to retrieve a QuantLoader payload, which, in turn, may download additional executables.”

Check Point notes that the Necurs botnet is notorious for distributing a number of malware families in the past, including both the Locky, Globe and Jaff ransomwares.

Because the Necurs botnet has suddenly engaged in a flurry activity after being dormant, it demonstrates how manware can quickly re-emerge.

“Despite Necurs being well known to the security community, hackers are still enjoying success distributing malware with this highly effective infection vehicle,” Check Point says.

In November last year researchers spotted cybercriminals who were using Necurs to distribute the Scarab ransomware – a relatively new ransomware variant first discovered in June 2017.

Necurs also featured eighth in Check Point’s ‘most wanted’ malware for the month of December 2017.

“Necurs botnet started mass distribution of Scarab during the U.S. Thanksgiving holiday, sending over 12 million emails in a single morning,” Check Point says.

“This reinforces the need for advanced threat prevention technologies and a multi-layered cybersecurity strategy that protects against both previously encountered, established malware families as well as brand new, zero-day threats.”

Check Point’s ThreatCloud intelligence is a collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors.

The ThreatCloud database holds over 250 million addresses analysed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.

Symantec and Fortinet partner for integration
The partnership will deliver essential security controls across endpoint, network, and cloud environments.
Is Supermicro innocent? 3rd party test finds no malicious hardware
One of the larger scandals within IT circles took place this year with Bloomberg firing shots at Supermicro - now Supermicro is firing back.
25% of malicious emails still make it through to recipients
Popular email security programmes may fail to detect as much as 25% of all emails with malicious or dangerous attachments, a study from Mimecast says.
Google Cloud, Palo Alto Networks extend partnership
Google Cloud and Palo Alto Networks have extended their partnership to include more security features and customer support for all major public clouds.
Using blockchain to ensure regulatory compliance
“Data privacy regulations such as the GDPR require you to put better safeguards in place to protect customer data, and to prove you’ve done it."
A10 aims to secure Kubernetes container environments
The solution aims to provide teams deploying microservices applications with an automated way to integrate enterprise-grade security with comprehensive application visibility and analytics.
DigiCert conquers Google's distrust of Symantec certs
“This could have been an extremely disruptive event to online commerce," comments DigiCert CEO John Merrill. 
One Identity a Visionary in Magic Quad for PAM
One Identity was recognised in the Gartner Magic Quadrant for Privileged Access Management for completeness of vision and ability to execute.